* [refpolicy] Single init script for multiple daemons
@ 2014-05-16  4:16 Mladen Sekara
  2014-05-16 12:09 ` Dominick Grift
  0 siblings, 1 reply; 7+ messages in thread
From: Mladen Sekara @ 2014-05-16  4:16 UTC (permalink / raw)
  To: refpolicy

Posted the question originally on main selinux mailing list, but as
suggested it seems it belongs here. Apologies for long email.

Anyway, I hope someone can provide some help and guidance.

The problem:
----------------------------------------------------------------------
One application, multiple components/daemons.
Some files are specific to a daemon, some are shared between them (eg.
log files are unique, some config files, keystores... are shared etc.)

All daemons start from a single init script and I am not allowed to
change it.

Options:

1. Create policy for each component and then domain transition between
them (what about shared files, eg. init script that starts both
daemons???)
2. Create a single policy for multiple daemons?
------------------------------------------------------------------------

Advice was to create a single policy with multiple domains for each
daemon + domain for shared resources.



Now, would this be the right approach:
--------------------------------------------------------------------------
- Create a single policy with multiple domains
-- Create separate domains for each daemon + domain for shared resources
-- Transition between them where needed

If the file structure is:
/opt/myapp/bin/daemon1 (daemon1_exec_t)
/opt/myapp/bin/daemon2 (daemon2_exec_t)
/opt/myapp/bin/start_all - (start script for both daemon1 and daemon2)
(myapp_initrc_exec_t) 
/opt/myapp/all_shared_resources (myapp_t)
/etc/init.d/sym_link_to_start_all (sym link to /opt/myapp/bin/start_all)

Can I have:
type myapp_initrc_exec_t;
init_script_file(myapp_initrc_exec_t)

for daemon1: init_daemon_domain(daemon1_t, daemon1_exec_t)
for daemon2: init_daemon_domain(daemon2_t, daemon2_exec_t)
...
---------------------------------------------------------------------------

Any advice?


* [refpolicy] Single init script for multiple daemons
From: Dominick Grift @ 2014-05-16 12:09 UTC (permalink / raw)
  To: refpolicy


On Fri, 2014-05-16 at 14:16 +1000, Mladen Sekara wrote:
> Posted the question originally on main selinux mailing list, but as
> suggested it seems it belongs here. Apologies for long email.
> 
> Anyway, I hope someone can provide some help and guidance.
> 
> The problem:
> ----------------------------------------------------------------------
> One application, multiple components/daemons.
> Some files are specific to a daemon, some are shared between them (eg.
> log files are unique, some config files, keystores... are shared etc.)
> 
> All daemons start from a single init script and I am not allowed to
> change it.

init_script_domain() will let the init domain transition on the script to a
specified domain, rather than initrc_t.

This allows you to use that specified type to specify further domain
transitions to each individual application.

This allows you to confine various services all started from a single
init script in individual domains.

See the hadoop policy module for an example.

It's a common issue with java services.

Mind though that although this works in simple scenarios, it does have
quirks in situations where you for example have to use run_init.

But in simple common scenarios this solution should work

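The two-hop layout Dominick describes, written out as an added example using the type names from the original post. This is not code from the thread or from refpolicy's hadoop module; the script domain myapp_initrc_t, the permissions given to it, and the assumption that start_all is a shell script are mine, and the daemons' own allow rules are left out.

```m4
# ---- myapp.te ----
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# First hop: init_t execs start_all (myapp_initrc_exec_t) and lands in
# myapp_initrc_t instead of the generic initrc_t.
type myapp_initrc_t;
type myapp_initrc_exec_t;
init_script_domain(myapp_initrc_t, myapp_initrc_exec_t)

# Each daemon is an ordinary domain with its own entry point. No
# init_daemon_domain() here: initrc_t never execs these binaries,
# myapp_initrc_t does, so the transitions are written out below.
type daemon1_t;
type daemon1_exec_t;
domain_type(daemon1_t)
domain_entry_file(daemon1_t, daemon1_exec_t)
role system_r types daemon1_t;

type daemon2_t;
type daemon2_exec_t;
domain_type(daemon2_t)
domain_entry_file(daemon2_t, daemon2_exec_t)
role system_r types daemon2_t;

########################################
#
# Init script local policy (assumes start_all is a shell script)
#

allow myapp_initrc_t self:process { setpgid setsched };
allow myapp_initrc_t self:fifo_file rw_fifo_file_perms;

corecmd_exec_bin(myapp_initrc_t)
corecmd_exec_shell(myapp_initrc_t)
files_read_etc_files(myapp_initrc_t)

# Second hop: when the script execs a daemon binary the process moves
# into that daemon's domain. These two rules are the only way into
# daemon1_t and daemon2_t.
domtrans_pattern(myapp_initrc_t, daemon1_exec_t, daemon1_t)
domtrans_pattern(myapp_initrc_t, daemon2_exec_t, daemon2_t)

# ---- myapp.fc ----
# exec follows the /etc/init.d symlink, so the label on the target matters
/opt/myapp/bin/start_all	--	gen_context(system_u:object_r:myapp_initrc_exec_t,s0)
/opt/myapp/bin/daemon1	--	gen_context(system_u:object_r:daemon1_exec_t,s0)
/opt/myapp/bin/daemon2	--	gen_context(system_u:object_r:daemon2_exec_t,s0)
```

After loading the module, `sesearch -T -s init_t -t myapp_initrc_exec_t` should show the transition into myapp_initrc_t, and `sesearch -T -s myapp_initrc_t -t daemon1_exec_t` the second hop. Dominick's run_init caveat is about the other path into the script: run the same query with `-s initrc_t` and check what the compiled policy actually does there before relying on an admin starting the service by hand.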

* [refpolicy] Single init script for multiple daemons
From: Mladen Sekara @ 2014-05-18 11:37 UTC (permalink / raw)
  To: refpolicy

Thanks Dominick.

Could you please elaborate a bit further on use of init_script_domain.

I had a look at the hadoop policy module, but it seems hadoop has multiple
init scripts for different daemons (don't know much about hadoop and
its internals though). It has a reference to init_script_domain() in
the interface file, but with my SELinux experience, I couldn't make much
sense of it.

In my case I have a single init script starting multiple daemons:

/etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
/opt/myapp/bin/daemon1 (daemon1_exec_t)
/opt/myapp/bin/daemon2 (daemon2_exec_t)

So, just to clarify, in this case I would have:

init_script_domain(daemon1_t, daemon1_exec_t)... ???
init_script_domain(daemon2_t, daemon2_exec_t)... ???

or
init_daemon_domain(daemon1_t, daemon1_exec_t)
init_daemon_domain(daemon2_t, daemon2_exec_t)

Mladen Sekara <dev@emefes.com>


On Fri, 2014-05-16 at 14:09 +0200, Dominick Grift wrote:
> to confine various services all started from a single
> init script in individual domains.
> 
> See the hadoop policy module for an example


* [refpolicy] Single init script for multiple daemons
From: Christopher J. PeBenito @ 2014-05-20 13:24 UTC (permalink / raw)
  To: refpolicy

On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> Thanks Dominick.
> 
> Could you please elaborate a bit further on use of init_script_domain.
> 
> I had a look at the hadoop policy module, but it seems hadoop has multiple
> init scripts for different daemons (don't know much about hadoop and
> its internals though). It has a reference to init_script_domain() in
> the interface file, but with my SELinux experience, I couldn't make much
> sense of it.
> 
> In my case I have a single init script starting multiple daemons:
> 
> /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
> /opt/myapp/bin/daemon1 (daemon1_exec_t)
> /opt/myapp/bin/daemon2 (daemon2_exec_t)
> 
> So, just to clarify, in this case I would have:
> 
> init_script_domain(daemon1_t, daemon1_exec_t)... ???
> init_script_domain(daemon2_t, daemon2_exec_t)... ???
> 
> or
> init_daemon_domain(daemon1_t, daemon1_exec_t)
> init_daemon_domain(daemon2_t, daemon2_exec_t)

If your init script simply starts/stops your daemons, you probably don't need a new type for your init script (no need for init_script_domain()).  Since you want your two daemons to start up in separate domains, then you would use init_daemon_domain(), i.e. the second option above.  Then the private resources would be daemon1_*_t and daemon2_*_t and the shared resources would have their own type(s).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

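The layout Chris describes, as an added example (not code from the thread): init_daemon_domain() for each daemon, private daemon1_*_t and daemon2_*_t types, shared types of their own, and the init script left as plain initrc_exec_t. The myapp_daemon_template in myapp.if, the myapp_domain attribute, the log, pid and keystore types, and every path other than /opt/myapp/bin and /opt/myapp/all_shared_resources from the original post are my assumptions; the allow rules are the skeleton only, and what each daemon needs beyond that comes out of the denials you see when you run it permissive.

```m4
# ---- myapp.if ----
## <summary>Two daemons, one init script, shared config and keystores.</summary>

########################################
## <summary>
##	Create a confined domain for one myapp daemon with its own
##	private log and pid types. $1 is the daemon name, e.g. daemon1.
## </summary>
#
template(`myapp_daemon_template',`
	gen_require(`
		attribute myapp_domain;
	')

	# initrc_t execs /opt/myapp/bin/$1 and transitions into $1_t
	type $1_t, myapp_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	# private resources: only this daemon's domain can touch them
	type $1_log_t;
	logging_log_file($1_log_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;

	manage_files_pattern($1_t, $1_log_t, $1_log_t)
	logging_log_filetrans($1_t, $1_log_t, file)

	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, file)
')

# ---- myapp.te ----
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

attribute myapp_domain;

# shared resources get their own types, readable by every myapp_domain
type myapp_etc_t;
files_config_file(myapp_etc_t)

type myapp_keystore_t;
files_type(myapp_keystore_t)

# expands to daemon1_t, daemon1_exec_t, daemon1_log_t, daemon1_var_run_t
# and the same set for daemon2
myapp_daemon_template(daemon1)
myapp_daemon_template(daemon2)

########################################
#
# Rules common to both daemons
#

read_files_pattern(myapp_domain, myapp_etc_t, myapp_etc_t)
read_files_pattern(myapp_domain, myapp_keystore_t, myapp_keystore_t)

files_read_etc_files(myapp_domain)
files_read_usr_files(myapp_domain)
miscfiles_read_localization(myapp_domain)

# ---- myapp.fc ----
# start_all stays initrc_exec_t, so initrc_t runs it like any other init
# script; exec follows the /etc/init.d symlink, so label the target.
/opt/myapp/bin/start_all	--	gen_context(system_u:object_r:initrc_exec_t,s0)
/opt/myapp/bin/daemon1	--	gen_context(system_u:object_r:daemon1_exec_t,s0)
/opt/myapp/bin/daemon2	--	gen_context(system_u:object_r:daemon2_exec_t,s0)

/opt/myapp/all_shared_resources(/.*)?	gen_context(system_u:object_r:myapp_etc_t,s0)
/opt/myapp/all_shared_resources/keystore(/.*)?	gen_context(system_u:object_r:myapp_keystore_t,s0)

/var/log/daemon1\.log.*	--	gen_context(system_u:object_r:daemon1_log_t,s0)
/var/log/daemon2\.log.*	--	gen_context(system_u:object_r:daemon2_log_t,s0)
/var/run/daemon1\.pid	--	gen_context(system_u:object_r:daemon1_var_run_t,s0)
/var/run/daemon2\.pid	--	gen_context(system_u:object_r:daemon2_var_run_t,s0)
```

Build it with the refpolicy module Makefile, `semodule -i myapp.pp`, `restorecon -Rv /opt/myapp`, then start the service and check `ps -eZ` shows one process in daemon1_t and one in daemon2_t. The separation is worth verifying directly: `sesearch -A -s daemon2_t -t daemon1_log_t` should return nothing, while `sesearch -A -s myapp_domain -t myapp_keystore_t -c file` shows read-only access for both. If you do want the distinct myapp_initrc_exec_t type from the first post (handy for an admin interface later), `init_script_file(myapp_initrc_exec_t)` is the interface for it and the start_all line in the .fc changes accordingly.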

* [refpolicy] Single init script for multiple daemons
From: Mladen Sekara @ 2014-05-21 14:13 UTC (permalink / raw)
  To: refpolicy


Thanks for that.

I think this will give me enough to start.

Just for clarity, what is the difference between the
init_script_domain() and init_daemon_domain():

- init_script_domain() - transition to the init script domain via the init
script as an entry point to that domain?
- init_daemon_domain() - transition to the actual daemon domain via a
daemon entry point?

-- 
Mladen Sekara <dev@emefes.com>


On Tue, 2014-05-20 at 09:24 -0400, Christopher J. PeBenito wrote: 
> On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> > Thanks Dominick.
> > 
> > Could you please elaborate a bit further on use of init_script_domain.
> > 
> > I had a look at the hadoop policy module, but it seems hadoop has multiple
> > init scripts for different daemons (don't know much about hadoop and
> > its internals though). It has a reference to init_script_domain() in
> > the interface file, but with my SELinux experience, I couldn't make much
> > sense of it.
> > 
> > In my case I have a single init script starting multiple daemons:
> > 
> > /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
> > /opt/myapp/bin/daemon1 (daemon1_exec_t)
> > /opt/myapp/bin/daemon2 (daemon2_exec_t)
> > 
> > So, just to clarify, in this case I would have:
> > 
> > init_script_domain(daemon1_t, daemon1_exec_t)... ???
> > init_script_domain(daemon2_t, daemon2_exec_t)... ???
> > 
> > or
> > init_daemon_domain(daemon1_t, daemon1_exec_t)
> > init_daemon_domain(daemon2_t, daemon2_exec_t)
> 
> If your init script simply starts/stops your daemons, you probably don't need a new type for your init script (no need for init_script_domain()).  Since you want your two daemons to start up in separate domains, then you would use init_daemon_domain(), i.e. the second option above.  Then the private resources would be daemon1_*_t and daemon2_*_t and the shared resources would have their own type(s).
> 


* [refpolicy] Single init script for multiple daemons
From: Christopher J. PeBenito @ 2014-05-21 16:16 UTC (permalink / raw)
  To: refpolicy

On 5/21/2014 10:13 AM, Mladen Sekara wrote:
> Thanks for that.
> 
> I think this will give me enough to start.
> 
> Just for clarity, what is the difference between the
> init_script_domain() and init_daemon_domain():
> 
> - init_script_domain() - transition to the init script domain via the init
> script as an entry point to that domain?
> - init_daemon_domain() - transition to the actual daemon domain via a
> daemon entry point?

Yes.  Correct on both.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] Single init script for multiple daemons
From: Mladen Sekara @ 2014-05-25  4:11 UTC (permalink / raw)
  To: refpolicy

Thanks.
-- 
Mladen Sekara <dev@emefes.com>


On Wed, 2014-05-21 at 12:16 -0400, Christopher J. PeBenito wrote: 
> On 5/21/2014 10:13 AM, Mladen Sekara wrote:
> > Thanks for that.
> > 
> > I think this will give me enough to start.
> > 
> > Just for clarity, what is the difference between the
> > init_script_domain() and init_daemon_domain():
> > 
> > - init_script_domain() - transition to the init script domain via the init
> > script as an entry point to that domain?
> > - init_daemon_domain() - transition to the actual daemon domain via a
> > daemon entry point?
> 
> Yes.  Correct on both.
> 
