Apply fix from Bug 284561 - Security Enhancements for memcached

Run as user memcached
Add new SELinux policies
Paul Lindner 2007-12-22 13:16:56 +00:00
parent bcc3ec1dd9
commit 55b1212a76
5 changed files with 174 additions and 5 deletions

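--- a/memcached.fc
+++ b/memcached.fc
@@ -0,0 +1,2 @@
+/usr/bin/memcached(.*)? -- gen_context(system_u:object_r:memcached_exec_t,s0)
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)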
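Review bot: The `(.*)?` suffix on the first file context makes `/usr/bin/memcached(.*)?` match every path that merely begins with `/usr/bin/memcached`, so `/usr/bin/memcached-tool`, which the spec packages next to the daemon, would also be labeled memcached_exec_t, a label meant only for the daemon's entry point that init_daemon_domain transitions on. The daemon binary is a single file, so the entry should be anchored to it: `/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)`. The second entry's `(/.*)?` form is the right one for a directory tree and can stay as written.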

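--- a/memcached.if
+++ b/memcached.if
@@ -0,0 +1 @@
+# This file is as of yet unused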


@ -1,6 +1,13 @@
%define selinux_variants mls strict targeted
%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
%define modulename memcached
%define username memcached
%define groupname memcached
Name: memcached Name: memcached
Version: 1.2.4 Version: 1.2.4
Release: 1%{?dist} Release: 2%{?dist}
Summary: High Performance, Distributed Memory Object Cache Summary: High Performance, Distributed Memory Object Cache
Group: System Environment/Daemons Group: System Environment/Daemons
@ -11,13 +18,20 @@ Source0: http://www.danga.com/memcached/dist/%{name}-%{version}.tar.gz
# custom init script # custom init script
Source1: memcached.sysv Source1: memcached.sysv
# SELinux files
Source10: %{modulename}.te
Source11: %{modulename}.fc
Source12: %{modulename}.if
# Fixes # Fixes
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libevent-devel BuildRequires: libevent-devel
BuildRequires: perl(Test::More) BuildRequires: perl(Test::More)
Requires: initscripts Requires: initscripts
Requires(pre): shadow-utils
Requires(post): /sbin/chkconfig Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig, /sbin/service Requires(preun): /sbin/chkconfig, /sbin/service
Requires(postun): /sbin/service Requires(postun): /sbin/service
@ -27,8 +41,26 @@ memcached is a high-performance, distributed memory object caching
system, generic in nature, but intended for use in speeding up dynamic system, generic in nature, but intended for use in speeding up dynamic
web applications by alleviating database load. web applications by alleviating database load.
%package selinux
Summary: SELinux policy module supporting memcached
Group: System Environment/Base
BuildRequires: checkpolicy, selinux-policy-devel, hardlink
%if "%{selinux_policyver}" != ""
Requires: selinux-policy >= %{selinux_policyver}
%endif
Requires: %{name} = %{version}-%{release}
Requires(post): policycoreutils
Requires(postun): policycoreutils
%description selinux
SELinux policy module supporting memcached.
%prep %prep
%setup -q %setup -q
mkdir SELinux
cp -p %{SOURCE10} %{SOURCE11} %{SOURCE12} SELinux/
%build %build
@ -36,6 +68,14 @@ web applications by alleviating database load.
make %{?_smp_mflags} make %{?_smp_mflags}
pushd SELinux
for selinuxvariant in %{selinux_variants}; do
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
popd
%check %check
# remove failing test that doesn't work in # remove failing test that doesn't work in
@ -59,7 +99,7 @@ install -Dp -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/memcached
mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig
cat <<EOF >%{buildroot}/%{_sysconfdir}/sysconfig/%{name} cat <<EOF >%{buildroot}/%{_sysconfdir}/sysconfig/%{name}
PORT="11211" PORT="11211"
USER="nobody" USER="%{username}"
MAXCONN="1024" MAXCONN="1024"
CACHESIZE="64" CACHESIZE="64"
OPTIONS="" OPTIONS=""
@ -68,13 +108,35 @@ EOF
# pid directory # pid directory
mkdir -p %{buildroot}/%{_localstatedir}/run/memcached mkdir -p %{buildroot}/%{_localstatedir}/run/memcached
# Install SELinux policy modules
pushd SELinux
for selinuxvariant in %{selinux_variants}; do
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
install -p -m 644 %{modulename}.pp.${selinuxvariant} \
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
done
popd
# Hardlink identical policy module packages together
/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
%pre
getent group %{groupname} >/dev/null || groupadd -r %{groupname}
getent passwd %{username} >/dev/null || \
useradd -r -g %{groupname} -d %{_localstatedir}/run/memcached \
-s /sbin/nologin -c "Memcached daemon" %{username}
exit 0
%post %post
/sbin/chkconfig --add %{name} /sbin/chkconfig --add %{name}
%preun %preun
if [ "$1" = 0 ] ; then if [ "$1" = 0 ] ; then
/sbin/service %{name} stop > /dev/null 2>&1 /sbin/service %{name} stop > /dev/null 2>&1
@ -82,6 +144,7 @@ if [ "$1" = 0 ] ; then
fi fi
exit 0 exit 0
%postun %postun
if [ "$1" -ge 1 ]; then if [ "$1" -ge 1 ]; then
/sbin/service %{name} condrestart > /dev/null 2>&1 /sbin/service %{name} condrestart > /dev/null 2>&1
@ -89,19 +152,56 @@ fi
exit 0 exit 0
%post selinux
# Install SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -i \
%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null || :
done
/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &> /dev/null || :
/sbin/fixfiles -R %{name} restore || :
%postun selinux
# Clean up after package removal
if [ $1 -eq 0 ]; then
/usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 &> /dev/null || :
# Remove SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &> /dev/null || :
done
/sbin/fixfiles -R %{name} restore || :
fi
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc AUTHORS ChangeLog COPYING NEWS README TODO doc/CONTRIBUTORS doc/*.txt %doc AUTHORS ChangeLog COPYING NEWS README TODO doc/CONTRIBUTORS doc/*.txt
%config(noreplace) %{_sysconfdir}/sysconfig/%{name} %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(750,nobody,nobody) %{_localstatedir}/run/memcached %dir %attr(755,%{username},%{groupname}) %{_localstatedir}/run/memcached
%{_bindir}/memcached-tool %{_bindir}/memcached-tool
%{_bindir}/memcached %{_bindir}/memcached
%{_mandir}/man1/memcached.1* %{_mandir}/man1/memcached.1*
%{_initrddir}/memcached %{_initrddir}/memcached
%files selinux
%defattr(-,root,root,0755)
%doc SELinux/*.te SELinux/*.fc SELinux/*.if
%{_datadir}/selinux/*/%{modulename}.pp
%changelog %changelog
* Sat Dec 22 2007 Paul Lindner <lindner@mirth.inuus.com> - 1.2.4-2
- Upgrade to memcached-1.2.4
* Fri Sep 07 2007 Konstantin Ryabitsev <icon@fedoraproject.org> - 1.2.3-8
- Add selinux policies
- Create our own system user
* Mon Aug 6 2007 Paul Lindner <lindner@inuus.com> - 1.2.3-7 * Mon Aug 6 2007 Paul Lindner <lindner@inuus.com> - 1.2.3-7
- Fix problem with -P and -d flag combo on x86_64 - Fix problem with -P and -d flag combo on x86_64
- Fix init script for FC-6 - Fix init script for FC-6
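Review bot: `%post selinux` maps only tcp 11211 to memcached_port_t (`/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211`), while memcached.te in this same commit grants `udp_socket name_bind` on memcached_port_t, so if a UDP listener is enabled (for example through OPTIONS) it would be denied name_bind because its port never receives that label; add `/usr/sbin/semanage port -a -t memcached_port_t -p udp 11211 &> /dev/null || :` beside the tcp line and the matching `-p udp` removal in `%postun selinux`. The mapping is also fixed at 11211 although PORT is configurable in the sysconfig file written in %install, which deserves a comment next to the PORT line such as `# with SELinux enforcing, a changed PORT must also be labeled memcached_port_t via semanage`. In the same hunk the pid directory mode is widened from 750 to 755 as ownership moves to the new service user; nothing visible here needs that directory to be world-readable, so `%dir %attr(750,%{username},%{groupname}) %{_localstatedir}/run/memcached` would keep the previous tightness.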


@ -4,6 +4,7 @@
# description: The memcached daemon is a network memory cache service. # description: The memcached daemon is a network memory cache service.
# processname: memcached # processname: memcached
# config: /etc/sysconfig/memcached # config: /etc/sysconfig/memcached
# pidfile: /var/run/memcached/memcached.pid
# Standard LSB functions # Standard LSB functions
#. /lib/lsb/init-functions #. /lib/lsb/init-functions
@ -12,7 +13,7 @@
. /etc/init.d/functions . /etc/init.d/functions
PORT=11211 PORT=11211
USER=nobody USER=memcached
MAXCONN=1024 MAXCONN=1024
CACHESIZE=64 CACHESIZE=64
OPTIONS="" OPTIONS=""
@ -22,6 +23,8 @@ if [ -f /etc/sysconfig/memcached ];then
fi fi
# Check that networking is up. # Check that networking is up.
. /etc/sysconfig/network
if [ "$NETWORKING" = "no" ] if [ "$NETWORKING" = "no" ]
then then
exit 0 exit 0
@ -33,7 +36,9 @@ prog="memcached"
start () { start () {
echo -n $"Starting $prog: " echo -n $"Starting $prog: "
# insure that /var/run/memcached has proper permissions # insure that /var/run/memcached has proper permissions
if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
chown $USER /var/run/memcached chown $USER /var/run/memcached
fi
daemon --pidfile /var/run/memcached/memcached.pid memcached -d -p $PORT -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached.pid $OPTIONS daemon --pidfile /var/run/memcached/memcached.pid memcached -d -p $PORT -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached.pid $OPTIONS
RETVAL=$? RETVAL=$?
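Review bot: `. /etc/sysconfig/network` is sourced unconditionally, whereas the memcached sysconfig file in the preceding hunk is only sourced behind an `if [ -f ... ]` test; on a host without that file the shell reports an error and `$NETWORKING` simply stays unset, so the check that follows is silently skipped. Guard it the same way: `[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network`. The `start()` function in the last hunk continues past the shown lines.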

memcached.te Normal file

@ -0,0 +1,61 @@
policy_module(memcached, 1.0.1)
require {
attribute port_type;
};
#####################################
#
# Declarations
#
type memcached_t;
type memcached_exec_t;
type memcached_var_run_t;
type memcached_port_t, port_type;
########################################
#
# Local policy
#
init_daemon_domain(memcached_t, memcached_exec_t)
domain_use_interactive_fds(memcached_t)
init_use_fds(memcached_t)
files_pid_file(memcached_var_run_t)
allow memcached_t self:capability { setgid setuid };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process signal_perms;
allow memcached_t self:fifo_file rw_file_perms;
allow memcached_t self:unix_stream_socket create_stream_socket_perms;
allow memcached_t memcached_port_t:tcp_socket name_bind;
allow memcached_t memcached_port_t:udp_socket name_bind;
allow memcached_t self:tcp_socket create_stream_socket_perms;
allow memcached_t self:udp_socket create_stream_socket_perms;
corenet_non_ipsec_sendrecv(memcached_t)
corenet_tcp_sendrecv_all_if(memcached_t)
corenet_udp_sendrecv_all_if(memcached_t)
corenet_tcp_sendrecv_all_nodes(memcached_t)
corenet_udp_sendrecv_all_nodes(memcached_t)
corenet_tcp_bind_all_nodes(memcached_t)
corenet_udp_bind_all_nodes(memcached_t)
allow memcached_t memcached_var_run_t:file create_file_perms;
allow memcached_t memcached_var_run_t:dir rw_dir_perms;
files_pid_filetrans(memcached_t, memcached_var_run_t, file)
kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
libs_use_ld_so(memcached_t)
libs_use_shared_libs(memcached_t)
files_read_etc_files(memcached_t)
term_dontaudit_use_all_user_ptys(memcached_t)
term_dontaudit_use_all_user_ttys(memcached_t)
term_dontaudit_use_console(memcached_t)
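Review bot: `allow memcached_t self:capability { setgid setuid };` is the rule a reader is most likely to question and it carries no comment; the init script in this commit launches the daemon as root with `-u $USER`, so the domain needs both capabilities to switch to the service user, and a line such as `# started as root by the init script; setuid/setgid let -u switch to the memcached user` would record why a broadly capable grant is kept. The `corenet_*_sendrecv_all_if` and `_all_nodes` rules are the usual coarse network grants and fit a service that has no finer scoping here, though a comment noting that the daemon is expected to be reachable only from trusted hosts would make the intent explicit. The section header reports 61 added lines and fewer are visible, so the file may continue past the shown part.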