SELinux
Creating a custom SELinux policy
Context
Example with the Nagios plugin check_keepalived_state.
It works locally:
[root@rproxy ~]# /usr/lib64/nagios/plugins/check_keepalived_state MASTER
OK: INSTANCE rproxy_1_2 is in MASTER state
But through NRPE it doesn't work =(
[root@poller1 ~]# /usr/lib64/nagios/plugins/check_nrpe -H 10.0.0.50 -c check_keepalived_state
CRITICAL:
In the logs:
[root@rproxy ~]# ausearch -m avc --start recent
----
time->Wed Jun 30 09:59:26 2021
type=PROCTITLE msg=audit(1625039966.424:330561): proctitle=637574002D640020002D660035002F7661722F72756E2F6B656570616C6976652E7374617465
type=SYSCALL msg=audit(1625039966.424:330561): arch=c000003e syscall=2 success=no exit=-13 a0=7ffcbcd7af1a a1=0 a2=1b6 a3=24 items=0 ppid=28481 pid=28483 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="cut" exe="/usr/bin/cut" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1625039966.424:330561): avc: denied { read } for pid=28483 comm="cut" name="keepalive.state" dev="tmpfs" ino=19120 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=file permissive=0
[root@rproxy ~]# ausearch -m avc --start recent | audit2allow
#============= nrpe_t ==============
allow nrpe_t keepalived_var_run_t:file read;
That seems normal: why would NRPE be allowed to read keepalived files in /var/run?
[root@rproxy ~]# ll -Z /var/run/keepalive.state
-rw-rw-rw-. root root system_u:object_r:keepalived_var_run_t:s0 /var/run/keepalive.state
Generating the policy (short version)
We build the compiled policy directly from the single alert that was raised:
ausearch -m avc --start recent | audit2allow -M sr_check_keepalived_state
This gives us two files:
- sr_check_keepalived_state.te (Type Enforcement: the policy in plain text)
- sr_check_keepalived_state.pp (the compiled policy)
[root@rproxy ~]# cat sr_check_keepalived_state.te
module sr_check_keepalived_state 1.0;
require {
type nrpe_t;
type keepalived_var_run_t;
class file read;
}
#============= nrpe_t ==============
allow nrpe_t keepalived_var_run_t:file read;
In general the .te makes it fairly clear what it allows.
Generating the policy (long version)
We generate the .te (Type Enforcement: plain text):
ausearch -m avc --start recent --raw | audit2allow -m sr_check_keepalived_state > sr_check_keepalived_state.te
We create the module (.mod):
checkmodule -M -m -o sr_check_keepalived_state.mod sr_check_keepalived_state.te
We package it into the loadable module:
semodule_package -o sr_check_keepalived_state.pp -m sr_check_keepalived_state.mod
We now have the .pp.
Installation
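As an added illustration (not part of the original notes and not audit2allow itself), the following shell script reimplements the step that audit2allow -m performs in both the short and long versions above: it reads raw AVC records, takes the source type from scontext, the target type from tcontext, the class from tclass and the permission set from the braces, merges repeated denials for the same type pair, and prints the resulting .te. The first sample record is the denial from the audit log above; the second is a constructed follow-up denial (open on the same file), included to show how several denials collapse into one allow rule. Because it is explicit about which audit fields end up where in the .te, it is a convenient way to see exactly what a generated module will grant before loading it with semodule -i.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of what "audit2allow -m" derives
# from raw AVC records. Not the page's own code and not audit2allow itself.

# Sample input. The first record is the denial from the page's audit log; the
# second is a constructed follow-up denial (open on the same file), added here
# to show how repeated denials for one type pair merge into one allow rule.
AVC_SAMPLE='type=AVC msg=audit(1625039966.424:330561): avc: denied { read } for pid=28483 comm="cut" name="keepalive.state" dev="tmpfs" ino=19120 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1625039970.100:330570): avc: denied { open } for pid=28490 comm="cut" name="keepalive.state" dev="tmpfs" ino=19120 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=file permissive=0'

# avc_to_te MODULE_NAME   (AVC records on stdin, .te source on stdout)
avc_to_te() {
    awk -v name="$1" '
    # one permission is printed bare, several are wrapped in braces
    function fmt(perm) { return (index(perm, " ") ? "{ " perm " }" : perm) }
    /type=AVC/ && /avc: *denied/ {
        # the permission set is the text between the braces
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context (user:role:type:level)
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s SUBSEP t SUBSEP c
        if (!(key in seen)) { seen[key] = 1; order[++nk] = key }
        if (!(s in tseen))  { tseen[s] = 1; types[++nt] = s }
        if (!(t in tseen))  { tseen[t] = 1; types[++nt] = t }
        if (!(c in cseen))  { cseen[c] = 1; classes[++nc] = c }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # merge permissions per (source, target, class) for the allow rule
            if (!((key SUBSEP p[j]) in pseen)) {
                pseen[key SUBSEP p[j]] = 1
                permlist[key] = (permlist[key] == "" ? "" : permlist[key] " ") p[j]
            }
            # and per class for the require block
            if (!((c SUBSEP p[j]) in cpseen)) {
                cpseen[c SUBSEP p[j]] = 1
                cperms[c] = (cperms[c] == "" ? "" : cperms[c] " ") p[j]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", classes[i], fmt(cperms[classes[i]])
        printf "}\n"
        last = ""
        for (i = 1; i <= nk; i++) {
            split(order[i], k, SUBSEP)
            if (k[1] != last) { printf "\n#============= %s ==============\n", k[1]; last = k[1] }
            printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], fmt(permlist[order[i]])
        }
    }'
}

# Stand-alone run: print the .te that the two sample denials produce.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te sr_check_keepalived_state
```

On a real host the same function can be fed with the page's own command, ausearch -m avc --start recent --raw | avc_to_te sr_check_keepalived_state, and the output compared with what audit2allow -m writes; the .te it prints for the two sample records is identical in shape to the one shown above, except that the require block and the allow rule carry { read open } instead of a bare read.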
[root@rproxy ~]# semodule -i sr_check_keepalived_state.pp
We check:
[root@rproxy ~]# semodule -l | grep sr_
sr_check_keepalived_state 1.0
[root@poller1 ~]# /usr/lib64/nagios/plugins/check_nrpe -H 10.0.0.50 -c check_keepalived_state
OK: INSTANCE rproxy_1_2 is in MASTER state
Yay!