Skip to content

How would tools like “paster” work with SELinux? … “Thin story”

November 30, 2012

I have “recently” written

How would tools like “paster” work with SELinux?

blog about projects which use/used a tool like the paster to create own application servers. Now let’s talk about other specific example – Thin (Ruby web server).

Previously, we had all services using Thin running in the thin_t SELinux domain type. But we did not realize there are many projects which use Thin in different ways and we could not treat all of them just by one SELinux domain type. So we re-wrote the thin policy to provide


But how to use this interface? I will show you on AEOLUS-CONFIGSERVER example.


# yum install aeolus-configserver
# rpm -qi aeolus-configserver
Description :
The Aeolus Config Server, a service for storing and retrieving VM configurations

At First (read the previous blog for more details) we need to add a helper script which calls the thin binary from this helper script instead of either an init script or a systemd unit file.

# rpm -ql aeolus-configserver |grep wrapper
# cat /usr/bin/aeolus-configserver-thinwrapper


/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \

Now the following steps are needed to get an initial policy.

1. Create a new policy file.

# echo “policy_module(aeolus_configserver,1.0)” > aeolus_configserver.te

2. Use the template.

# echo “thin_domain_template(aeolus_configserver)” >> aeolus_configserver.te

You can check the thin_domain_template() on

3. Compile/load it.

# make -f /usr/share/selinux/devel/Makefile aeolus_configserver.pp
# semodule -i aeolus_configserver.pp

4. What will we get?

The following basic types will be created

# seinfo -t |grep configserver

by “thin_domain_template(aeolus_configserver)“.

* thin_aeolus_configserver_exec_t type is an executable type for the aeolus-configserver-thinwrapper helper script.

# ls -Z /usr/bin/aeolus-configserver-thinwrapper
-rwxr-xr-x. root root system_u:object_r:thin_aeolus_configserver_exec_t:s0 /usr/bin/aeolus-configserver-thinwrapper

* thin_aeolus_configserver_t domain type is a domain type for an aeolus-configserver thin process.

With these types we can see the following transition

initrc_t @ thin_aeolus_configserver_exec_t –> thin_aeolus_configserver_t @ thin_exec_t –> thin_aeolus_configserver_t

But without this helper script you would see

initrc_t @ thin_exec_t –> thin_t

which means your project runs in the thin domain type defaultly and probably would not work. We have limited rules for the thin_t domain type because we want to know about this fact.

Now back to the thin_aeolus_configserver_t domain type. This type also got the thin_domain attribute. Basic rules are defined by the policy for all thin domains which are covered by this attribute.

FOREMAN start point

If you call


you will get

# seinfo -t |grep foreman

and thin_foreman_t will have the thin_domain attribute with the following basic rules

Check the thin_domain local policy section.

Note: You can also see the policy which has been created for aeolus-configserver.

  1. Michael permalink

    typo in your post :
    # seinfo -t |grep configserver

    you mean grep foreman ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: