Thursday, February 05, 2009
SELinux and Nagios v3
Note: This post was never finished... so it probably contains lots of errors and incorrect information, with one or two grains of useful information.
Now that Nagios has upgraded to v3, I'm going to revisit my SELinux configuration for it. Back when I first started I was somewhat clueless about SELinux (and still greatly so) and I created a lot of really bad policy modules. They were a brute-force approach to fixing the issue using only audit2allow and ignoring labeling issues in the underlying filesystem.
(See my older piece "SELinux - troubleshooting file labeling issues".)
First off, let's use semodule to take a look at what modules are loaded:
What you see here is the base nagios module as provided by RedHat/CentOS (nagios 1.1.0) along with three modules that I created using audit2allow. The contents of those modules are pretty immaterial, so I'm going to remove them and recreate the exceptions from scratch.
Now, if I were to startup Nagios right now, it would throw a lot of errors because I have SELinux set to Enforcing mode at the moment. So what we're going to do is temporarily put SELinux in "permissive" mode instead of "enforcing" mode. This will cause SELinux to log AVC denial messages to /var/log/audit/audit.log where we can look at them and use audit2allow to create a better exception policy.
Now we can startup Nagios, taking careful note of the time.
Now that Nagios has upgraded to v3, I'm going to revisit my SELinux configuration for it. Back when I first started I was somewhat clueless about SELinux (and still greatly so) and I created a lot of really bad policy modules. They were a brute-force approach to fixing the issue using only audit2allow and ignoring labeling issues in the underlying filesystem.
(See my older piece "SELinux - troubleshooting file labeling issues".)
First off, let's use semodule to take a look at what modules are loaded:
# semodule -l | grep "nagios"
nagios 1.1.0
nagios20080426 1.0
nagios20080522 1.0
nagios20080725 1.0What you see here is the base nagios module as provided by RedHat/CentOS (nagios 1.1.0) along with three modules that I created using audit2allow. The contents of those modules are pretty immaterial, so I'm going to remove them and recreate the exceptions from scratch.
# semodule -r nagios20080426
# semodule -r nagios20080522
# semodule -r nagios20080725Now, if I were to startup Nagios right now, it would throw a lot of errors because I have SELinux set to Enforcing mode at the moment. So what we're going to do is temporarily put SELinux in "permissive" mode instead of "enforcing" mode. This will cause SELinux to log AVC denial messages to /var/log/audit/audit.log where we can look at them and use audit2allow to create a better exception policy.
# getenforce
Enforcing
# setenforce Permissive
# getenforce
PermissiveNow we can startup Nagios, taking careful note of the time.
Labels: 2009, Nagios, SELinux, SystemAdministration
SELinux - troubleshooting file labeling issues
This is a follow-up to SELinux - dealing with exceptions.
First off, a few basics:
chcon should only be used for temporary changes. See SELinux Contexts - Labeling Files. Changes made with chcon will not survive a file system relabeling or use of the restorecon command.
/usr/sbin/semanage fcontext will permanently change the file context in a manner that will survive a relabel or restorecon. See 5.7.2. Persistent Changes: semanage fcontext in the Fedora 10 documentation.
How do I find out what file labels were defined already for a package?
This is a bit trickier, but the key lies in looking under the following directory tree:
/etc/selinux/targeted/contexts/
For file labels, look at the file_context* files under:
/etc/selinux/targeted/contexts/files/
For example, I want to see what file contexts are defined for Nagios:
You can also use the seinfo tool:
Another tool is sesearch, i.e.:
Troubleshooting and fixing things
Thus, step #1 is generally that we need to figure out whether (A) the AVC denial was caused by a mislabeled file. And if so, we need to change the file label.
Here's an example of what setroubleshoot log messages look like in the /var/log/messages file.
And here's what they look like in /var/log/audit:
In this particular case, the fact that the target context is "var_t" generally indicates a labeling issue. The "var_t" file context is pretty generic and we don't want to give the source context (httpd_nagios_script_t) for status.cgi permissions to all files labeled with var_t (which would be most of /var).
This means that using audit2allow is the wrong fix for this particular issue.
The correct solution is to either find out what file context should be used, or create a context and grant nagios access to those files.
References:
Fedora 10 Security-Enhanced Linux User Guide
Top three things to understand in fixing SELinux problems. Reposted
Fedora SELinux Project Pages (wiki)
Red Hat Enterprise Linux 4: Red Hat SELinux Guide
How to: Install and Setup XEN Virtualization Software on CentOS Linux 5 - Covers how to use semanage to grant the Xen process access to a directory where it will store the DomU storage as files.
First off, a few basics:
chcon should only be used for temporary changes. See SELinux Contexts - Labeling Files. Changes made with chcon will not survive a file system relabeling or use of the restorecon command.
/usr/sbin/semanage fcontext will permanently change the file context in a manner that will survive a relabel or restorecon. See 5.7.2. Persistent Changes: semanage fcontext in the Fedora 10 documentation.
How do I find out what file labels were defined already for a package?
This is a bit trickier, but the key lies in looking under the following directory tree:
/etc/selinux/targeted/contexts/
For file labels, look at the file_context* files under:
/etc/selinux/targeted/contexts/files/
For example, I want to see what file contexts are defined for Nagios:
# grep -h "nagios" /etc/selinux/targeted/contexts/files/file_contexts*
/usr/lib(64)?/nagios/cgi(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t:s0
/usr/lib(64)?/nagios/cgi-bin(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/cgi-bin/nagios(/.+)? system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/cgi-bin/netsaint(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0
/etc/nagios(/.*)? system_u:object_r:nagios_etc_t:s0
/var/log/nagios(/.*)? system_u:object_r:nagios_log_t:s0
/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t:s0
/var/spool/nagios(/.*)? system_u:object_r:nagios_spool_t:s0
/usr/bin/nagios -- system_u:object_r:nagios_exec_t:s0
/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t:s0
You can also use the seinfo tool:
# seinfo -t | grep "nagios"
Rule loading disabled
nagios_spool_t
httpd_nagios_script_ra_t
httpd_nagios_script_ro_t
httpd_nagios_script_rw_t
nagios_t
httpd_nagios_script_t
nagios_tmp_t
httpd_nagios_htaccess_t
nagios_var_run_t
httpd_nagios_content_t
nagios_exec_t
httpd_nagios_script_exec_t
nagios_etc_t
nagios_log_tAnother tool is sesearch, i.e.:
# sesearch -a | grep "nagios" | sort | uniqTroubleshooting and fixing things
Thus, step #1 is generally that we need to figure out whether (A) the AVC denial was caused by a mislabeled file. And if so, we need to change the file label.
Here's an example of what setroubleshoot log messages look like in the /var/log/messages file.
# grep "setroubleshoot" /var/log/messages
setroubleshoot: SELinux is preventing the status.cgi from using potentially mislabeled files ./objects.cache (var_t). For complete SELinux messages. run sealert -l ce49f540-0b35-412c-862c-b901a274a421
setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /var/nagios/spool/checkresults/checkZKmcmr (var_t). For complete SELinux messages. run sealert -l cf227199-1595-4775-9970-3935fc761b38
setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /var/nagios/spool/checkresults/checke4tQgY (var_t). For complete SELinux messages. run sealert -l dbdc707e-193a-4f64-9bf2-0bb0d0a807e9And here's what they look like in /var/log/audit:
# grep "AVC" /var/log/audit/audit.log | tail
type=AVC msg=audit(1233836684.122:15494): avc: denied { read } for pid=12081 comm="status.cgi" name="objects.cache" dev=md1 ino=1306897 scontext=system_u:system_r:httpd_nagios_script_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233836426.120:15476): avc: denied { read write } for pid=7518 comm="ping" path="/var/nagios/spool/checkresults/checkZKmcmr" dev=md1 ino=1306899 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233836366.097:15454): avc: denied { read write } for pid=20671 comm="ping" path="/var/nagios/spool/checkresults/checke4tQgY" dev=md1 ino=1306899 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=fileIn this particular case, the fact that the target context is "var_t" generally indicates a labeling issue. The "var_t" file context is pretty generic and we don't want to give the source context (httpd_nagios_script_t) for status.cgi permissions to all files labeled with var_t (which would be most of /var).
This means that using audit2allow is the wrong fix for this particular issue.
The correct solution is to either find out what file context should be used, or create a context and grant nagios access to those files.
References:
Fedora 10 Security-Enhanced Linux User Guide
Top three things to understand in fixing SELinux problems. Reposted
Fedora SELinux Project Pages (wiki)
Red Hat Enterprise Linux 4: Red Hat SELinux Guide
How to: Install and Setup XEN Virtualization Software on CentOS Linux 5 - Covers how to use semanage to grant the Xen process access to a directory where it will store the DomU storage as files.
Sections:
Recent posts:
[an error occurred while processing this directive]
Monthly archives:
2003/04
2003/05
2003/06
2003/07
2003/08
2003/09
2003/10
2003/11
2003/12
2004/01
2004/02
2004/03
2004/04
2004/05
2004/06
2004/07
2004/08
2004/09
2004/10
2004/11
2004/12
2005/01
2005/02
2005/03
2005/04
2005/05
2005/06
2005/07
2005/08
2005/09
2005/10
2005/11
2005/12
2006/01
2006/02
2006/03
2006/04
2006/05
2006/06
2006/07
2006/08
2006/09
2006/10
2006/11
2006/12
2007/01
2007/02
2007/03
2007/04
2007/05
2007/06
2007/07
2007/08
2007/12
2008/01
2008/03
2008/04
2008/05
2008/06
2008/07
2008/08
2008/09
2008/10
2008/11
2008/12
2009/01
2009/02
2009/03
2009/04
2009/05
2009/06
2009/07
2009/08
2009/09
2009/10
2009/11
2009/12
2010/06
Copyright 2003-2010, Thomas G. Harold, All Rights Reserved
