SELinux: add a boolean to allow execution of plugins via sudo
Fixes #7039
This commit is contained in:
parent
f4e9028543
commit
1c30a571d4
|
@ -106,6 +106,10 @@ SELinux is based on the least level of access required for a service to run. Usi
|
|||
|
||||
Having this boolean enabled allows icinga2 to connect to all ports. This can be necessary if you use features which connect to unconfined services, for example the [influxdb writer](14-features.md#influxdb-writer).
|
||||
|
||||
**icinga2_run_sudo**
|
||||
|
||||
To allow Icinga 2 executing plugins via sudo you can toogle this boolean. It is disabled by default, resulting in error messages like `execvpe(sudo) failed: Permission denied`.
|
||||
|
||||
**httpd_can_write_icinga2_command**
|
||||
|
||||
To allow httpd to write to the command pipe of icinga2 this boolean has to be enabled. This is enabled by default, if not needed you can disable it for more security.
|
||||
|
@ -167,13 +171,37 @@ Change the port value for the graphite feature according to your graphite instal
|
|||
}
|
||||
# icinga2 feature enable graphite
|
||||
|
||||
Before you restart the icinga2 service allow it to connect to all ports by enabling the boolean ´icinga2_can_connect_all` (now and permanent).
|
||||
Before you restart the icinga2 service allow it to connect to all ports by enabling the boolean `icinga2_can_connect_all` (now and permanent).
|
||||
|
||||
# setsebool icinga2_can_connect_all true
|
||||
# setsebool -P icinga2_can_connect_all true
|
||||
|
||||
If you restart the daemon now it will successfully connect to graphite.
|
||||
|
||||
#### Running plugins requiring sudo <a id="selinux-policy-examples-sudo"></a>
|
||||
|
||||
Some plugins require privileged access to the system and are designied to be executed via `sudo` to get these privileges.
|
||||
|
||||
In this case it is the CheckCommand [running_kernel](10-icinga-template-library.md#plugin-contrib-command-running_kernel) which is set to use `sudo`.
|
||||
|
||||
# cat /etc/icinga2/conf.d/services.conf
|
||||
apply Service "kernel" {
|
||||
import "generic-service"
|
||||
|
||||
check_command = "running_kernel"
|
||||
|
||||
vars.running_kernel_use_sudo = true
|
||||
|
||||
assign where host.name == NodeName
|
||||
}
|
||||
|
||||
Having this Service defined will result in a UNKNOWN state and the error message `execvpe(sudo) failed: Permission denied` because SELinux dening the execution.
|
||||
|
||||
Switching the boolean `icinga2_run_sudo` to allow the execution will result in the check executed successfully.
|
||||
|
||||
# setsebool icinga2_run_sudo true
|
||||
# setsebool -P icinga2_run_sudo true
|
||||
|
||||
#### Confining a user <a id="selinux-policy-examples-user"></a>
|
||||
|
||||
If you want to have an administrative account capable of only managing icinga2 and not the complete system, you can restrict the privileges by confining
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(icinga2, 0.1.8)
|
||||
policy_module(icinga2, 0.2.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -11,9 +11,28 @@ policy_module(icinga2, 0.1.8)
|
|||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(icinga2_can_connect_all, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to connect to Icinga 2 API
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_connect_icinga2_api, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to write into Icinga 2 Commandpipe
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_write_icinga2_command, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Icinga 2 to run plugins via sudo
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(icinga2_run_sudo, false)
|
||||
|
||||
require {
|
||||
type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
|
||||
type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
|
||||
|
@ -24,6 +43,7 @@ require {
|
|||
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
||||
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||
type httpd_t; type system_mail_t;
|
||||
type devlog_t;
|
||||
role staff_r;
|
||||
attribute unreserved_port_type;
|
||||
}
|
||||
|
@ -182,6 +202,34 @@ tunable_policy(`icinga2_can_connect_all',`
|
|||
corenet_tcp_connect_all_ports(icinga2_t)
|
||||
')
|
||||
|
||||
# This is for plugins requiring to be executed via sudo
|
||||
tunable_policy(`icinga2_run_sudo',`
|
||||
allow icinga2_t self:capability { audit_write net_admin };
|
||||
allow icinga2_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow icinga2_t devlog_t:sock_file write;
|
||||
|
||||
init_read_utmp(icinga2_t)
|
||||
|
||||
auth_domtrans_chkpwd(icinga2_t)
|
||||
allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh };
|
||||
|
||||
selinux_compute_access_vector(icinga2_t)
|
||||
|
||||
dbus_send_system_bus(icinga2_t)
|
||||
dbus_stream_connect_system_dbusd(icinga2_t)
|
||||
systemd_dbus_chat_logind(icinga2_t)
|
||||
# Without this it works but is very slow
|
||||
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`icinga2_run_sudo',`
|
||||
sudo_exec(icinga2_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Icinga Webinterfaces
|
||||
|
|
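Review bot: The new `icinga2_run_sudo` block grants `icinga2_t` the `net_admin` capability next to `audit_write` without saying why, and its only comment (`# This is for plugins requiring to be executed via sudo`) does not tie any of the permissions to what sudo needs; since the document hunk at @ -106,6 +106,10 describes this policy as least-access, each non-obvious rule deserves a short why-comment, e.g. `# audit_write + netlink_audit_socket: presumably sudo's audit logging` and a matching note for `net_admin` once its need is confirmed (nothing in the hunk shows it). The `allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh };` line references `chkpwd_t`, which the `require { }` hunk at @ -24,6 +43,7 does not add; this may be satisfied by the `gen_require` inside `auth_domtrans_chkpwd`, but an explicit `type chkpwd_t;` there keeps the module's external dependencies visible in one place. The `optional_policy` wrapper around `sudo_exec(icinga2_t)` is uncommented; `# sudo module may be absent; only then is the exec rule dropped` would explain why it is split from the main tunable block. The `# Without this it works but is very slow` comment should name what is slow (the sudo-invoked check run) so the rule is not dropped later as unnecessary.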