Apply fix from Bug 284561 - Security Enhancements for memcached

run as user memcached add new selinux policies
2007-12-22 13:16:56 +00:00 · 2007-12-22 13:16:56 +00:00 · 55b1212a76
commit 55b1212a76
parent bcc3ec1dd9
5 changed files with 174 additions and 5 deletions
--- a/memcached.fc
+++ b/memcached.fc
@ -0,0 +1,2 @@
+/usr/bin/memcached(.*)?      	--  gen_context(system_u:object_r:memcached_exec_t,s0)
+/var/run/memcached(/.*)?	gen_context(system_u:object_r:memcached_var_run_t,s0)
--- a/memcached.if
+++ b/memcached.if
@ -0,0 +1 @@
+# This file is as of yet unused
--- a/memcached.spec
+++ b/memcached.spec
@ -1,6 +1,13 @@
+%define selinux_variants mls strict targeted 
+%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define modulename memcached
+
+%define username   memcached
+%define groupname  memcached
+
 Name:           memcached
 Version:        1.2.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        High Performance, Distributed Memory Object Cache

 Group:          System Environment/Daemons
@ -11,13 +18,20 @@ Source0:        http://www.danga.com/memcached/dist/%{name}-%{version}.tar.gz
 # custom init script
 Source1:        memcached.sysv

+# SELinux files
+Source10:       %{modulename}.te
+Source11:       %{modulename}.fc
+Source12:       %{modulename}.if
+
 # Fixes

 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires:  libevent-devel
 BuildRequires:  perl(Test::More)
-Requires: initscripts
+
+Requires:       initscripts
+Requires(pre):  shadow-utils
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig, /sbin/service
 Requires(postun): /sbin/service
@ -27,8 +41,26 @@ memcached is a high-performance, distributed memory object caching
 system, generic in nature, but intended for use in speeding up dynamic
 web applications by alleviating database load.

+
+%package selinux
+Summary:        SELinux policy module supporting memcached
+Group:          System Environment/Base
+BuildRequires:  checkpolicy, selinux-policy-devel, hardlink
+%if "%{selinux_policyver}" != ""
+Requires:       selinux-policy >= %{selinux_policyver}
+%endif
+Requires:       %{name} = %{version}-%{release}
+Requires(post):  policycoreutils
+Requires(postun): policycoreutils
+
+%description selinux
+SELinux policy module supporting memcached.
+
+
 %prep
 %setup -q
+mkdir SELinux
+cp -p %{SOURCE10} %{SOURCE11} %{SOURCE12} SELinux/


 %build
@ -36,6 +68,14 @@ web applications by alleviating database load.

 make %{?_smp_mflags}

+pushd SELinux
+for selinuxvariant in %{selinux_variants}; do
+    make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+    mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
+    make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+popd
+

 %check
 # remove failing test that doesn't work in
@ -59,7 +99,7 @@ install -Dp -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/memcached
 mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig
 cat <<EOF >%{buildroot}/%{_sysconfdir}/sysconfig/%{name}
 PORT="11211"
-USER="nobody"
+USER="%{username}"
 MAXCONN="1024"
 CACHESIZE="64"
 OPTIONS=""
@ -68,13 +108,35 @@ EOF
 # pid directory
 mkdir -p %{buildroot}/%{_localstatedir}/run/memcached

+# Install SELinux policy modules
+pushd SELinux
+for selinuxvariant in %{selinux_variants}; do
+    install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+    install -p -m 644 %{modulename}.pp.${selinuxvariant} \
+        %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
+done
+popd
+
+# Hardlink identical policy module packages together
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
+
 %clean
 rm -rf %{buildroot}


+%pre
+getent group %{groupname} >/dev/null || groupadd -r %{groupname}
+getent passwd %{username} >/dev/null || \
+useradd -r -g %{groupname} -d %{_localstatedir}/run/memcached \
+    -s /sbin/nologin -c "Memcached daemon" %{username}
+exit 0
+
+
 %post
 /sbin/chkconfig --add %{name}

+
 %preun
 if [ "$1" = 0 ] ; then
    /sbin/service %{name} stop > /dev/null 2>&1
@ -82,6 +144,7 @@ if [ "$1" = 0 ] ; then
 fi
 exit 0

+
 %postun
 if [ "$1" -ge 1 ]; then
    /sbin/service %{name} condrestart > /dev/null 2>&1
@ -89,19 +152,56 @@ fi
 exit 0


+%post selinux
+# Install SELinux policy modules
+for selinuxvariant in %{selinux_variants}
+do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
+done
+/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &> /dev/null || :
+/sbin/fixfiles -R %{name} restore || :
+
+
+%postun selinux
+# Clean up after package removal
+if [ $1 -eq 0 ]; then
+  /usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 &> /dev/null || :
+  # Remove SELinux policy modules
+  for selinuxvariant in %{selinux_variants}
+  do
+    /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
+  done
+  /sbin/fixfiles -R %{name} restore || :
+fi
+
+
 %files
 %defattr(-,root,root,-)
 %doc AUTHORS ChangeLog COPYING NEWS README TODO doc/CONTRIBUTORS doc/*.txt
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

-%dir %attr(750,nobody,nobody) %{_localstatedir}/run/memcached
+%dir %attr(755,%{username},%{groupname}) %{_localstatedir}/run/memcached
 %{_bindir}/memcached-tool
 %{_bindir}/memcached
 %{_mandir}/man1/memcached.1*
 %{_initrddir}/memcached


+%files selinux
+%defattr(-,root,root,0755)
+%doc SELinux/*.te SELinux/*.fc SELinux/*.if
+%{_datadir}/selinux/*/%{modulename}.pp
+
+
 %changelog
+* Sat Dec 22 2007 Paul Lindner <lindner@mirth.inuus.com> - 1.2.4-2
+- Upgrade to memcached-1.2.4
+
+* Fri Sep 07 2007 Konstantin Ryabitsev <icon@fedoraproject.org> - 1.2.3-8
+- Add selinux policies
+- Create our own system user
+
 * Mon Aug  6 2007 Paul Lindner <lindner@inuus.com> - 1.2.3-7
 - Fix problem with -P and -d flag combo on x86_64
 - Fix init script for FC-6
--- a/memcached.sysv
+++ b/memcached.sysv
@ -4,6 +4,7 @@
 # description:	The memcached daemon is a network memory cache service.
 # processname: memcached
 # config: /etc/sysconfig/memcached
+# pidfile: /var/run/memcached/memcached.pid

 # Standard LSB functions
 #. /lib/lsb/init-functions
@ -12,7 +13,7 @@
 . /etc/init.d/functions

 PORT=11211
-USER=nobody
+USER=memcached
 MAXCONN=1024
 CACHESIZE=64
 OPTIONS=""
@ -22,6 +23,8 @@ if [ -f /etc/sysconfig/memcached ];then
 fi

 # Check that networking is up.
+. /etc/sysconfig/network
+
 if [ "$NETWORKING" = "no" ]
 then
 	exit 0
@ -33,7 +36,9 @@ prog="memcached"
 start () {
 	echo -n $"Starting $prog: "
 	# insure that /var/run/memcached has proper permissions
+    if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
        chown $USER /var/run/memcached
+    fi

 	daemon --pidfile /var/run/memcached/memcached.pid memcached -d -p $PORT -u $USER  -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached.pid $OPTIONS
 	RETVAL=$?
--- a/memcached.te
+++ b/memcached.te
@ -0,0 +1,61 @@
+policy_module(memcached, 1.0.1)
+
+require {
+    attribute port_type;
+};
+
+#####################################
+#
+# Declarations
+#
+type memcached_t;
+type memcached_exec_t;
+
+type memcached_var_run_t;
+type memcached_port_t, port_type;
+
+
+########################################
+#
+# Local policy
+#
+init_daemon_domain(memcached_t, memcached_exec_t)
+domain_use_interactive_fds(memcached_t)
+init_use_fds(memcached_t)
+
+files_pid_file(memcached_var_run_t)
+
+allow memcached_t self:capability { setgid setuid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process signal_perms;
+allow memcached_t self:fifo_file rw_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+allow memcached_t memcached_port_t:tcp_socket name_bind;
+allow memcached_t memcached_port_t:udp_socket name_bind;
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket create_stream_socket_perms;
+
+corenet_non_ipsec_sendrecv(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+
+allow memcached_t memcached_var_run_t:file create_file_perms;
+allow memcached_t memcached_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(memcached_t, memcached_var_run_t, file)
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+
+files_read_etc_files(memcached_t)
+
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)