mirror of https://github.com/Icinga/icinga2.git
Dirk Goetz
Michael Friedrich
parent
fac006e8fd
commit
7fc28dcbb7
|
|
@ -10,11 +10,11 @@ This documentation will use a similar format like the SELinux User's and Adminis
|
|||
|
||||
### <a id="selinux-policy"></a> Policy
|
||||
|
||||
Icinga 2 is providing its own SELinux Policy. At the moment it is not upstreamed to the reference policy because it is under development. Target of the development is a policy package for Red Hat Enterprise Linux 7 and its derivates running the targeted policy which confines Icinga2 with all features and all checks executed.
|
||||
Icinga 2 is providing its own SELinux Policy. At the moment it is not upstreamed to the reference policy because it is under development. Target of the development is a policy package for Red Hat Enterprise Linux 7 and its derivates running the targeted policy which confines Icinga2 with all features and all checks executed.
|
||||
|
||||
### <a id="selinux-policy-installation"></a> Installation
|
||||
|
||||
Later the policy will be installed by a seperate package and this section will be removed. Now it describes the installation to support development and testing. It assumes that Icinga 2 is already installed from packages and running on the system.
|
||||
Later the policy will be installed by a seperate package and this section will be removed. Now it describes the installation to support development and testing. It assumes that Icinga 2 is already installed from packages and running on the system.
|
||||
|
||||
The policy package will run the daemon in a permissive domain so nothing will be denied also if the system runs in enforcing mode, so please make sure to run the system in this mode.
|
||||
|
||||
|
|
@ -36,7 +36,7 @@ As a prerequisite install the `git`, `selinux-policy-devel` and `audit` package.
|
|||
# yum install git selinux-policy-devel audit
|
||||
# systemctl enable auditd.service
|
||||
# systemctl start auditd.service
|
||||
|
||||
|
||||
After that clone the icinga2 git repository and checkout the feature branch.
|
||||
|
||||
# git clone git://git.icinga.org/icinga2.git
|
||||
|
|
@ -47,6 +47,10 @@ To create and install the policy package run the installation script which also
|
|||
# cd icinga2/tools/selinux/
|
||||
# ./icinga.sh
|
||||
|
||||
Some changes to the systemd scripts are also required to handle file contexts correctly. This is at the moment only included in the feature branch, so it has to be copied manually.
|
||||
|
||||
# cp ../../etc/initsystem/{prepare-dirs,safe-reload} /usr/lib/icinga2/
|
||||
|
||||
After that restart Icinga 2 and verify it running in its own domain `icinga2_t`.
|
||||
|
||||
# systemctl restart icinga2.service
|
||||
|
|
@ -55,8 +59,32 @@ After that restart Icinga 2 and verify it running in its own domain `icinga2_t`.
|
|||
|
||||
### <a id="selinux-policy-general"></a> General
|
||||
|
||||
When the SELinux policy package for Icinga 2 is installed, the Icinga 2 daemon (icinga2) runs in its own domain `icinga2_t` and is separated from other confined services.
|
||||
|
||||
Files have to be labeled correctly for allowing icinga2 access to it. For example it writes to its own log files labeled `icinga2_log_t`. Also the API port is labeled `icinga_port_t` and the icinga2 is allowed to manage it. Furthermore icinga2 can open high ports and unix sockets to connect to databases and features like graphite. It executes the nagios plugins and transitions to their context if those are labeled for example `nagios_services_plugin_exec_t` or `nagios_system_plugin_exec_t`.
|
||||
|
||||
Additional the Apache webserver is allowed to connect to the Command pipe of Icinga 2 to allow web interfaces sending commands to icinga2. This will perhaps change later on while investigating Icinga Web 2 for SELinux!
|
||||
|
||||
### <a id="selinux-policy-types"></a> Types
|
||||
|
||||
The command pipe is labeled `icinga2_command_t` and other services can request access to it by using the interface `icinga2_send_commands`.
|
||||
|
||||
The nagios plugins use their own contexts and icinga2 will transition to it. This means plugins have to be labeled correctly for their required permissions. The plugins installed from package should have set their permissions by the corresponding policy module and you can restore them using `restorecon -R -v /usr/lib64/nagios/plugins/`. To label your own plugins use `chcon -t type /path/to/plugin`, for the type have a look at table below.
|
||||
|
||||
Type | Domain | Use case | Provided by policy package
|
||||
----------------------------------------------------------------------------------------------------------------------------------
|
||||
nagios_admin_plugin_exec_t | nagios_admin_plugin_t | Plugins which require require read access on all file attributes | nagios
|
||||
nagios_checkdisk_plugin_exec_t | nagios_checkdisk_plugin_t | Plugins which require read access to all filesystem attributes | nagios
|
||||
nagios_mail_plugin_exec_t | nagios_mail_plugin_t | Plugins which access the local mail service | nagios
|
||||
nagios_services_plugin_exec_t | nagios_services_plugin_t | Plugins monitoring network services | nagios
|
||||
nagios_system_plugin_exec_t | nagios_system_plugin_t | Plugins checking local system state | nagios
|
||||
nagios_unconfined_plugin_exec_t | nagios_unconfined_plugin_t | Plugins running without confinement | nagios
|
||||
nagios_eventhandler_plugin_exec_t | nagios_eventhandler_plugin_t | Eventhandler (actually running unconfined) | nagios
|
||||
nagios_openshift_plugin_exec_t | nagios_openshift_plugin_t | Plugins monitoring openshift | nagios
|
||||
nagios_notification_plugin_exec_t | nagios_notification_plugin_t | Notification commands | icinga (will be moved later)
|
||||
|
||||
If one of those plugin domains causes problems you can set it to permissive by executing `semanage permissive -a domain`.
|
||||
|
||||
### <a id="selinux-policy-examples"></a> Configuration Examples
|
||||
|
||||
## <a id="selinux-bugreports"></a> Bugreports
|
||||
|
|
@ -70,7 +98,7 @@ When filing a bug report please add the following information additionally to th
|
|||
* Output of `ps -eZ | grep icinga2`
|
||||
* Output of `semanage port -l | grep icinga2`
|
||||
* Output of `audit2allow -li /var/log/audit/audit.log`
|
||||
|
||||
|
||||
If access to a file is blocked and you can tell which one please provided the output of `ls -lZ /path/to/file` (and perhaps the directory above).
|
||||
|
||||
If asked for full audit.log add `-w /etc/shadow -p w` to `/etc/audit/rules.d/audit.rules`, restart the audit daemon, reproduce the problem and add `/var/log/audit/audit.log` to the bug report. With the added audit rule it will include the path of files access was denied to.
|
||||
|
|
|
|||
Loading…
Reference in New Issue