Apply fix from Bug 284561 - Security Enhancements for memcached
Run as user memcached; add new SELinux policies
parent
bcc3ec1dd9
commit
55b1212a76
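--- a/memcached.fc
+++ b/memcached.fc
@@ -0,0 +1,2 @@
+/usr/bin/memcached(.*)? -- gen_context(system_u:object_r:memcached_exec_t,s0)
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)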
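Review bot: The `(.*)?` suffix on `/usr/bin/memcached(.*)?` makes the exec label apply to every file in /usr/bin whose name starts with memcached, which in this package includes the memcached-tool helper that the spec's %files installs next to the daemon; an administrator's helper would then carry memcached_exec_t even though only the daemon binary is meant to be the entry point for init_daemon_domain. The first line should match the exact path: `/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)`. The pid-directory pattern on the second line is fine as written.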
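--- a/memcached.if
+++ b/memcached.if
@@ -0,0 +1 @@
+# This file is as of yet unused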
108
memcached.spec
108
memcached.spec
@ -1,6 +1,13 @@
|
||||
%define selinux_variants mls strict targeted
|
||||
%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
|
||||
%define modulename memcached
|
||||
|
||||
%define username memcached
|
||||
%define groupname memcached
|
||||
|
||||
Name: memcached
|
||||
Version: 1.2.4
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: High Performance, Distributed Memory Object Cache
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -11,13 +18,20 @@ Source0: http://www.danga.com/memcached/dist/%{name}-%{version}.tar.gz
|
||||
# custom init script
|
||||
Source1: memcached.sysv
|
||||
|
||||
# SELinux files
|
||||
Source10: %{modulename}.te
|
||||
Source11: %{modulename}.fc
|
||||
Source12: %{modulename}.if
|
||||
|
||||
# Fixes
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
BuildRequires: libevent-devel
|
||||
BuildRequires: perl(Test::More)
|
||||
Requires: initscripts
|
||||
|
||||
Requires: initscripts
|
||||
Requires(pre): shadow-utils
|
||||
Requires(post): /sbin/chkconfig
|
||||
Requires(preun): /sbin/chkconfig, /sbin/service
|
||||
Requires(postun): /sbin/service
|
||||
@ -27,8 +41,26 @@ memcached is a high-performance, distributed memory object caching
|
||||
system, generic in nature, but intended for use in speeding up dynamic
|
||||
web applications by alleviating database load.
|
||||
|
||||
|
||||
%package selinux
|
||||
Summary: SELinux policy module supporting memcached
|
||||
Group: System Environment/Base
|
||||
BuildRequires: checkpolicy, selinux-policy-devel, hardlink
|
||||
%if "%{selinux_policyver}" != ""
|
||||
Requires: selinux-policy >= %{selinux_policyver}
|
||||
%endif
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires(post): policycoreutils
|
||||
Requires(postun): policycoreutils
|
||||
|
||||
%description selinux
|
||||
SELinux policy module supporting memcached.
|
||||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
mkdir SELinux
|
||||
cp -p %{SOURCE10} %{SOURCE11} %{SOURCE12} SELinux/
|
||||
|
||||
|
||||
%build
|
||||
@ -36,6 +68,14 @@ web applications by alleviating database load.
|
||||
|
||||
make %{?_smp_mflags}
|
||||
|
||||
pushd SELinux
|
||||
for selinuxvariant in %{selinux_variants}; do
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
|
||||
mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
|
||||
done
|
||||
popd
|
||||
|
||||
|
||||
%check
|
||||
# remove failing test that doesn't work in
|
||||
@ -59,7 +99,7 @@ install -Dp -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/memcached
|
||||
mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig
|
||||
cat <<EOF >%{buildroot}/%{_sysconfdir}/sysconfig/%{name}
|
||||
PORT="11211"
|
||||
USER="nobody"
|
||||
USER="%{username}"
|
||||
MAXCONN="1024"
|
||||
CACHESIZE="64"
|
||||
OPTIONS=""
|
||||
@ -68,13 +108,35 @@ EOF
|
||||
# pid directory
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/run/memcached
|
||||
|
||||
# Install SELinux policy modules
|
||||
pushd SELinux
|
||||
for selinuxvariant in %{selinux_variants}; do
|
||||
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
|
||||
install -p -m 644 %{modulename}.pp.${selinuxvariant} \
|
||||
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
|
||||
done
|
||||
popd
|
||||
|
||||
# Hardlink identical policy module packages together
|
||||
/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
|
||||
|
||||
|
||||
%clean
|
||||
rm -rf %{buildroot}
|
||||
|
||||
|
||||
%pre
|
||||
getent group %{groupname} >/dev/null || groupadd -r %{groupname}
|
||||
getent passwd %{username} >/dev/null || \
|
||||
useradd -r -g %{groupname} -d %{_localstatedir}/run/memcached \
|
||||
-s /sbin/nologin -c "Memcached daemon" %{username}
|
||||
exit 0
|
||||
|
||||
|
||||
%post
|
||||
/sbin/chkconfig --add %{name}
|
||||
|
||||
|
||||
%preun
|
||||
if [ "$1" = 0 ] ; then
|
||||
/sbin/service %{name} stop > /dev/null 2>&1
|
||||
@ -82,6 +144,7 @@ if [ "$1" = 0 ] ; then
|
||||
fi
|
||||
exit 0
|
||||
|
||||
|
||||
%postun
|
||||
if [ "$1" -ge 1 ]; then
|
||||
/sbin/service %{name} condrestart > /dev/null 2>&1
|
||||
@ -89,19 +152,56 @@ fi
|
||||
exit 0
|
||||
|
||||
|
||||
%post selinux
|
||||
# Install SELinux policy modules
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -i \
|
||||
%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
|
||||
done
|
||||
/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &> /dev/null || :
|
||||
/sbin/fixfiles -R %{name} restore || :
|
||||
|
||||
|
||||
%postun selinux
|
||||
# Clean up after package removal
|
||||
if [ $1 -eq 0 ]; then
|
||||
/usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 &> /dev/null || :
|
||||
# Remove SELinux policy modules
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
|
||||
done
|
||||
/sbin/fixfiles -R %{name} restore || :
|
||||
fi
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%doc AUTHORS ChangeLog COPYING NEWS README TODO doc/CONTRIBUTORS doc/*.txt
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
|
||||
|
||||
%dir %attr(750,nobody,nobody) %{_localstatedir}/run/memcached
|
||||
%dir %attr(755,%{username},%{groupname}) %{_localstatedir}/run/memcached
|
||||
%{_bindir}/memcached-tool
|
||||
%{_bindir}/memcached
|
||||
%{_mandir}/man1/memcached.1*
|
||||
%{_initrddir}/memcached
|
||||
|
||||
|
||||
%files selinux
|
||||
%defattr(-,root,root,0755)
|
||||
%doc SELinux/*.te SELinux/*.fc SELinux/*.if
|
||||
%{_datadir}/selinux/*/%{modulename}.pp
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Dec 22 2007 Paul Lindner <lindner@mirth.inuus.com> - 1.2.4-2
|
||||
- Upgrade to memcached-1.2.4
|
||||
|
||||
* Fri Sep 07 2007 Konstantin Ryabitsev <icon@fedoraproject.org> - 1.2.3-8
|
||||
- Add selinux policies
|
||||
- Create our own system user
|
||||
|
||||
* Mon Aug 6 2007 Paul Lindner <lindner@inuus.com> - 1.2.3-7
|
||||
- Fix problem with -P and -d flag combo on x86_64
|
||||
- Fix init script for FC-6
|
||||
|
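Review bot: `%post selinux` registers only the TCP side of port 11211 with `semanage port -a -t memcached_port_t -p tcp 11211`, while memcached.te also grants memcached_t `udp_socket name_bind` on memcached_port_t; if the daemon is started with UDP enabled through OPTIONS in the sysconfig file, no UDP port carries that type and the bind is denied. Add `/usr/sbin/semanage port -a -t memcached_port_t -p udp 11211 &> /dev/null || :` beside the tcp line, and the matching `/usr/sbin/semanage port -d -t memcached_port_t -p udp 11211 &> /dev/null || :` in `%postun selinux`. Both scriptlets discard the exit status with `|| :`, so a registration that fails because the port is already defined elsewhere is invisible at install time; that is the usual pattern for these scriptlets, but a one-line comment saying the failure is deliberately ignored would help the next packager.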
@ -4,6 +4,7 @@
|
||||
# description: The memcached daemon is a network memory cache service.
|
||||
# processname: memcached
|
||||
# config: /etc/sysconfig/memcached
|
||||
# pidfile: /var/run/memcached/memcached.pid
|
||||
|
||||
# Standard LSB functions
|
||||
#. /lib/lsb/init-functions
|
||||
@ -12,7 +13,7 @@
|
||||
. /etc/init.d/functions
|
||||
|
||||
PORT=11211
|
||||
USER=nobody
|
||||
USER=memcached
|
||||
MAXCONN=1024
|
||||
CACHESIZE=64
|
||||
OPTIONS=""
|
||||
@ -22,6 +23,8 @@ if [ -f /etc/sysconfig/memcached ];then
|
||||
fi
|
||||
|
||||
# Check that networking is up.
|
||||
. /etc/sysconfig/network
|
||||
|
||||
if [ "$NETWORKING" = "no" ]
|
||||
then
|
||||
exit 0
|
||||
@ -33,7 +36,9 @@ prog="memcached"
|
||||
start () {
|
||||
echo -n $"Starting $prog: "
|
||||
# insure that /var/run/memcached has proper permissions
|
||||
if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
|
||||
chown $USER /var/run/memcached
|
||||
fi
|
||||
|
||||
daemon --pidfile /var/run/memcached/memcached.pid memcached -d -p $PORT -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached.pid $OPTIONS
|
||||
RETVAL=$?
|
||||
|
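Review bot: The new ownership check in start() assumes /var/run/memcached already exists: `stat -c %U` on a missing directory fails, the comparison falls into the chown branch, and the daemon is then launched with a pidfile path it cannot create. Guard it before the ownership test, e.g. `[ -d /var/run/memcached ] || mkdir -p /var/run/memcached`, so the chown and the later `-P /var/run/memcached/memcached.pid` have a directory to work on. The chown also sets only the owner, whereas the spec packages the directory as %{username}:%{groupname}; whether the group needs fixing here depends on how the directory is created, which is not visible in this hunk. start() continues past the end of the hunk.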
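--- a/memcached.te
+++ b/memcached.te
@@ -0,0 +1,61 @@
+policy_module(memcached, 1.0.1)
+
+require {
+attribute port_type;
+};
+
+#####################################
+#
+# Declarations
+#
+type memcached_t;
+type memcached_exec_t;
+
+type memcached_var_run_t;
+type memcached_port_t, port_type;
+
+
+########################################
+#
+# Local policy
+#
+init_daemon_domain(memcached_t, memcached_exec_t)
+domain_use_interactive_fds(memcached_t)
+init_use_fds(memcached_t)
+
+files_pid_file(memcached_var_run_t)
+
+allow memcached_t self:capability { setgid setuid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process signal_perms;
+allow memcached_t self:fifo_file rw_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+allow memcached_t memcached_port_t:tcp_socket name_bind;
+allow memcached_t memcached_port_t:udp_socket name_bind;
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket create_stream_socket_perms;
+
+corenet_non_ipsec_sendrecv(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+
+allow memcached_t memcached_var_run_t:file create_file_perms;
+allow memcached_t memcached_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(memcached_t, memcached_var_run_t, file)
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+
+files_read_etc_files(memcached_t)
+
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)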
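Review bot: The local policy grants `name_bind` on memcached_port_t for tcp and udp sockets but no send/receive permission on any port type — the `corenet_*_sendrecv_all_if` and `_all_nodes` calls cover interfaces and nodes only, and nothing like `corenet_tcp_sendrecv_all_ports` or an allow on memcached_port_t appears. On base policies that still check `send_msg`/`recv_msg` against port types, client traffic on 11211 would be denied after the bind succeeds; if the targeted policy version is one of those, add `corenet_tcp_sendrecv_all_ports(memcached_t)` and `corenet_udp_sendrecv_all_ports(memcached_t)`, or a narrower allow on memcached_port_t. Separately, `type memcached_port_t, port_type;` declares the port type inside the module, so the module will stop loading once a base policy defines the same type; a comment recording that dependency above the declaration would help whoever rebases the policy.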