Hi,
Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/ - and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:
module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        type usr_t;
        class file { ioctl execute read open getattr execute_no_trans };
}

#============= snmpd_t ==============
Is there a better or more secure way of doing this?
Fred New
Systems administrator
Elion Ettevõtted AS
Tallinn, Estonia
On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
> Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/ - and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:
I would probably label /usr/local/snmp/bin/ and anything below it type bin_t. This will at least stop snmpd_t from executing generic usr files.

Example:

semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin

Besides that I guess you would need to allow snmpd_t to read /proc/mdstat files, but you can use audit2allow for that as you did below.
> module snmpScripts 1.0;
>
> require {
>         type snmpd_t;
>         type proc_mdstat_t;
>         type usr_t;
>         class file { ioctl execute read open getattr execute_no_trans };
> }
>
> #============= snmpd_t ==============
>
> Is there a better or more secure way of doing this?
>
> Fred New
> Systems administrator
> Elion Ettevõtted AS
> Tallinn, Estonia
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
> On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> > Hi,
> > Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/ - and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:
>
> I would probably label /usr/local/snmp/bin/ and anything below it type bin_t. This will at least stop snmpd_t from executing generic usr files.
>
> Example:
>
> semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
> restorecon -R -v /usr/local/snmp/bin
>
> Besides that I guess you would need to allow snmpd_t to read /proc/mdstat files, but you can use audit2allow for that as you did below.
Thanks, I like it. My snmpScripts.te looks simpler now:
module snmpScripts 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
I notice that I failed to include all of my previous snmpScripts.te. Two allow lines at the bottom were missing - one for usr_t as you mentioned above and the one shown here for proc_mdstat_t.
Fred
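The whole procedure discussed in this thread, as one added example (this is not code posted by Fred or Dominick): it labels the script directory bin_t as suggested, renders the trimmed snmpScripts.te from the last message, lints it for the usual checkmodule failure (a type used in an allow rule but missing from the require block), builds and loads the module, and then uses sesearch to confirm that snmpd_t can execute bin_t files under the base policy and read proc_mdstat_t under the new module. Assumed: a Fedora/RHEL system with policycoreutils (semanage, restorecon), checkpolicy (checkmodule, semodule_package) and setools (sesearch) installed; the function names, the argument handling and the lint are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes Fedora/RHEL with
# policycoreutils, checkpolicy and setools installed; run "apply" as root.
set -eu

SCRIPT_DIR="/usr/local/snmp/bin"   # directory from the thread
MODULE="snmpScripts"               # module name from the thread

# Emit the minimal .te from the thread: once the scripts are bin_t, the only
# extra permission snmpd_t needs is read access to /proc/mdstat.
render_te_module() {
    cat <<'EOF'
module snmpScripts 1.0;

require {
    type snmpd_t;
    type proc_mdstat_t;
    class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
EOF
}

# Lint before checkmodule: every type named in an allow rule must appear in the
# require block, otherwise the build fails with "type X is not declared".
# Prints each undeclared type and returns 1 if any were found.
check_te_requires() {
    te="$1"
    declared=$(printf '%s\n' "$te" |
        sed -n 's/^[[:space:]]*type[[:space:]]*\([A-Za-z0-9_]*\);.*/\1/p')
    rc=0
    for t in $(printf '%s\n' "$te" |
        sed -n 's/^[[:space:]]*allow[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*\([A-Za-z0-9_]*\):.*/\1 \2/p'); do
        [ "$t" = self ] && continue          # "self" is not a type
        if ! printf '%s\n' "$declared" | grep -qx "$t"; then
            echo "undeclared type: $t"
            rc=1
        fi
    done
    return $rc
}

# Persistently label the script directory bin_t, then relabel it on disk, so the
# scripts run under the existing snmpd_t -> bin_t rules instead of needing
# execute on generic usr_t. Falls back to -m if the fcontext already exists.
label_scripts() {
    semanage fcontext -a -t bin_t "${SCRIPT_DIR}(/.*)?" 2>/dev/null ||
        semanage fcontext -m -t bin_t "${SCRIPT_DIR}(/.*)?"
    restorecon -R -v "$SCRIPT_DIR"
}

# Build the module from the rendered .te and load it.
install_module() {
    tmp=$(mktemp -d)
    render_te_module > "$tmp/$MODULE.te"
    check_te_requires "$(cat "$tmp/$MODULE.te")"
    checkmodule -M -m -o "$tmp/$MODULE.mod" "$tmp/$MODULE.te"
    semodule_package -o "$tmp/$MODULE.pp" -m "$tmp/$MODULE.mod"
    semodule -i "$tmp/$MODULE.pp"
    rm -rf "$tmp"
}

# Check the result: directory label, base-policy execute on bin_t, the new
# proc_mdstat_t read, and the module being loaded. Any miss aborts (set -e).
verify() {
    ls -dZ "$SCRIPT_DIR"
    sesearch -A -s snmpd_t -t bin_t -c file -p execute
    sesearch -A -s snmpd_t -t proc_mdstat_t -c file -p read
    semodule -l | grep "^$MODULE"
}

case "${1:-}" in
    apply)  label_scripts; install_module; verify ;;
    verify) verify ;;
    *)      render_te_module ;;   # default: print the module for review
esac
```

With no argument the script only prints the module; `apply` does the labelling, build, load and verification, and `verify` can be rerun later (for example after a policy update) to confirm the rules are still there.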