In this example, the desired end state is for SELinux to allow httpd
to connect and write to UNIX Stream Sockets (in order for PHP apps to
connect to database via a file socket rather than a TCP socket, as
frequent connections over TCP were exhausting available TCP ports).
CFEngine creates the SELinux policy text file with the appropriate
SELinux directives, compiles, packages and loads the policy.
Here is an example of CFEngine doing this repair:
[root@mil-mail00 verticalsysadmin_training_examples]# cf-agent -b
example -K -f
./files__selinux__allow_httpd_to_connect_to_and_to_write_to_stream_sockets__for_pgbouncer.cf
-I
>> Using command line specified bundlesequence
-> Created directory /root/SELINUX/.
-> Created file
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te,
mode = 600
-> Edited file
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
-> Executing '/usr/bin/checkmodule -M -m -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
&& /usr/bin/semodule_package -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp
-m
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
&& /usr/sbin/semodule -i
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp'
...(timeout=-678,owner=-1,group=-1)
Q: "...heckmodule -M ": /usr/bin/checkmodule: loading policy
configuration from
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
Q: "...heckmodule -M ": /usr/bin/checkmodule: policy configuration loaded
Q: "...heckmodule -M ": /usr/bin/checkmodule: writing binary
representation (version 6) to
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
I: Last 3 quoted lines were generated by promiser
"/usr/bin/checkmodule -M -m -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
&& /usr/bin/semodule_package -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp
-m
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
&& /usr/sbin/semodule -i
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp"
-> Completed execution of /usr/bin/checkmodule -M -m -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
&& /usr/bin/semodule_package -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp
-m
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
&& /usr/sbin/semodule -i
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp
[root@mil-mail00 verticalsysadmin_training_examples]#
Here is the policy source code:
{{{
body common control {
inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
}
bundle agent
files__selinux__allow_httpd_to_connect_to_and_to_write_to_stream_sockets__for_pgbouncer
{
classes:
"allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles_module_is_loaded"
expression => returnszero("/usr/sbin/semodule -l | /bin/grep
allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles
>/dev/null", "useshell");
methods:
!allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles_module_is_loaded::
"any" usebundle => compile_and_package_and_load_selinux_module;
}
bundle agent compile_and_package_and_load_selinux_module {
files:
"/root/SELINUX/."
create => "true",
comment => "/root/SELINUX is just a scratch space for
SELinux policy files as we compile, package and load SELinux policy
modules.";
files:
"/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te"
create => "true",
perms => m("0600"),
edit_line =>
Allow_Httpd_To_Connect_To_Unix_Stream_Sockets_And_To_Write_To_Socket_Files,
comment => "httpd connects to Postgres database through
pgbouncer. we want httpd to connect to pgbouncer using a socket file
instead of over TCP/IP, because we've had instances w
here PHP pages that connect to the database a lot in quick succession
use up all available network ports and subsequent connection attempts
fail.";
commands:
"/usr/bin/checkmodule -M -m -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
\
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.te
&& \
/usr/bin/semodule_package -o
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp
\
-m
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.mod
&& \
/usr/sbin/semodule -i
/root/SELINUX/allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles.pp",
comment => "Compile the module, Create the package, Load
the module into the kernel.",
contain => in_shell;
}
bundle edit_line
Allow_Httpd_To_Connect_To_Unix_Stream_Sockets_And_To_Write_To_Socket_Files
{
delete_lines: ".*";
insert_lines:
"
# This file was generated by CFEngine
module allowHttpdToConnectToUnixStreamSocketsAndToWriteToSocketFiles 1.0;
require {
type httpd_t;
type tmp_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t tmp_t:sock_file write;
"
insert_type => "preserve_block";
}
}}}
Notes:
1. CFEngine parses the output of "semodule -l" to find out if the
module is loaded. It does so using /bin/grep. Is there a compact way
(within the same promise) of doing it natively?
2. This policy could be rewritten to check for and load any custom
policy - in other words instead of "pass the salt", set up a policy to
pass arbitrary condiments. :) Patches welcome.
Best,
Aleksey
--
Upcoming Trainings:
"Time Management for System Administrators" 28 Sep 2012 at Ohio Linux Fest (
http://ohiolinux.org/register)
"Editing with vi" 28 Sep 2012 at Ohio Linux Fest (
http://ohiolinux.org/register)
"Automating System Administration with CFEngine 3" 22-25 Oct 2012 in Palo
Alto, CA (http://cfengine.eventbrite.com/)
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
