[Pacemaker] [RFC] working selinux policy module for pacemaker

Vladislav Bogdanov bubble at hoster-ok.com
Wed Dec 19 03:33:59 EST 2012 

Hi all,

I'd like to share my successful attempt to confine pacemaker.

I took pacemaker module barebone found in latest fedora's selinux-policy (3.11.1-64.fc18) and
extended it a bit, so now I have pacemaker and some pacemaker-managed services
running confined.

Everything runs on EL6 with corosync-2.2 and latest master. Services include:
* dlm_controld (4.0.0)
* gfs_controld (I wrote before that I had success porting it to corosync-2 and dlm-4)
* clvmd
* drbd (8.3.14 with crm_fence_peer updated to work with 1.1.8 and above)
* clustered LVM VG on top of drbd device running active/active
* GFS filesystem on LVM LV

What differs from fedora policy module:
* lrmd runs in init_t domain. This includes:
** label lrmd as init_exec_t
** allow process domain transition from pacemaker_t to init_t for entry
   files labeled with init_exec_t
** allow init_t processes communicate with pacemaker_t processes via UNIX
   domain socket
** allow pacemaker_t to send signals to init_t to stop lrmd (this is probably
   weak, but I do not see better solution right now)
** label SHM channel created by init_t process with pacemaker_tmpfs_t
* OCF scripts are labeled as initrc_exec_t (this actually has nothing to
  pacemaker module, so I packaged this separately)
* pacemaker_t is allowed to do setattr on corosync_var_run_t:dir (this one is a
  minor change to allow chown(/var/run/heartbeat) and could be replaced with
dontaudit)
* pacemaker_t is allowed to search, list, read and execute initrc_exec_t files
  and dirs (this is needed by crmd)
* pacemaker_t is allowed to do transition to drbd domain (to run drbd OCF script
  which has its own label, drbd_exec_t) (needed for crmd)
* allow pacemaker_t to read usr_t files (to load schemas)

As I run on EL6, I included two more changes to make it compile and work:
* comment everything about systemd
* allow pacemaker_t to load locale files

I also included some more "fixes" in a separate policy module.
* introduce corosync_rw_tmpfs interface (backport from fedora and extend a bit)
* allow dlm_controld to communicate with corosync via UNIX sockets and SHM (this
  is probably included in fedora, I did not check)
* allow gfs_controld to communicate with corosync via UNIX sockets and SHM (this
  one is EL6-specific and requires gfs_contold working with corosync-2)
* allow clvmd to communicate with corosync via SHM
* fixes for dlm_controld-4.0 (labels for config and pid files)
* labels for /usr/lib/ocf (I wrote above about it)

Here is a pacemaker module (diff to fedora's one):
===
diff -urNp selinux/pacemaker/3.11.1/pacemaker.fc selinux-pacemaker-1.0.9/pacemaker.fc
--- selinux/pacemaker/3.11.1/pacemaker.fc       2012-12-17 12:08:57.000000000 +0000
+++ selinux-pacemaker-1.0.9/pacemaker.fc        2012-12-18 06:54:16.875165943 +0000
@@ -1,9 +1,11 @@
 /etc/rc\.d/init\.d/pacemaker   --      gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
 
-/usr/lib/systemd/system/pacemaker.*    --      gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+#/usr/lib/systemd/system/pacemaker.*   --      gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
 
 /usr/sbin/pacemakerd           --      gen_context(system_u:object_r:pacemaker_exec_t,s0)
 
+/usr/libexec/pacemaker/lrmd            --      gen_context(system_u:object_r:init_exec_t,s0)
+
 /var/lib/heartbeat/crm(/.*)?   gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 
 /var/lib/pacemaker(/.*)?      gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff -urNp selinux/pacemaker/3.11.1/pacemaker.te selinux-pacemaker-1.0.9/pacemaker.te
--- selinux/pacemaker/3.11.1/pacemaker.te       2012-12-17 12:08:57.000000000 +0000
+++ selinux-pacemaker-1.0.9/pacemaker.te        2012-12-18 08:30:51.933102744 +0000
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.0.0)
+policy_module(pacemaker, 1.0.9)
 
 ########################################
 #
@@ -7,6 +7,7 @@ policy_module(pacemaker, 1.0.0)
 
 type pacemaker_t;
 type pacemaker_exec_t;
+
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
 
 type pacemaker_initrc_exec_t;
@@ -24,8 +25,13 @@ files_tmp_file(pacemaker_tmp_t)
 type pacemaker_tmpfs_t;
 files_tmpfs_file(pacemaker_tmpfs_t)
 
-type pacemaker_unit_file_t;
-systemd_unit_file(pacemaker_unit_file_t)
+#type pacemaker_unit_file_t;
+#systemd_unit_file(pacemaker_unit_file_t)
+
+gen_require(`
+    type initrc_exec_t;
+    type corosync_var_run_t;
+')
 
 ########################################
 #
@@ -60,6 +66,30 @@ kernel_read_messages(pacemaker_t)
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_software_raid_state(pacemaker_t)
 
+# For mcp_chown(HA_STATE_DIR "/heartbeat", pcmk_uid, pcmk_gid);
+allow pacemaker_t corosync_var_run_t:dir { setattr };
+
+# crmd gathers metadata from OCF scripts
+allow pacemaker_t initrc_exec_t:dir list_dir_perms;
+init_getattr_script_files(pacemaker_t)
+init_read_script_files(pacemaker_t)
+init_exec_script_files(pacemaker_t)
+# drbd OCF script has different label (drbd_exec_t)
+drbd_domtrans(pacemaker_t)
+
+# Start lrmd in init_t domain
+init_domtrans(pacemaker_t)
+# Allow communication with it
+init_stream_connect(pacemaker_t)
+# And allow to kill lrmd
+init_signal(pacemaker_t)
+# And label lrmd shm channels as pacemaker_tmpfs_t. I hope this should not interfere with real inits (sysv, upstart, systemd).
+fs_tmpfs_filetrans(init_t, pacemaker_tmpfs_t, { dir file })
+
+# Read schema files
+files_read_usr_files(pacemaker_t)
+
+# Execute pacemaker daemons, rhcs fence agents and various binaries called from OCF scripts run by crmd to get metadata
 corecmd_exec_bin(pacemaker_t)
 corecmd_exec_shell(pacemaker_t)
 
@@ -78,6 +108,8 @@ auth_use_nsswitch(pacemaker_t)
 
 logging_send_syslog_msg(pacemaker_t)
 
+miscfiles_read_localization(pacemaker_t)
+
 optional_policy(`
        corosync_read_log(pacemaker_t)
        corosync_stream_connect(pacemaker_t)

===

And addons to make everything work on EL6:
===
--- /dev/null   2012-08-22 02:58:15.078103358 +0000
+++ selinux-clusterng-addon-0.0.7/clusterng-addon.fc    2012-12-18 07:16:50.179150062 +0000
@@ -0,0 +1,4 @@
+/etc/dlm(/.*)?                          gen_context(system_u:object_r:dlm_controld_etc_t,s0)
+/var/run/dlm_controld(/.*)?             gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/cluster/gfs_controld\.pid      gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/usr/lib/ocf(/.*)?                      gen_context(system_u:object_r:initrc_exec_t,s0)
--- /dev/null   2012-08-22 02:58:15.078103358 +0000
+++ selinux-clusterng-addon-0.0.7/clusterng-addon.if    2012-12-18 08:13:51.447113151 +0000
@@ -0,0 +1,19 @@
+######################################
+## <summary>
+##  Allow the specified domain to read/write corosync's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+    gen_require(`
+        type corosync_tmpfs_t;
+    ')
+
+    rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+    delete_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
--- /dev/null   2012-08-22 02:58:15.078103358 +0000
+++ selinux-clusterng-addon-0.0.7/clusterng-addon.te    2012-12-18 08:12:10.434097978 +0000
@@ -0,0 +1,31 @@
+policy_module(clusterng-addon,0.0.7)
+
+type dlm_controld_etc_t;
+files_type(dlm_controld_etc_t)
+
+gen_require(`
+    type corosync_t;
+    type dlm_controld_t;
+    type gfs_controld_t;
+    type clvmd_t;
+')
+
+allow corosync_t self:capability { fowner };
+#corecmd_exec_bin(dlm_controld_t)
+
+# Allow dlm_controld read its config
+read_files_pattern(dlm_controld_t, dlm_controld_etc_t, dlm_controld_etc_t)
+
+optional_policy(`
+    corosync_stream_connect(dlm_controld_t)
+    corosync_rw_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
+    corosync_stream_connect(gfs_controld_t)
+    corosync_rw_tmpfs(gfs_controld_t)
+')
+
+optional_policy(`
+    corosync_rw_tmpfs(clvmd_t)
+')
===


Related 'ps axfZ' output on an active node is:

unconfined_u:system_r:corosync_t:s0 1711 ?     Ssl    0:19 corosync
unconfined_u:system_r:pacemaker_t:s0 1737 pts/1 S     0:00 pacemakerd
unconfined_u:system_r:pacemaker_t:s0 1739 ?    Ss     0:01  \_ /usr/libexec/pacemaker/cib
unconfined_u:system_r:pacemaker_t:s0 1740 ?    Ss     0:00  \_ /usr/libexec/pacemaker/stonithd
unconfined_u:system_r:init_t:s0  1741 ?        Ss     0:00  \_ /usr/libexec/pacemaker/lrmd
unconfined_u:system_r:pacemaker_t:s0 1742 ?    Ss     0:00  \_ /usr/libexec/pacemaker/attrd
unconfined_u:system_r:pacemaker_t:s0 1743 ?    Ss     0:00  \_ /usr/libexec/pacemaker/pengine
unconfined_u:system_r:pacemaker_t:s0 1744 ?    Ss     0:00  \_ /usr/libexec/pacemaker/crmd
unconfined_u:system_r:dlm_controld_t:s0 2648 ? Ssl    0:00 dlm_controld
unconfined_u:system_r:gfs_controld_t:s0 2687 ? Ssl    0:00 gfs_controld
unconfined_u:system_r:clvmd_t:s0 2698 ?        SLsl   0:00 /usr/sbin/clvmd -T30 -I corosync

selinux runs in Enforcing mode.

# mount|grep gfs2
/dev/mapper/vg_gfs--test-gfs--test on /cluster/storage/gfs-test-fs type gfs2 (rw,seclabel,relatime,hostdata=jid=0)

So, comments are welcome,

Vladislav

More information about the Pacemaker mailing list