Apply fix from Bug 284561 - Security Enhancements for memcached

run as user memcached
add new selinux policies
This commit is contained in:
Paul Lindner 2007-12-22 13:16:56 +00:00
parent bcc3ec1dd9
commit 55b1212a76
5 changed files with 174 additions and 5 deletions

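--- a/memcached.fc
+++ b/memcached.fc
@@ -0,0 +1,2 @@
+/usr/bin/memcached(.*)? -- gen_context(system_u:object_r:memcached_exec_t,s0)
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)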
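Review bot: The regex `/usr/bin/memcached(.*)?` on the first line also matches `/usr/bin/memcached-tool`, which the spec installs in the same directory, so the Perl helper receives the daemon's entrypoint type memcached_exec_t exactly like the daemon binary. Only the daemon should carry that type; `/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)` labels just that file, and the `fixfiles -R memcached restore` call in the spec's `%post selinux` already applies whatever this file says. If the wider match was deliberate, a comment naming the other files it is meant to cover would keep the next maintainer from tightening it by mistake.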

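--- a/memcached.if
+++ b/memcached.if
@@ -0,0 +1 @@
+# This file is as of yet unused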


@ -1,6 +1,13 @@
%define selinux_variants mls strict targeted
%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
%define modulename memcached
%define username memcached
%define groupname memcached
Name: memcached
Version: 1.2.4
Release: 1%{?dist}
Release: 2%{?dist}
Summary: High Performance, Distributed Memory Object Cache
Group: System Environment/Daemons
@ -11,13 +18,20 @@ Source0: http://www.danga.com/memcached/dist/%{name}-%{version}.tar.gz
# custom init script
Source1: memcached.sysv
# SELinux files
Source10: %{modulename}.te
Source11: %{modulename}.fc
Source12: %{modulename}.if
# Fixes
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libevent-devel
BuildRequires: perl(Test::More)
Requires: initscripts
Requires: initscripts
Requires(pre): shadow-utils
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig, /sbin/service
Requires(postun): /sbin/service
@ -27,8 +41,26 @@ memcached is a high-performance, distributed memory object caching
system, generic in nature, but intended for use in speeding up dynamic
web applications by alleviating database load.
%package selinux
Summary: SELinux policy module supporting memcached
Group: System Environment/Base
BuildRequires: checkpolicy, selinux-policy-devel, hardlink
%if "%{selinux_policyver}" != ""
Requires: selinux-policy >= %{selinux_policyver}
%endif
Requires: %{name} = %{version}-%{release}
Requires(post): policycoreutils
Requires(postun): policycoreutils
%description selinux
SELinux policy module supporting memcached.
%prep
%setup -q
mkdir SELinux
cp -p %{SOURCE10} %{SOURCE11} %{SOURCE12} SELinux/
%build
@ -36,6 +68,14 @@ web applications by alleviating database load.
make %{?_smp_mflags}
pushd SELinux
for selinuxvariant in %{selinux_variants}; do
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
popd
%check
# remove failing test that doesn't work in
@ -59,7 +99,7 @@ install -Dp -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/memcached
mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig
cat <<EOF >%{buildroot}/%{_sysconfdir}/sysconfig/%{name}
PORT="11211"
USER="nobody"
USER="%{username}"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
@ -68,13 +108,35 @@ EOF
# pid directory
mkdir -p %{buildroot}/%{_localstatedir}/run/memcached
# Install SELinux policy modules
pushd SELinux
for selinuxvariant in %{selinux_variants}; do
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
install -p -m 644 %{modulename}.pp.${selinuxvariant} \
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
done
popd
# Hardlink identical policy module packages together
/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
%clean
rm -rf %{buildroot}
%pre
getent group %{groupname} >/dev/null || groupadd -r %{groupname}
getent passwd %{username} >/dev/null || \
useradd -r -g %{groupname} -d %{_localstatedir}/run/memcached \
-s /sbin/nologin -c "Memcached daemon" %{username}
exit 0
%post
/sbin/chkconfig --add %{name}
%preun
if [ "$1" = 0 ] ; then
/sbin/service %{name} stop > /dev/null 2>&1
@ -82,6 +144,7 @@ if [ "$1" = 0 ] ; then
fi
exit 0
%postun
if [ "$1" -ge 1 ]; then
/sbin/service %{name} condrestart > /dev/null 2>&1
@ -89,19 +152,56 @@ fi
exit 0
%post selinux
# Install SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -i \
%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
done
/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &> /dev/null || :
/sbin/fixfiles -R %{name} restore || :
%postun selinux
# Clean up after package removal
if [ $1 -eq 0 ]; then
/usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 &> /dev/null || :
# Remove SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
done
/sbin/fixfiles -R %{name} restore || :
fi
%files
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog COPYING NEWS README TODO doc/CONTRIBUTORS doc/*.txt
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(750,nobody,nobody) %{_localstatedir}/run/memcached
%dir %attr(755,%{username},%{groupname}) %{_localstatedir}/run/memcached
%{_bindir}/memcached-tool
%{_bindir}/memcached
%{_mandir}/man1/memcached.1*
%{_initrddir}/memcached
%files selinux
%defattr(-,root,root,0755)
%doc SELinux/*.te SELinux/*.fc SELinux/*.if
%{_datadir}/selinux/*/%{modulename}.pp
%changelog
* Sat Dec 22 2007 Paul Lindner <lindner@mirth.inuus.com> - 1.2.4-2
- Upgrade to memcached-1.2.4
* Fri Sep 07 2007 Konstantin Ryabitsev <icon@fedoraproject.org> - 1.2.3-8
- Add selinux policies
- Create our own system user
* Mon Aug 6 2007 Paul Lindner <lindner@inuus.com> - 1.2.3-7
- Fix problem with -P and -d flag combo on x86_64
- Fix init script for FC-6
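Review bot: The port labelling in `%post selinux` (`/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &> /dev/null || :`) covers only TCP 11211, while the new memcached.te grants memcached_t `udp_socket name_bind` on memcached_port_t and the sysconfig file written in `%install` lets the administrator change PORT; under an enforcing policy a UDP listener or a non-default port is denied, and the `&> /dev/null || :` hides the semanage failure that would explain it. Labelling the UDP side keeps the scriptlet consistent with the module: add `/usr/sbin/semanage port -a -t memcached_port_t -p udp 11211 &> /dev/null || :` next to the tcp line in `%post selinux`, and the matching `-d` line beside the existing one in the `%postun selinux` removal branch. The sysconfig heredoc would also benefit from a comment recording the operator step for a changed port, `# Under SELinux a different PORT must also be labelled: semanage port -a -t memcached_port_t -p tcp <port>`. The corresponding udp rule in memcached.te is the counterpart of this mismatch and needs no separate change if the scriptlet is fixed.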


@ -4,6 +4,7 @@
# description: The memcached daemon is a network memory cache service.
# processname: memcached
# config: /etc/sysconfig/memcached
# pidfile: /var/run/memcached/memcached.pid
# Standard LSB functions
#. /lib/lsb/init-functions
@ -12,7 +13,7 @@
. /etc/init.d/functions
PORT=11211
USER=nobody
USER=memcached
MAXCONN=1024
CACHESIZE=64
OPTIONS=""
@ -22,6 +23,8 @@ if [ -f /etc/sysconfig/memcached ];then
fi
# Check that networking is up.
. /etc/sysconfig/network
if [ "$NETWORKING" = "no" ]
then
exit 0
@ -33,7 +36,9 @@ prog="memcached"
start () {
echo -n $"Starting $prog: "
# insure that /var/run/memcached has proper permissions
if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
chown $USER /var/run/memcached
fi
daemon --pidfile /var/run/memcached/memcached.pid memcached -d -p $PORT -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached.pid $OPTIONS
RETVAL=$?
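Review bot: After the added `chown $USER /var/run/memcached`, the pid file that the daemon line writes with `-P /var/run/memcached/memcached.pid` sits in a directory owned by the unprivileged service user (presumably because memcached writes it after dropping to `-u $USER`, which is what the chown caters for), so its contents are controlled by that user rather than by root. Any later action this script takes as root on that pid — stop, status and condrestart are outside this hunk — should confirm the number names a memcached process before signalling it, for example by comparing `readlink /proc/$pid/exe` with the installed memcached binary and refusing otherwise. A one-line comment above the chown, `# pid dir must be writable by $USER: memcached writes the pid file after dropping privileges; never trust its contents as root without checking the process`, records the constraint for whoever edits the stop path next.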

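--- a/memcached.te
+++ b/memcached.te
@@ -0,0 +1,61 @@
+policy_module(memcached, 1.0.1)
+require {
+attribute port_type;
+};
+#####################################
+#
+# Declarations
+#
+type memcached_t;
+type memcached_exec_t;
+type memcached_var_run_t;
+type memcached_port_t, port_type;
+########################################
+#
+# Local policy
+#
+init_daemon_domain(memcached_t, memcached_exec_t)
+domain_use_interactive_fds(memcached_t)
+init_use_fds(memcached_t)
+files_pid_file(memcached_var_run_t)
+allow memcached_t self:capability { setgid setuid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process signal_perms;
+allow memcached_t self:fifo_file rw_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+allow memcached_t memcached_port_t:tcp_socket name_bind;
+allow memcached_t memcached_port_t:udp_socket name_bind;
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket create_stream_socket_perms;
+corenet_non_ipsec_sendrecv(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+allow memcached_t memcached_var_run_t:file create_file_perms;
+allow memcached_t memcached_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(memcached_t, memcached_var_run_t, file)
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+files_read_etc_files(memcached_t)
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)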
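Review bot: The local-policy block lists its allow rules without a comment on the two that a reviewer needs most: `allow memcached_t self:capability { setgid setuid };` and the pair of `name_bind` rules on memcached_port_t. A short comment above each, `# started as root by the init script; setuid/setgid exist only to drop to the memcached user (-u)` and `# listening is confined to ports labelled memcached_port_t; the spec's %post selinux labels them`, records why the grants exist and what bounds them. It is also worth stating what is deliberately absent: no `corenet_tcp_connect_*` rule appears in the visible lines, so as far as this excerpt shows the daemon cannot open outbound connections, and a `# no outbound connect permission on purpose` comment keeps that from being "fixed" later when the broad `*_all_if`/`*_all_nodes` sendrecv lines are read. The page reports 61 added lines and shows 47, so blank lines appear to have been dropped in rendering; I have assumed the file ends at `term_dontaudit_use_console`.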