Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 34669 - policy file for daemontools
Summary: policy file for daemontools
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Chris PeBenito (RETIRED)
Depends on:
Reported: 2003-11-28 23:23 UTC by petre rodan (RETIRED)
Modified: 2004-02-07 01:24 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

file_contexts (svc.fc,2.24 KB, text/plain)
2003-11-28 23:24 UTC, petre rodan (RETIRED)
type enforcement file (svc.te,5.02 KB, text/plain)
2003-11-28 23:24 UTC, petre rodan (RETIRED)
file contexts (daemontools.fc,2.07 KB, text/plain)
2003-12-03 13:22 UTC, petre rodan (RETIRED)
type enforcement (daemontools.te,5.09 KB, text/plain)
2003-12-03 13:23 UTC, petre rodan (RETIRED)
type enforcement (daemontools.te,5.17 KB, text/plain)
2003-12-09 07:19 UTC, petre rodan (RETIRED)
macro te file (daemontools.te,214 bytes, text/plain)
2003-12-12 02:02 UTC, petre rodan (RETIRED)
type enforcement (daemontools.te,5.31 KB, text/plain)
2003-12-12 02:03 UTC, petre rodan (RETIRED)
type enforcement (daemontools.te,5.16 KB, text/plain)
2004-01-11 10:19 UTC, petre rodan (RETIRED)

Note You need to log in before you can comment on or make changes to this bug.
Description petre rodan (RETIRED) gentoo-dev 2003-11-28 23:23:23 UTC
daemontools now run in their own svc_t domain.
Comment 1 petre rodan (RETIRED) gentoo-dev 2003-11-28 23:24:19 UTC
Created attachment 21445 [details]
Comment 2 petre rodan (RETIRED) gentoo-dev 2003-11-28 23:24:57 UTC
Created attachment 21446 [details]
type enforcement file
Comment 3 petre rodan (RETIRED) gentoo-dev 2003-11-28 23:41:06 UTC
works with the qmail policy from the cvs repository (the one made by Russel), also tested with tcpserver based daemons and ssh. 
more daemons comming soon.
Comment 4 petre rodan (RETIRED) gentoo-dev 2003-12-03 13:22:50 UTC
Created attachment 21653 [details]
file contexts
Comment 5 petre rodan (RETIRED) gentoo-dev 2003-12-03 13:23:36 UTC
Created attachment 21654 [details]
type enforcement

latest meanest cleanest
Comment 6 petre rodan (RETIRED) gentoo-dev 2003-12-09 07:19:15 UTC
Created attachment 21922 [details]
type enforcement
Comment 7 Chris PeBenito (RETIRED) gentoo-dev 2003-12-09 12:12:33 UTC
are all of your other policies dependant on this?
Comment 8 Chris PeBenito (RETIRED) gentoo-dev 2003-12-09 13:12:07 UTC
Committed to policy cvs.  I set all of the file context lines in the following sections to match only regular files:

# supervise scripts
# supervise init binaries
# programs that impose a given environment to daemons
# helper programs
# daemontools logger

The practice now is to try to specify the type of the file where possible.  Are these specifications ok?
Comment 9 petre rodan (RETIRED) gentoo-dev 2003-12-12 02:02:14 UTC
Created attachment 22076 [details]
macro te file

macro file that defines svc_ipc_domain.

this makes signal sending and fd definitions easier for policies that use
Comment 10 petre rodan (RETIRED) gentoo-dev 2003-12-12 02:03:42 UTC
Created attachment 22078 [details]
type enforcement

svc_ipc_domain is defined as an external macro
Comment 11 petre rodan (RETIRED) gentoo-dev 2003-12-12 04:33:07 UTC
your modifications related to the type of files are fine.

pls also update the type enforcement file, because I made a few additions besides the macro stuff.
Comment 12 Chris PeBenito (RETIRED) gentoo-dev 2003-12-12 07:40:24 UTC
Committed.  If you keep making changes, this will never make it to portage :)
Comment 13 Chris PeBenito (RETIRED) gentoo-dev 2003-12-20 22:56:49 UTC
Committed to portage, please check it out to make sure its ok.  It doesn't have any dependancies (daemontools will optionally depend on selinux-daemontools eventually).
Comment 14 petre rodan (RETIRED) gentoo-dev 2003-12-22 02:52:54 UTC
great, thanks for the ebuild

and now, since it's in portage, I'm allowed to make changes to it, right ;)

the following rules are needed in order to control the supervise scripts from a tty (I kinda use them only through a ssh connection):

# Read and write the console and ttys.
allow svc_script_t console_device_t:chr_file rw_file_perms;
allow svc_script_t tty_device_t:chr_file rw_file_perms;
allow svc_script_t ttyfile:chr_file rw_file_perms;
allow svc_script_t ptyfile:chr_file rw_file_perms;
allow svc_start_t console_device_t:chr_file rw_file_perms;
allow svc_start_t tty_device_t:chr_file rw_file_perms;
allow svc_start_t ttyfile:chr_file rw_file_perms;
allow svc_start_t ptyfile:chr_file rw_file_perms;

dontaudit svc_script_t sysadm_home_dir_t:dir { getattr search };
dontaudit svc_start_t sysadm_home_dir_t:dir { getattr search };
Comment 15 Chris PeBenito (RETIRED) gentoo-dev 2003-12-24 21:40:02 UTC
This pty/tty stuff makes me nervous.  Are you sure its required?  From what I've seen, daemons get along fine without it.
Comment 16 petre rodan (RETIRED) gentoo-dev 2003-12-27 01:39:42 UTC
sys-apps/supervise-scripts is a package with a bunch of bash scripts that make life easier controlling the svc daemons.

without those pty/tty stuff those scripts won't work if sysadm is logged in over the terminal, but they will work over a ssh connection. 

in 95% of the cases i control them over ssh, but there are cases when there is the need to control them from the console.

a Happy New Year to you,
Comment 17 bornsilly 2003-12-29 14:55:37 UTC
the deamontools.fc file point to /var/services while the default gentoo install for deamontools puts the files in /services.

/var/services/.* entries therefor need to be updated to /services/.*
Comment 18 Joshua Brindle (RETIRED) gentoo-dev 2003-12-29 15:02:28 UTC
why does this need read/write to [pt]ty's? shouldn't the scripts just read and write from stdin and stdout? this is a security risk if the supervise scripts execute something that is malicious it will be able to read and write to other peoples terminals. Bad Bad idea...
Comment 19 petre rodan (RETIRED) gentoo-dev 2003-12-29 23:15:32 UTC

/service/<daemon> should be a simlink to /var/service/<daemon>
with this, you can have any number of <daemon>s in /var/sevice
and add them when there is the need using supervise-scripts


pls try this:

cat << EOF > /usr/bin/svc-test
echo eee

chmod 755 /usr/bin/svc-test
chcon system_u:object_r:svc_script_exec_t /usr/bin/svc-test

/usr/bin/svc-test will work over ssh, but will not work on the console if the {p,t}ty stuff is missing.

funny thing is that 
cat << EOF > /usr/bin/svc-test
echo eee
chmod 755 /usr/bin/svc-test
chcon system_u:object_r:svc_script_exec_t /usr/bin/svc-test

(without the #!/bin/sh) will work both ways without the {p,t}tty stuff.
anyone knows why?

Comment 20 Chris PeBenito (RETIRED) gentoo-dev 2004-01-04 18:05:42 UTC
I have two thoughts on this.  First, for the tty/pty stuff, this rule may be sufficient:

allow { svc_script_t svc_start_t } admin_tty_type:chr_file rw_file_perms;

Also, I was thinking that this might be better if it were to be run through run_init, since this does similar things as the init scripts.  There would just have to be domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t).  I'm not sure if this would work, but it seems like something to consider.  Then it would remove the sysadm_t auto transition.
Comment 21 petre rodan (RETIRED) gentoo-dev 2004-01-11 10:19:52 UTC
Created attachment 23605 [details]
type enforcement

run_init now controls svc_script_t and svc_start_t
Comment 22 Chris PeBenito (RETIRED) gentoo-dev 2004-02-03 20:10:36 UTC
committed to portage
Comment 23 petre rodan (RETIRED) gentoo-dev 2004-02-07 01:24:49 UTC
as far as sys-apps/daemontools is concerned, the run_init works well.

sys-apps/supervise-scripts still needs something for '/usr/bin/svc-status' in order to work with run_init. 
unfortunatelly, the error is masked (probably by some dontaudit rule). I will look into this once I'll get some time. 

one can still use 
run_init svstat /service/$servicename 
directly to get the status of a svc-controlled daemon, so it's not a major problem