How would tools like “paster” work with SELinux?
Many projects use, or have used, a tool like paster to create their own application servers, for example piranha, TurboGears2 and others. So what is the problem?
The paster tool is a Python script. A project calls the script either from an init script or from a systemd unit file, so the same script can be called multiple times to start different daemons. We get the following transition
initrc_t @ bin_t -> initrc_t
You probably know this is wrong: daemons should be confined rather than left running in the initrc_t domain type. We had this issue with the piranha package. I did not know everything about the paster tool. I added the piranha_web_exec_t label to the paster Python script and we got the following transition
initrc_t @ piranha_web_exec_t -> piranha_web_t
which is what we wanted. But this change caused TurboGears2 application servers to run with the piranha_web_t domain type, which was obviously wrong.
What happened?
turbogears init script @ paster -> TurboGears2 application server
initrc_t @ piranha_web_exec_t -> piranha_web_t
You see the problem. How could we solve issues like this? The solution is pretty easy because we know how SELinux and transitions work. We can just do
initrc_t @ $1_exec_t -> $1_t @ bin_t -> $1_t
What is “$1_exec_t” in this case? It can be a script which is called from either an init script or a systemd unit file, and which then calls the paster Python script with arguments. Then we get what we want
initrc_t @ piranha_web_exec_t -> piranha_web_t @ bin_t -> piranha_web_t
initrc_t @ turbogears_exec_t -> turbogears_t @ bin_t -> turbogears_t
and we can leave the paster Python script labeled as bin_t.
We can apply this solution to other projects.
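The wrapper-script transition chain above, written as a policy sketch for the TurboGears2 case. This is an added example, not policy from the piranha or TurboGears2 packages: the module name and the wrapper path /usr/sbin/turbogears-start are assumptions, and only the transition-related rules are shown.

```selinux
# Added example: hypothetical module "turbogears" (turbogears.te).
policy_module(turbogears, 1.0.0)

# Domain for the daemon and entry point type for its wrapper script.
type turbogears_t;
type turbogears_exec_t;

# initrc_t @ turbogears_exec_t -> turbogears_t
init_daemon_domain(turbogears_t, turbogears_exec_t)

# The wrapper is a shell script, so the domain must be able to run the shell.
corecmd_exec_shell(turbogears_t)

# turbogears_t @ bin_t -> turbogears_t
# Execute bin_t files (paster, the Python interpreter) with no transition.
corecmd_exec_bin(turbogears_t)

# --- turbogears.fc ---
# Label only the wrapper; the path is a placeholder. paster keeps bin_t.
/usr/sbin/turbogears-start	--	gen_context(system_u:object_r:turbogears_exec_t,s0)
```

After loading the module and relabeling the wrapper, `ps -eZ` should show the application server in turbogears_t while `ls -Z` on the paster script still shows bin_t.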