From 1ca184a92a1b02fcadd847d1b1609d59e27f2373 Mon Sep 17 00:00:00 2001 From: Dirk Goetz Date: Tue, 31 Mar 2015 19:36:03 +0000 Subject: [PATCH] Selinux: added boolean for allowing icinga 2 to connect to all ports, added plugin domain transition to admin role refs #8332 --- doc/99-selinux.md | 49 +++++++++++++++++++++++++++++++++++----- tools/selinux/icinga2.if | 30 +++++++++++++++++++++++- tools/selinux/icinga2.te | 21 +++++++++++++++++ 3 files changed, 93 insertions(+), 7 deletions(-) diff --git a/doc/99-selinux.md b/doc/99-selinux.md index 10230e4ee..d03189554 100644 --- a/doc/99-selinux.md +++ b/doc/99-selinux.md @@ -40,11 +40,12 @@ As a prerequisite install the `git`, `selinux-policy-devel` and `audit` package. After that clone the icinga2 git repository and checkout the feature branch. # git clone git://git.icinga.org/icinga2.git + # cd icinga2/ # git checkout feature/rpm-selinux-8332 To create and install the policy package run the installation script which also labels the resources. (The script assumes Icinga 2 was started once after system startup, the labeling of the port will only happen once and fail later on.) - # cd icinga2/tools/selinux/ + # cd tools/selinux/ # ./icinga.sh Some changes to the systemd scripts are also required to handle file contexts correctly. This is at the moment only included in the feature branch, so it has to be copied manually. @@ -61,7 +62,7 @@ After that restart Icinga 2 and verify it running in its own domain `icinga2_t`. When the SELinux policy package for Icinga 2 is installed, the Icinga 2 daemon (icinga2) runs in its own domain `icinga2_t` and is separated from other confined services. -Files have to be labeled correctly for allowing icinga2 access to it. For example it writes to its own log files labeled `icinga2_log_t`. Also the API port is labeled `icinga_port_t` and the icinga2 is allowed to manage it. Furthermore icinga2 can open high ports and unix sockets to connect to databases and features like graphite. It executes the nagios plugins and transitions to their context if those are labeled for example `nagios_services_plugin_exec_t` or `nagios_system_plugin_exec_t`. +Files have to be labeled correctly for allowing icinga2 access to it. For example it writes to its own log files labeled `icinga2_log_t`. Also the API port is labeled `icinga_port_t` and icinga2 is allowed to manage it. Furthermore icinga2 can open high ports and unix sockets to connect to databases and features like graphite. It executes the nagios plugins and transitions to their context if those are labeled for example `nagios_services_plugin_exec_t` or `nagios_system_plugin_exec_t`. Additional the Apache webserver is allowed to connect to the Command pipe of Icinga 2 to allow web interfaces sending commands to icinga2. This will perhaps change later on while investigating Icinga Web 2 for SELinux! @@ -85,7 +86,15 @@ nagios_notification_plugin_exec_t | nagios_notification_plugin_t | Notification If one of those plugin domains causes problems you can set it to permissive by executing `semanage permissive -a domain`. -The policy provides a role `icinga2adm_r` for confining an user which enables an administrative user managing only Icinga 2 on the system. +The policy provides a role `icinga2adm_r` for confining an user which enables an administrative user managing only Icinga 2 on the system. This user will also execute the plugins in their domain instead of the users one, so you can verify their execution with the same restrictions like they have when executed by icinga2. + +### Booleans + +SELinux is based on the least level of access required for a service to run. Using booleans you can grant more access in a defined way. The Icinga 2 policy package provides the following booleans. + +**icinga2_can_connect_all** + +Having this boolean enabled allows icinga2 to connect to all ports. This can be neccesary if you use features which connect to unconfined services. ### Configuration Examples @@ -94,15 +103,15 @@ The policy provides a role `icinga2adm_r` for confining an user which enables an Download and install a plugin, for example check_mysql_health. # wget http://labs.consol.de/download/shinken-nagios-plugins/check_mysql_health-2.1.9.2.tar.gz - # tar xvzf check_mysql_health-2.1.9.2.tar.gz + # tar xvzf check_mysql_health-2.1.9.2.tar.gz # cd check_mysql_health-2.1.9.2/ # ./configure --libexecdir /usr/lib64/nagios/plugins # make # make install -It is label `nagios_unconfined_plugins_exec_t` by default, so it runs without restrictions. +It is labeled `nagios_unconfined_plugins_exec_t` by default, so it runs without restrictions. - # ls -lZ /usr/lib64/nagios/plugins/check_mysql_health + # ls -lZ /usr/lib64/nagios/plugins/check_mysql_health -rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_mysql_health In this case the plugin is monitoring a service, so it should be labeled `nagios_services_plugin_exec_t` to restrict its permissions. @@ -113,6 +122,34 @@ In this case the plugin is monitoring a service, so it should be labeled `nagios The plugin still runs fine but if someone changes the script to do weird stuff it will fail to do so. +#### Allow icinga to connect to all ports. + +You are running graphite on a different port than `2003` and want `icinga2` to connect to it. + +Change the port value for the graphite feature according to your graphite installation before enabling it. + + # cat /etc/icinga2/features-enabled/graphite.conf + /** + * The GraphiteWriter type writes check result metrics and + * performance data to a graphite tcp socket. + */ + + library "perfdata" + + object GraphiteWriter "graphite" { + //host = "127.0.0.1" + //port = 2003 + port = 2004 + } + # icinga2 feature enable graphite + +Before you restart the icinga2 service allow it to connect to all ports by enabling the boolean ´icinga2_can_connect_all` (now and permanent). + + # setsebool icinga2_can_connect_all true + # setsebool -P icinga2_can_connect_all true + +If you restart the daemon now it will successfully connect to graphite. + #### Confining a user Start by adding the Icinga 2 administrator role `icinga2adm_r` to the administrative SELinux user `staff_u`. diff --git a/tools/selinux/icinga2.if b/tools/selinux/icinga2.if index 3c1e4635a..62c165d30 100644 --- a/tools/selinux/icinga2.if +++ b/tools/selinux/icinga2.if @@ -345,7 +345,7 @@ interface(`icinga2_send_commands',` ######################################## ## -## For domains icinga should transition to (e.g. Plugins). +## For domains icinga2 should transition to (e.g. Plugins). ## ## ## @@ -404,3 +404,31 @@ interface(`icinga2adm_role_change',` allow $1 icinga2adm_r; ') + +######################################## +## +## For domains icinga2adm should transition to (e.g. Plugins). +## +## +## +## Context of the executable. +## +## +## +## +## Domain icinga should transition to. +## +## +# +interface(`icinga2adm_execstrans',` + gen_require(` + type icinga2adm_t; + ') + + role icinga2adm_r types $2; + allow icinga2adm_r system_r; + type_transition icinga2adm_t $1:process $2; + allow icinga2adm_t $2:process transition; + allow $2 icinga2adm_t:process sigchld; + role_transition icinga2adm_r $1 system_r; +') diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te index 4b9126344..9d2497d14 100644 --- a/tools/selinux/icinga2.te +++ b/tools/selinux/icinga2.te @@ -5,6 +5,13 @@ policy_module(icinga2, 0.1.3) # Declarations # +## +##

+## Allow Icinga 2 to connect to all ports +##

+##
+gen_tunable(icinga2_can_connect_all, false) + require { type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t; type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t; @@ -148,6 +155,10 @@ postgresql_tcp_connect(icinga2_t) # graphite is using port 2003 which is lmtp_port_t corenet_tcp_connect_lmtp_port(icinga2_t) +tunable_policy(`icinga2_can_connect_all',` + corenet_tcp_connect_all_ports(icinga2_t) +') + ######################################## # # Icinga Webinterfaces @@ -172,3 +183,13 @@ allow icinga2adm_t self:capability { dac_read_search dac_override }; # should be moved to staff.te icinga2adm_role_change(staff_r) +# should be moved to nagios_plugin_template in nagios.if +icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) +icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) +icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) +icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) +icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) +icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) +icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) +icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) +icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)