Hi all,
my name is Gabriele Pohl. I live in Bonn, Germany and have been using Fedora for a few years (starting with Core 4 and upgrading to 9 some months ago).
I use Munin (http://munin.projects.linpro.no/) to monitor my computers' hardware and services. After upgrading to Fedora 9 I decided to use SELinux in mode *enforce* and ran into lots of problems concerning SELinux and Munin plugins, which need high system privileges to access block devices and so on.
I would like to solve these issues in a good manner and therefore subscribed to this list to ask the experts how to do it.
Now my first question:
Plugin smart_ is written in Python. It calls "smartctl" from the smartmontools package (http://smartmontools.sourceforge.net/) to read the values of the SMART attributes from the hard disks.
To activate the plugin, one has to create a link within the service directory.
Actually the link looks like this: lrwxrwxrwx root root unconfined_u:object_r:munin_etc_t:s0 smart_sda -> /usr/share/munin/plugins/smart_
The plugin file looks like this: -rwxr-xr-x root root system_u:object_r:munin_exec_t:s0 /usr/share/munin/plugins/smart_
Executable smartctl looks like this: -rwxr-xr-x root root system_u:object_r:fsadm_exec_t:s0 /usr/sbin/smartctl
It needs access to the disk's block device /dev/sda, which looks like this: brw-rw---- root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
I have policy type targeted active and policy module munin 1.4.0 installed.
I get the following raw audit messages when calling smart_sda:
host=calex.dipohl.com type=AVC msg=audit(1221221404.542:709): avc: denied { getattr } for pid=18327 comm="python" path="/dev/sda" dev=tmpfs ino=298 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=calex.dipohl.com type=SYSCALL msg=audit(1221221404.542:709): arch=40000003 syscall=195 success=no exit=-13 a0=8fbe278 a1=bfcdf038 a2=3e8ff4 a3=8f481b8 items=0 ppid=18220 pid=18327 auid=500 uid=0 gid=491 euid=0 suid=0 fsuid=0 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:munin_t:s0 key=(null)
As the FAQ said, I fed these messages into audit2allow: audit2allow -M mine < avcs
and get the following mine.te:
-------------------------------
module mine 1.0;

require {
	type munin_t;
	type fixed_disk_device_t;
	class blk_file getattr;
}
require {
	type munin_t;
	type fixed_disk_device_t;
	class blk_file getattr;
}

#============= munin_t ==============
allow munin_t fixed_disk_device_t:blk_file getattr;
-------------------------------
and a mine.pp.
Will it be OK to load that into the kernel using semodule -i mine.pp?
And why are there two identical *require* structs? Can/should I delete one of them? What shall I do with the message of type "SYSCALL", if it was wrong to put it into the avcs file?
Should I make adjustments to the files above (service link, plugin file)?
Anything else that you can advise?
So far for now & cheers,
Gabriele
On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
Ideally the munin_t domain itself shouldn't need any access to the raw device - it should transition into the existing domain for smartd (fsdaemon_t) upon executing the smartctl program. I don't know offhand if the existing munin policy module has such a domain transition rule.
However, mere getattr access (i.e. the ability to stat the file) isn't a big deal, so you could likely grant that one w/o difficulty. What would be more problematic is allowing read or write access to the raw device.
The duplicate require blocks look like a bug in audit2allow.
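A small parser for raw audit records like the ones in the question, added here as an example (it is not code from the thread, from audit2allow or from Munin): it keeps only type=AVC records, so the SYSCALL line is simply ignored, writes a .te with a single merged require block instead of the duplicated one, and flags any rule that would grant more than getattr on the raw disk type. The sample records are constructed from the ones quoted above (SYSCALL abridged) and the RISKY table is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and (abridged) SYSCALL records quoted in the question.
RAW_AUDIT = """\
host=calex.dipohl.com type=AVC msg=audit(1221221404.542:709): avc: denied { getattr } for pid=18327 comm="python" path="/dev/sda" dev=tmpfs ino=298 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=calex.dipohl.com type=SYSCALL msg=audit(1221221404.542:709): arch=40000003 syscall=195 success=no exit=-13 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:munin_t:s0 key=(null)
"""

# Only AVC records carry an access vector; SYSCALL records are context, not a rule source.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

# Assumed review table: permissions on the raw disk type that go beyond a stat().
RISKY = {'fixed_disk_device_t': {'read', 'write', 'open', 'ioctl'}}


def parse_avcs(text):
    """Return (source_type, target_type, tclass, perm) tuples from raw audit text."""
    rules = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skips SYSCALL and any other record type
        stype = m.group('scon').split(':')[2]  # user:role:type:level -> type
        ttype = m.group('tcon').split(':')[2]
        for perm in m.group('perms').split():
            rules.append((stype, ttype, m.group('tclass'), perm))
    return rules


def build_te(name, rules, version='1.0'):
    """Emit a .te with one merged require block and one allow per (source, target, class)."""
    types, classes, allows = set(), defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perm in rules:
        types.update((stype, ttype))
        classes[tclass].add(perm)
        allows[(stype, ttype, tclass)].add(perm)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), perms in sorted(allows.items()):
        out.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


def risky_rules(rules):
    """Rules that would grant more than getattr on the raw device and deserve a second look."""
    return [r for r in rules if r[3] in RISKY.get(r[1], set())]


if __name__ == '__main__':
    found = parse_avcs(RAW_AUDIT)
    print(build_te('mine', found))
    print('needs review:', risky_rules(found))
```

The resulting .te can be compiled the same way as the audit2allow output; the point of the RISKY check is that a getattr rule passes while a read or write denial on fixed_disk_device_t is reported for review rather than silently allowed.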
Hi Stephen and all,
I searched for a way to see what rules are defined in the SELinux module for munin.
After reading a lot of man pages of all the SELinux tools that I found on my system, without a result for this issue, I took a look at the SELinux knowledge base here: http://fedoraproject.org/wiki/SELinux
and saw "seedit", the SELinux policy editor (and accompanying simplified policy language):
http://seedit.sourceforge.net/
"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4, Cent OS5. It will not affect existing SELinux policies so it is possible to revert to the default settings easily."
Hmmm, at the first call it asks for initialization. I agreed. It needs a reboot, and after that all policy rules were replaced by *simple* ones. And the mode is now *permissive*, no longer *targeted*.
I find no way to load a module for editing (e.g. the munin targeted module). So this experiment was useless for my purpose.
After switching to mode *targeted* again (but no reboot since then) I see none of the old modules. All contexts are *unconfined*.
How can I get the original state back?
On Friday, 12.09.2008, 09:49 -0400, Stephen Smalley wrote:
On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
I use Munin (http://munin.projects.linpro.no/) Now my first question:
Plugin smart_ is written in Python. It calls "smartctl" from the smartmontools package (http://smartmontools.sourceforge.net/) to read the values of the SMART-Attributes from the harddisks.
#============= munin_t ============== allow munin_t fixed_disk_device_t:blk_file getattr;
Ideally the munin_t domain itself shouldn't need any access to the raw device - it should transition into the existing domain for smartd (fsdaemon_t) upon executing the smartctl program.
How can this be done?
I don't know offhand if the existing munin policy module has such a domain transition rule.
I would like to look at the rules defined in the policy module. How can I do this?
However, mere getattr access (i.e. the ability to stat the file) isn't a big deal, so you could likely grant that one w/o difficulty. What would be more problematic is allowing read or write access to the raw device.
OK, thanks! I'll add this rule as soon as I have my original state restored on the system.
Kind regards,
Gabriele
On Saturday, 04.10.2008, 12:29 +0200, Gabriele Pohl wrote:
http://seedit.sourceforge.net/
"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4, Cent OS5. It will not affect existing SELinux policies so it is possible to revert to the default settings easily."
After switching the mode *targeted* again (but no reboot since now) I see none of the old modules. All contexts are *unconfined*.
This is OK now, after the reboot.
On Friday, 12.09.2008, 09:49 -0400, Stephen Smalley wrote:
On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
I use Munin (http://munin.projects.linpro.no/) Now my first question:
I would like to look at the rules defined in the policy module. How can I do this?
This is the question I have left now.
Kind regards,
Gabriele
Gabriele Pohl wrote:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can get most of the rules defined for a domain by using sesearch and/or apol:
sesearch --allow -s munin_t
Or you could always download the src.rpm and just look at the munin.te file.
Rawhide version attached.
policy_module(munin, 1.5.0)

########################################
#
# Declarations
#

type munin_t alias lrrd_t;
type munin_exec_t alias lrrd_exec_t;
init_daemon_domain(munin_t, munin_exec_t)

type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)

type munin_initrc_exec_t;
init_script_file(munin_initrc_exec_t)

type munin_log_t alias lrrd_log_t;
logging_log_file(munin_log_t)

type munin_tmp_t alias lrrd_tmp_t;
files_tmp_file(munin_tmp_t)

type munin_var_lib_t alias lrrd_var_lib_t;
files_type(munin_var_lib_t)

type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)

########################################
#
# Local policy
#

allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
allow munin_t self:fifo_file manage_fifo_file_perms;

can_exec(munin_t, munin_exec_t)

allow munin_t munin_etc_t:dir list_dir_perms;
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
files_search_etc(munin_t)

manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
manage_files_pattern(munin_t, munin_log_t, munin_log_t)
logging_log_filetrans(munin_t, munin_log_t, { file dir })

manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })

# Allow access to the munin databases
manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
files_search_var_lib(munin_t)

manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
files_pid_filetrans(munin_t, munin_var_run_t, file)

kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
kernel_read_all_sysctls(munin_t)

corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)

corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_udp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_all_nodes(munin_t)
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
corenet_tcp_bind_munin_port(munin_t)
corenet_tcp_connect_munin_port(munin_t)
corenet_tcp_connect_http_port(munin_t)
corenet_tcp_bind_all_nodes(munin_t)

dev_read_sysfs(munin_t)
dev_read_urand(munin_t)

domain_use_interactive_fds(munin_t)
domain_dontaudit_read_all_domains_state(munin_t)

files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
files_read_usr_files(munin_t)
files_list_spool(munin_t)

fs_getattr_all_fs(munin_t)
fs_search_auto_mountpoints(munin_t)

auth_use_nsswitch(munin_t)

libs_use_ld_so(munin_t)
libs_use_shared_libs(munin_t)

logging_send_syslog_msg(munin_t)

miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)

sysnet_exec_ifconfig(munin_t)
netutils_domtrans_ping(munin_t)

userdom_dontaudit_use_unpriv_user_fds(munin_t)
sysadm_dontaudit_search_home_dirs(munin_t)

optional_policy(`
	# for accessing the output directory
	apache_search_sys_content(munin_t)
')

optional_policy(`
	cron_system_entry(munin_t,munin_exec_t)
')

optional_policy(`
	fstools_domtrans(munin_t)
')

optional_policy(`
	mta_read_config(munin_t)
	mta_send_mail(munin_t)
')

optional_policy(`
	mysql_read_config(munin_t)
	mysql_stream_connect(munin_t)
')

optional_policy(`
	sendmail_read_log(munin_t)
')

optional_policy(`
	seutil_sigchld_newrole(munin_t)
')

optional_policy(`
	udev_read_db(munin_t)
')

#============= http munin policy ==============
apache_content_template(munin)

manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)