良玉的博客 点点滴滴,积水成河_良玉的博客_页游、手游linux运维工程师之路

解决message中SELinux对Nagios的警告(可类推)

以nagios为例子

selinux.docx" style="color: rgb(51, 102, 153); text-decoration: none;">Nagios  and SELinux

Nagios 3.2.0    CentOS 5.4
开启SELinux的情况下,SELlinux不断警告:

tail /var/log/messages

Mar 9 23
:58:53 wingwu setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t). For complete SELinux messages. run sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951


查看alert

[root@wingwu ~]# sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951

Summary
:

SELinux is preventing ping 
(ping_t) "read write" to
/usr/
local/nagios/var/spool/checkresults/checkkbOyGH (usr_t).

Detailed Description
:

SELinux denied access requested by ping
. It is not expected that this access is
required by ping 
and this access may signal an intrusion attempt. It is also
possible that the specific version 
or configuration of the application is
causing it to require additional access
.

Allowing Access
:

Sometimes labeling problems can cause SELinux denials
. You could try to restore
the default system file context 
for
/usr/
local/nagios/var/spool/checkresults/checkkbOyGH,

restorecon 
-'/usr/local/nagios/var/spool/checkresults/checkkbOyGH'

If this does not work, there is currently no automatic way to allow this access.
Instead
, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether
. Disabling SELinux protection is not recommended.
Please file a bug report 
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against 
this package.

Additional Information
:

Source Context system_u
:system_r:ping_t
Target Context system_u
:object_r:usr_t
Target Objects /usr/
local/nagios/var/spool/checkresults/checkkbOy
                              GH 
[ file ]
Source ping
Source Path /bin/ping
Port 
<Unknown>
Host wingwu
Source RPM Packages iputils
-20020927-46.el5
Target RPM Packages 
Policy RPM selinux
-policy-2.4.6-255.el5_4.4
Selinux Enabled True
Policy 
Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin 
Name catchall_file
Host 
Name wingwu
Platform Linux wingwu 2
.6.18-164.11.1.el5 #1 SMP
                              Wed Jan 20 07
:39:04 EST 2010 i686 i686
Alert Count 1
First Seen Tue Mar 9 23
:58:53 2010
Last Seen Tue Mar 9 23
:58:53 2010
Local ID 19c87c57-986e-45e8-a573-cbb30aba0951
Line Numbers 

Raw Audit Messages 

host=wingwu type=AVC msg=audit(1268150333.223:229): avc: denied { read write } forpid=8372 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkkbOyGH" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

host=wingwu type=SYSCALL msg=audit(1268150333.223:229): arch=40000003 syscall=11 success=yes exit=0 a0=9343aa8 a1=9343b40 a2=bfd4dc74 a3=9343b40 items=0 ppid=8371 pid=8372 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)


解决方法:
1.audit2allo创建一个对应的SElinux规则。
RawAudit Messages的两条信息添加到一个文本:

[root@wingwu ~]# cat /tmp/tmp-nagiosping 
host=wingwu type=AVC msg=audit(1268150163.171:228): avc: denied { read write } forpid=8345 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkQKStFR" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=wingwu type=SYSCALL msg=audit(1268150163.171:228): arch=40000003 syscall=11 success=yes exit=0 a0=8d9eaa8 a1=8d9eb40 a2=bf9465e4 a3=8d9eb40 items=0 ppid=8344 pid=8345 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)


然后创建.pp的规则包,并应用,这样就不会在有警告提示。

[root@wingwu ~]# audit2allow -M NagiosPing < /tmp/tmp-nagiosping 
[root@wingwu ~]# semodule -i NagiosPing.pp


2.
使用创建适用nagios的context
nagios-local.te 

policy_module(nagios-local,1.5.0)

require {
  class fifo_file read
;
  class fifo_file getattr
;
  class fifo_file write
;
  class file {create relabelto getattr}
;
  class lnk_file {read}
;
  class process { sigkill signal }
;
  class udp_socket node_bind
;
  
type restorecon_t;
  
type httpd_t;
  
type httpd_sys_content_t;
  
type httpd_nagios_script_exec_t;
  
type httpd_nagios_script_t;
  
type nagios_cgi_t;
  
type nagios_t;
  
type nagios_etc_t;
  
type ping_t;
  
type sbin_t;
  
type unlabeled_t;
  
type inaddr_any_node_t;
  
type usr_t;
  
type mysqld_etc_t;
  role system_r
;
}
;

# Create a nagios var 
type
type nagios_var_t;
domain_type
(nagios_var_t)
files_type
(nagios_var_t)

allow nagios_t sbin_t
:dir search;

allow nagios_t nagios_var_t
:dir rw_dir_perms;
allow nagios_t nagios_var_t
:dir search_dir_perms;
allow nagios_t nagios_var_t
:file rw_file_perms;
allow nagios_t nagios_var_t
:file create_file_perms;

allow nagios_t nagios_var_t
:fifo_file {create read write getattr};

allow ping_t nagios_var_t
:fifo_file read;
allow ping_t nagios_var_t
:file {read write};

nagios_read_config
( httpd_nagios_script_exec_t );
nagios_read_config
( httpd_nagios_script_t );
nagios_read_config
( nagios_cgi_t );

allow httpd_t nagios_cgi_t
:process { sigkill signal };

allow nagios_cgi_t nagios_var_t
:fifo_file { getattr write read };
allow nagios_cgi_t nagios_var_t
:dir search;

allow httpd_nagios_script_t nagios_var_t
:fifo_file {getattr write };

allow httpd_nagios_script_t nagios_var_t
:file r_file_perms;
allow httpd_nagios_script_t nagios_var_t
:dir r_dir_perms;
allow httpd_nagios_script_t nagios_var_t
:dir search_dir_perms;

allow restorecon_t nagios_var_t
:file relabelto;

#
# Need 
this so check_dns will work
allow nagios_t inaddr_any_node_t
:udp_socket node_bind;

#
# things that dont matter
...
dontaudit httpd_nagios_script_t unlabeled_t
:dir search;
dontaudit nagios_t httpd_sys_content_t
:dir search;

# check_mysql
...
dontaudit nagios_t mysqld_etc_t
:file getattr;
dontaudit nagios_t usr_t
:file getattr;

#
# rules to let nagios sendmail
allow nagios_t sbin_t
:lnk_file read;


nagios-local.fc

/usr/local/nagios/var(/.*)? system_u:object_r:nagios_var_t:s0


参考资料:
http://wiki.nagios.org/index.php/Selinux
http://blog.pas.net.au/2009/05/fighting-with-selinux-and-nagios/
http://blogs.fedoraproject.org/wp/mgrepl/2010/01/22/selinuxnagios/

 

 

其实就是需要

require {
        type usr_t;
        type ping_t;
        class file { read write };
}

#============= ping_t ==============
allow ping_t usr_t:file { read write };

这样的规则给nagios

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SELinux -troubleshooting file labeling issues

This is a follow-up to SELinux- dealing with exceptions.

First off, a few basics:

chcon should only be used for temporary changes. See SELinuxContexts - Labeling Files. Changes made with chcon will notsurvive a file system relabeling or use of the restorecon command.

/usr/sbin/semanage fcontext will permanently change the filecontext in a manner that will survive a relabel or restorecon. See 5.7.2.Persistent Changes: semanage fcontext in the Fedora 10 documentation.

How do I find out what file labels were defined already for a package?

This is a bit trickier, but the key lies in looking under the followingdirectory tree:

/etc/selinux/targeted/contexts/

For file labels, look at the file_context* files under:

/etc/selinux/targeted/contexts/files/

For example, I want to see what file contexts are defined for Nagios:

# grep -h "nagios"/etc/selinux/targeted/contexts/files/file_contexts*

/usr/lib(64)?/nagios/cgi(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/nagios/plugins(/.*)?      system_u:object_r:bin_t:s0

/usr/lib(64)?/nagios/cgi-bin(/.*)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/nagios(/.+)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/netsaint(/.*)?   system_u:object_r:httpd_nagios_script_exec_t:s0

/etc/nagios(/.*)?       system_u:object_r:nagios_etc_t:s0

/var/log/nagios(/.*)?   system_u:object_r:nagios_log_t:s0

/var/log/netsaint(/.*)?system_u:object_r:nagios_log_t:s0

/var/spool/nagios(/.*)?system_u:object_r:nagios_spool_t:s0

/usr/bin/nagios --      system_u:object_r:nagios_exec_t:s0

/etc/nagios/nrpe\.cfg   --     system_u:object_r:nrpe_etc_t:s0



You can also use the seinfo tool:

# seinfo -t | grep "nagios"
Rule loading disabled
nagios_spool_t
httpd_nagios_script_ra_t
httpd_nagios_script_ro_t
httpd_nagios_script_rw_t
nagios_t
httpd_nagios_script_t
nagios_tmp_t
httpd_nagios_htaccess_t
nagios_var_run_t
httpd_nagios_content_t
nagios_exec_t
httpd_nagios_script_exec_t
nagios_etc_t
nagios_log_t

Another tool is sesearch, i.e.: 

# sesearch -a | grep "nagios" | sort | uniq

Troubleshooting and fixing things

Thus, step #1 is generally that we need to figure out whether (A) the AVCdenial was caused by a mislabeled file. And if so, we need to change the filelabel.

Here's an example of what setroubleshoot log messages look like in the/var/log/messages file.

# grep "setroubleshoot" /var/log/messages
setroubleshoot: SELinux is preventing the status.cgi from using potentiallymislabeled files ./objects.cache (var_t). For complete SELinux messages. runsealert -l ce49f540-0b35-412c-862c-b901a274a421

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checkZKmcmr (var_t). For complete SELinuxmessages. run sealert -l cf227199-1595-4775-9970-3935fc761b38

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checke4tQgY (var_t). For complete SELinuxmessages. run sealert -l dbdc707e-193a-4f64-9bf2-0bb0d0a807e9

And here's what they look like in /var/log/audit:

# grep "AVC" /var/log/audit/audit.log | tail

type=AVC msg=audit(1233836684.122:15494): avc: denied { read } for pid=12081comm="status.cgi" name="objects.cache" dev=md1 ino=1306897scontext=system_u:system_r:httpd_nagios_script_t:s0tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836426.120:15476): avc: denied { read write } forpid=7518 comm="ping"path="/var/nagios/spool/checkresults/checkZKmcmr" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836366.097:15454): avc: denied { read write } forpid=20671 comm="ping"path="/var/nagios/spool/checkresults/checke4tQgY" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

In this particular case, the fact that the target context is "var_t"generally indicates a labeling issue. The "var_t" file context ispretty generic and we don't want to give the source context(httpd_nagios_script_t) for status.cgi permissions to all files labeled withvar_t (which would be most of /var).

This means that using audit2allow is the wrong fix for thisparticular issue.

The correct solution is to either find out what file context should be used, orcreate a context and grant nagios access to those files.

References:

Fedora10 Security-Enhanced Linux User Guide

Top three things tounderstand in fixing SELinux problems. Reposted

Fedora SELinux Project Pages(wiki)

RedHat Enterprise Linux 4: Red Hat SELinux Guide

installation-howto.html" style="color: rgb(51, 102, 153); text-decoration: none;">Howto: Install and Setup XEN Virtualization Software on CentOS Linux 5 -Covers how to use semanage to grant the Xen process access to a directory whereit will store the DomU storage as files.

Updates:

Earlier, I mentioned that audit2allow was really not the best way to approachfile context issues. Now that I've learned a bit more, I can point you in abetter direction. 

1) semanage fcontext -a -t (newcontext) /full/path/to/filename

The "semanage" tool creates (or updates) a file under/etc/selinux/targeted/contexts/files. (Replace the word "targeted"with the current SELinux policy that you are using.) The file it creates iscalled "file_contexts.local".

"semanage" is used to create file contexts that will survive a systemrelabeling. So to properly change the file context on a path, you will use the"semanage fcontext" command then use "restorecon -vv -F" tofix the file / directory.

Note that you must supply a full path with a leading slash, otherwise you mayfind that restorecon does the wrong thing in other directories to files thatalso happen to match the pattern.

2) Using semanage to see what the default context is for a particular file

# semanage fcontext -l | grep '/some/path'

Note that this will not tell you where / what policy (whether part of the baseSELinux package or whether it's a custom/local policy change). If you want tofigure out whether it is a local change, then you should grep the files under/etc/selinux/targeted/contexts/files.

3) Relabing using restorecon.

"restorecon -v" will tell you which files get relabeled.

"restorecon -vv" will additionally tell you about files that did notget relabeled.

"restorecon -F" can be used to force a file back to the correctcontext as defined in the SELinux policy files.


标签: SELinuxNagiosnagios

作者:良玉 分类:Nagios 浏览:1609 评论:0
留言列表
发表评论
来宾的头像