Improve SELinux policy

fixes #4781

Signed-off-by: Michael Friedrich <michael.friedrich@icinga.com>
This commit is contained in:
Dirk Goetz 2016-11-11 14:16:26 +00:00 committed by Michael Friedrich
parent d725897000
commit bb01dbd953
5 changed files with 64 additions and 17 deletions


@ -4,19 +4,19 @@
SELinux is a mandatory access control (MAC) system on Linux which adds a fine granular permission system for access to all resources on the system such as files, devices, networks and inter-process communication.
The most important questions are answered briefly in the [FAQ of the SELinux Project](http://selinuxproject.org/page/FAQ). For more details on SELinux and how to actually use and administrate it on your systems have a look at [Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html). For an simplified (and funny) introduction download the [SELinux Coloring Book](https://github.com/mairin/selinux-coloring-book).
The most important questions are answered briefly in the [FAQ of the SELinux Project](http://selinuxproject.org/page/FAQ). For more details on SELinux and how to actually use and administrate it on your systems have a look at [Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html). For a simplified (and funny) introduction download the [SELinux Coloring Book](https://github.com/mairin/selinux-coloring-book).
This documentation will use a similar format like the SELinux User's and Administrator's Guide.
### <a id="selinux-policy"></a> Policy
Icinga 2 is providing its own SELinux Policy. At the moment it is not upstreamed to the reference policy because it is under development. Target of the development is a policy package for Red Hat Enterprise Linux 7 and its derivates running the targeted policy which confines Icinga2 with all features and all checks executed. All other distributions will require some tweaks.
Icinga 2 is providing its own SELinux policy. Development target is a policy package for Red Hat Enterprise Linux 7 and its derivatives running the targeted policy which confines Icinga 2 with all features and all checks executed. All other distributions will require some tweaks.
### <a id="selinux-policy-installation"></a> Installation
There are two ways to install the SELinux Policy for Icinga 2 on Enterprise Linux 7. Installing it from the provided package which is the preferred option and manual installation if you need some fixes not released yet or for development.
The policy package will run the daemon in a permissive domain so nothing will be denied also if the system runs in enforcing mode, so please make sure to run the system in this mode.
If the system runs in enforcing mode, you can still set icinga2 to run its domain permissive if problems occur, so please make sure to run the system in this mode.
# sestatus
SELinux status: enabled
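Review bot: the new sentence that replaces "The policy package will run the daemon in a permissive domain ..." keeps the old trailing clause "so please make sure to run the system in this mode", which no longer refers to anything; the sentence now explains a fallback to a permissive icinga2 domain, not a mode the reader should pick. Suggest cutting the clause, e.g. "If the system runs in enforcing mode, you can still set the icinga2 domain to permissive if problems occur (see the configuration examples below)."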
@ -33,9 +33,7 @@ You can change the configured mode by editing `/etc/selinux/config` and the curr
#### <a id="selinux-policy-installation-package"></a> Package installation
The packages are provided with release version 2.4 onwards.
Simply add the selinux subpackage to your installation.
Simply add the `icinga2-selinux` package to your installation.
# yum install icinga2-selinux
@ -76,7 +74,7 @@ When the SELinux policy package for Icinga 2 is installed, the Icinga 2 daemon (
Files have to be labeled correctly for allowing icinga2 access to it. For example it writes to its own log files labeled `icinga2_log_t`. Also the API port is labeled `icinga_port_t` and icinga2 is allowed to manage it. Furthermore icinga2 can open high ports and unix sockets to connect to databases and features like graphite. It executes the nagios plugins and transitions to their context if those are labeled for example `nagios_services_plugin_exec_t` or `nagios_system_plugin_exec_t`.
Additional the Apache webserver is allowed to connect to the Command pipe of Icinga 2 to allow web interfaces sending commands to icinga2. This will perhaps change later on while investigating Icinga Web 2 for SELinux!
Additional the Apache web server is allowed to connect to the Command pipe of Icinga 2 to allow web interfaces sending commands to icinga2. This will perhaps change later on while investigating Icinga Web 2 for SELinux!
### <a id="selinux-policy-types"></a> Types
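Review bot: "Additional the Apache web server" should read "Additionally, the Apache web server", and "to allow web interfaces sending commands" reads better as "to allow web interfaces to send commands". The unchanged context line above still says the API port is labeled `icinga_port_t`, while the interface added in icinga2.if and the new tunable in icinga2.te use `icinga2_port_t`; the documentation should use the actual type name.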
@ -108,8 +106,22 @@ SELinux is based on the least level of access required for a service to run. Usi
Having this boolean enabled allows icinga2 to connect to all ports. This can be neccesary if you use features which connect to unconfined services.
**httpd_can_write_icinga2_command**
Having this boolean enabled allows httpd to write to the command pipe of icinga2. This is enabled by default, if not needed you can disable it for more security.
**httpd_can_connect_icinga2_api**
Having this boolean enabled allows httpd to connect to the API of icinga2 (Ports labeled icinga2_port_t). This is enabled by default, if not needed you can disable it for more security.
### <a id="selinux-policy-examples"></a> Configuration Examples
#### <a id="selinux-policy-examples-permissive"></a> Run the icinga2 service permissive
If problems occur while running the system in enforcing mode and those problems are only caused by the policy of the icinga2 domain, you can set this domain to permissive instead of the complete system. This can be done by executing `semanage permissive -a icinga2_t`.
Make sure to report the bugs in the policy afterwards.
#### <a id="selinux-policy-examples-plugin"></a> Confining a plugin
Download and install a plugin, for example check_mysql_health.
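Review bot: both new booleans are documented as enabled by default, which matches the `gen_tunable(..., true)` lines in icinga2.te. Since each one widens what `httpd_t` may reach, the "you can disable it for more security" sentence would be more useful with the command to do so, e.g. `setsebool -P httpd_can_write_icinga2_command off`, so that readers who run the web interface on another host know what to switch off. Minor: "Ports labeled icinga2_port_t" should put the type name in backticks like the other type names on this page.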
@ -140,7 +152,7 @@ You are running graphite on a different port than `2003` and want `icinga2` to c
Change the port value for the graphite feature according to your graphite installation before enabling it.
# cat /etc/icinga2/features-enabled/graphite.conf
# cat /etc/icinga2/features-enabled/graphite.conf
/**
* The GraphiteWriter type writes check result metrics and
* performance data to a graphite tcp socket.
@ -217,7 +229,7 @@ Now try the commands again without providing the role and type and they will wor
If you experience any problems while running in enforcing mode try to reproduce it in permissive mode. If the problem persists it is not related to SELinux because in permissive mode SELinux will not deny anything.
For now Icinga 2 is running in a permissive domain and adds also some rules for other necessary services so no problems should occure at all. But you can help to enhance the policy by testing Icinga 2 running confined by SELinux.
After some feedback Icinga 2 is now running in a enforced domain, but still adds also some rules for other necessary services so no problems should occure at all. But you can help to enhance the policy by testing Icinga 2 running confined by SELinux.
Please add the following information to [bug reports](https://www.icinga.com/community/get-involved/):
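Review bot: "running in a enforced domain" should be "running in an enforcing domain" (the policy now has `permissive icinga2_t;` commented out), and "occure" in the same sentence is carried over from the old line; worth fixing to "occur" while the line is being touched.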


@ -4,9 +4,10 @@
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
/etc/icinga2/scripts(/.*)? -- gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
/usr/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
/usr/lib64/icinga2/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
/var/lib/icinga2(/.*)? gen_context(system_u:object_r:icinga2_var_lib_t,s0)
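Review bot: the `/usr/sbin/icinga2` entry is replaced rather than supplemented. If `/usr/sbin/icinga2` still exists in the package (for instance as a wrapper), it now falls back to the default `bin_t` label, and since `init_daemon_domain(icinga2_t, icinga2_exec_t)` transitions on `icinga2_exec_t`, only an exec of the lib64 binary reaches the confined domain; please confirm that is intended. `/usr/lib64` is also hardcoded; the usual refpolicy form is `/usr/lib(64)?/icinga2/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)` so the label applies on 32-bit layouts as well. The `--` added to the scripts line is a good change: only regular files get `nagios_notification_plugin_exec_t`, and the directory itself keeps `icinga2_etc_t` from the `/etc/icinga2(/.*)?` pattern.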


@ -432,3 +432,21 @@ interface(`icinga2adm_execstrans',`
allow $2 icinga2adm_t:process sigchld;
role_transition icinga2adm_r $1 system_r;
')
########################################
## <summary>
## Make a TCP connection to the icinga2 port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_connect_icinga2_port',`
gen_require(`
type icinga2_port_t;
')
allow $1 icinga2_port_t:tcp_socket name_connect;
')
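Review bot: the interface is named `corenet_tcp_connect_icinga2_port` but is defined in icinga2.if. The `corenet_` prefix belongs to the corenetwork module, which generates the `corenet_tcp_connect_*_port` interfaces for the ports it knows; if the icinga2 port is ever added there, the two definitions collide. Suggest a module-prefixed name such as `icinga2_tcp_connect_port`, matching `icinga2_send_commands` and `icinga2_execstrans` in the same file, and adjusting the caller in icinga2.te. The `gen_require` on `icinga2_port_t` and the single `name_connect` permission are correct.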


@ -46,6 +46,7 @@ make -f /usr/share/selinux/devel/Makefile icinga2.pp || exit
sepolicy manpage -p . -d icinga2_t
# Fixing the file context on /usr/sbin/icinga2
/sbin/restorecon -F -R -v /usr/sbin/icinga2
/sbin/restorecon -F -R -v /usr/lib64/icinga2/sbin/icinga2
# Fixing the file context on /etc/rc\.d/init\.d/icinga2
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
# Fixing the file context on /usr/lib/systemd/system/icinga2.*
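Review bot: the comment on the line above the changed one (`# Fixing the file context on /usr/sbin/icinga2`) was not updated with the path and should now name `/usr/lib64/icinga2/sbin/icinga2`. Same remark as for icinga2.fc: if the file context pattern becomes `/usr/lib(64)?/icinga2/sbin/icinga2`, the restorecon call here should cover both directories.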
@ -63,10 +64,6 @@ sepolicy manpage -p . -d icinga2_t
# Fixing the file context on /var/spool/icinga2
/sbin/restorecon -F -R -v /var/spool/icinga2
# Fix dir permissions until we have it in the package
chown root /etc/icinga2
chown root /etc/icinga2/init.conf
# Label the port 5665
/sbin/semanage port -a -t icinga2_port_t -p tcp 5665


@ -11,6 +11,8 @@ policy_module(icinga2, 0.1.3)
## </p>
## </desc>
gen_tunable(icinga2_can_connect_all, false)
gen_tunable(httpd_can_connect_icinga2_api, true)
gen_tunable(httpd_can_write_icinga2_command, true)
require {
type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
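Review bot: the two new `gen_tunable` lines sit directly after the closing `## </desc>` of `icinga2_can_connect_all` and have no `## <desc>` block of their own, so `semanage boolean -l` and `sepolicy booleans` will show no description for them. Give each tunable its own `## <desc><p>...</p></desc>` comment, mirroring the text added to the documentation. Defaulting both to `true` deliberately widens what `httpd_t` may do out of the box; the doc says so, and a one-line comment here stating why the default is on would help future readers of the policy.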
@ -29,7 +31,7 @@ type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)
permissive icinga2_t;
#permissive icinga2_t;
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)
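Review bot: commenting out `permissive icinga2_t;` moves the domain to enforcing, which is the substantive change of this commit; prefer deleting the line rather than leaving it commented, and bump the version in `policy_module(icinga2, 0.1.3)` (context of the first hunk in this file) since the installed module's behaviour changes.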
@ -71,6 +73,7 @@ corenet_port(icinga2_port_t)
allow icinga2_t self:capability { setgid setuid sys_resource };
allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_dgram_socket create_socket_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
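Review bot: if `unix_dgram_socket create_socket_perms` is needed for syslog (the usual reason a daemon needs a datagram socket), the refpolicy way is `logging_send_syslog_msg(icinga2_t)`, which also grants writing to the `/dev/log` socket; a comment naming the use case would make the rule reviewable either way.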
@ -114,7 +117,11 @@ auth_use_nsswitch(icinga2_t)
miscfiles_read_localization(icinga2_t)
corecmd_check_exec_shell(icinga2_t)
corecmd_exec_shell(icinga2_t)
corecmd_exec_bin(icinga2_t)
kernel_read_system_state(icinga2_t)
kernel_read_network_state(icinga2_t)
# should be moved to nagios_plugin_template in nagios.if
icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
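Review bot: `corecmd_exec_shell` appears to supersede the `corecmd_check_exec_shell` kept on the line above it (the check variant only grants `execute` without `execute_no_trans`), so the latter can be dropped. `kernel_read_network_state` lets the daemon read all of `/proc/net`; a comment stating which feature needs it (the plugins themselves run in their own domains via `icinga2_execstrans`) would help keep the rule set minimal.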
@ -129,6 +136,7 @@ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
# should be moved nagios.te
nagios_plugin_template(notification)
icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
allow nagios_notification_plugin_t icinga2_etc_t:dir search;
allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
#permissive nagios_notification_plugin_t;
corecmd_exec_bin(nagios_notification_plugin_t)
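Review bot: with the `--` added in icinga2.fc, the directory `/etc/icinga2/scripts` itself is labeled `icinga2_etc_t`, so `allow nagios_notification_plugin_t icinga2_etc_t:dir search;` is the rule that matters; `allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;` only helps on systems where the directory still carries the old label before `restorecon` has run. Either drop it or add a comment that it is transitional. For consistency with the `list_dirs_pattern` usage elsewhere in the file, `search_dirs_pattern` could be used instead of the raw allow rule.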
@ -155,6 +163,8 @@ postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t)
# This is for other feature that do not use a confined port
# or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',`
corenet_tcp_connect_all_ports(icinga2_t)
')
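Review bot: in the new comment, "other feature that do not use" should be "other features that do not use", and "one one with" should be "one with". Since `icinga2_can_connect_all` grants `corenet_tcp_connect_all_ports`, the comment could also state that enabling it removes the port confinement entirely, as the documentation hunk does.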
@ -166,7 +176,16 @@ tunable_policy(`icinga2_can_connect_all',`
optional_policy(`
# should be a boolean in apache-policy
icinga2_send_commands(httpd_t)
tunable_policy(`httpd_can_write_icinga2_command',`
icinga2_send_commands(httpd_t)
')
')
optional_policy(`
# should be a boolean in apache-policy
tunable_policy(`httpd_can_connect_icinga2_api',`
corenet_tcp_connect_icinga2_port(httpd_t)
')
')
########################################
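Review bot: the comment `# should be a boolean in apache-policy` is now stale in both blocks: it is a boolean, just defined in this module rather than in apache's. The two `optional_policy` blocks also both depend on `httpd_t`; they can be merged into one `optional_policy` containing both `tunable_policy` calls, which keeps a single `gen_require` for `httpd_t` and makes it obvious that both switches concern the same web server domain.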