Diffstat (limited to '')
-rw-r--r-- | admin/selinux/README | 18 | ||||
-rw-r--r-- | admin/selinux/haproxy.fc | 6 | ||||
-rw-r--r-- | admin/selinux/haproxy.if | 2 | ||||
-rw-r--r-- | admin/selinux/haproxy.te | 66 |
4 files changed, 92 insertions, 0 deletions
diff --git a/admin/selinux/README b/admin/selinux/README
new file mode 100644
index 0000000..7ad924d
--- /dev/null
+++ b/admin/selinux/README
@@ -0,0 +1,18 @@
+This directory includes an selinux policy for haproxy. It assumes
+the following file locations:
+
+ /usr/sbin/haproxy -- binary
+ /etc/haproxy/haproxy\.cfg -- configuration
+ /var/run/haproxy\.pid -- pid-file
+ /var/run/haproxy\.sock(.*) -- stats socket
+ /var/empty/haproxy -- chroot dir
+
+To build and load it on RHEL5 you'll need the "selinux-policy-devel" package,
+and from within this directory run:
+
+ make -f /usr/share/selinux/devel/Makefile
+ sudo semodule -i haproxy.pp
+ restorecon /usr/sbin/haproxy /etc/haproxy/haproxy.cfg /var/run/haproxy.pid /var/run/haproxy.sock*
+
+
+Feedback to Jan-Frode Myklebust <janfrode@tanso.no> is much appreciated,
diff --git a/admin/selinux/haproxy.fc b/admin/selinux/haproxy.fc
new file mode 100644
index 0000000..63a0828
--- /dev/null
+++ b/admin/selinux/haproxy.fc
@@ -0,0 +1,6 @@
+# haproxy labeling policy
+# file: haproxy.fc
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t, s0)
+/etc/haproxy/haproxy\.cfg -- gen_context(system_u:object_r:haproxy_conf_t, s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t, s0)
+/var/run/haproxy\.sock(.*) -- gen_context(system_u:object_r:haproxy_var_run_t, s0)
diff --git a/admin/selinux/haproxy.if b/admin/selinux/haproxy.if
new file mode 100644
index 0000000..236ad38
--- /dev/null
+++ b/admin/selinux/haproxy.if
@@ -0,0 +1,2 @@
+## <summary>selinux policy module for haproxy</summary>
+
diff --git a/admin/selinux/haproxy.te b/admin/selinux/haproxy.te
new file mode 100644
index 0000000..bc124fb
--- /dev/null
+++ b/admin/selinux/haproxy.te
@@ -0,0 +1,66 @@
+policy_module(haproxy,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type haproxy_t;
+type haproxy_exec_t;
+type haproxy_port_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_var_run_t;
+files_pid_file(haproxy_var_run_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+########################################
+#
+# Local policy
+#
+
+# Configuration files - read
+allow haproxy_t haproxy_conf_t : dir list_dir_perms;
+allow haproxy_t haproxy_conf_t : file read_file_perms;
+allow haproxy_t haproxy_conf_t : lnk_file read_file_perms;
+
+# PID and socket file - create, read, and write
+files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })
+allow haproxy_t haproxy_var_run_t:file manage_file_perms;
+allow haproxy_t haproxy_var_run_t:sock_file { create rename link setattr unlink };
+
+allow haproxy_t self : tcp_socket create_stream_socket_perms;
+allow haproxy_t self: udp_socket create_socket_perms;
+allow haproxy_t self: capability { setgid setuid sys_chroot sys_resource kill };
+allow haproxy_t self: process { setrlimit signal };
+
+
+logging_send_syslog_msg(haproxy_t)
+
+corenet_tcp_bind_all_ports(haproxy_t)
+corenet_tcp_connect_all_ports(haproxy_t)
+corenet_tcp_bind_all_nodes(haproxy_t)
+corenet_tcp_sendrecv_all_ports(haproxy_t)
+corenet_tcp_recvfrom_unlabeled(haproxy_t)
+
+# use shared libraries
+libs_use_ld_so(haproxy_t)
+libs_use_shared_libs(haproxy_t)
+
+# Read /etc/localtime:
+miscfiles_read_localization(haproxy_t)
+# Read /etc/passwd and more.
+files_read_etc_files(haproxy_t)
+
+# RHEL5 specific:
+require {
+ type unlabeled_t;
+ type haproxy_t;
+ class packet send;
+ class packet recv;
+}
+
+allow haproxy_t unlabeled_t:packet { send recv };
+
|
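Review bot: `type haproxy_port_t;` in the Declarations block is never referenced anywhere in the module, while the Local policy section grants `corenet_tcp_bind_all_ports(haproxy_t)` and `corenet_tcp_connect_all_ports(haproxy_t)`, so the domain may bind and connect to any TCP port regardless of its label and the dedicated port type buys nothing. Either drop the unused type, or make it effective by declaring it with `corenet_port(haproxy_port_t)` and replacing the bind_all rule with `allow haproxy_t haproxy_port_t:tcp_socket name_bind;` (ports then labeled by the administrator); if the broad rules are deliberate because listener ports come from haproxy.cfg, a comment above the corenet_ lines saying so would help the next maintainer. Separately, `sys_chroot` is granted but the module declares no type and no rule for the chroot directory the README in this commit names (`/var/empty/haproxy`), and haproxy.fc does not label it either, so it presumably keeps whatever label its parent directory gives it — worth either labeling it and granting search, or documenting that the policy relies on the default label. The trailing `require { type haproxy_t; ... }` re-requires a type this same module declares, which looks redundant; confirm it is needed on the targeted policy compiler before keeping it.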