icingaweb2/doc/90-SELinux.md

120 lines
5.7 KiB
Markdown

# SELinux <a id="selinux"></a>
## Introduction <a id="selinux-introduction"></a>
SELinux is a mandatory access control (MAC) system on Linux which adds a fine granular permission system for access
to all resources on the system such as files, devices, networks and inter-process communication.
The most important questions are answered briefly in the [FAQ of the SELinux Project](http://selinuxproject.org/page/FAQ).
For more details on SELinux and how to actually use and administrate it on your systems have a look at
[Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html).
For a simplified (and funny) introduction download the [SELinux Coloring Book](https://github.com/mairin/selinux-coloring-book).
## Policy <a id="selinux-policy"></a>
Icinga Web 2 is providing its own SELinux policy for Red Hat Enterprise Linux 7 and its derivates running the targeted
policy which confines Icinga Web 2 with support for all its modules. All other distributions will require some tweaks.
It is not upstreamed to the reference policies yet.
The policy for Icinga Web 2 will also require the policy for Icinga 2 which provides access to its interfaces.
It covers only the scenario running Icinga Web 2 in Apache HTTP Server with mod_php.
## Installation <a id="selinux-policy-installation"></a>
There are two ways to install the SELinux Policy for Icinga Web 2 on Enterprise Linux 7.
Either install it from the provided package which is the preferred option or intall the policy manually, if you need
fixes which are not yet released.
Verify that the system runs in enforcing mode.
sestatus
# SELinux status: enabled
# SELinuxfs mount: /sys/fs/selinux
# SELinux root directory: /etc/selinux
# Loaded policy name: targeted
# Current mode: enforcing
# Mode from config file: enforcing
# Policy MLS status: enabled
# Policy deny_unknown status: allowed
# Max kernel policy version: 28
If problems occur, you can set icinga2 or httpd to run to run its domain in permissive mode.
You can change the configured mode by editing `/etc/selinux/config` and the current mode by executing `setenforce 0`.
### Package installation <a id="selinux-policy-installation-package"></a>
Simply add the `selinux` subpackage to your installation.
yum install icingaweb2-selinux
### Manual installation <a id="selinux-policy-installation-manual"></a>
This section describes the manual installation to support development and testing.
As a prerequisite install the `git`, `selinux-policy-devel` and `audit` package. Enable and start the audit daemon
afterwards.
yum install git selinux-policy-devel audit
systemctl enable auditd.service
systemctl start auditd.service
To create and install the policy package run the installation script from the Icinga Web 2 source which also labels the
resources.
cd packages/selinux/
./icingaweb2.sh
Verify that Apache runs in its own domain `httpd_t` and the Icinga Web 2 configuration has its own context
`icingaweb2_config_t`.
ps -eZ | grep http
# system_u:system_r:httpd_t:s0 9785 ? 00:00:00 httpd
ls -ldZ /etc/icingaweb2/
# drwxrws---. root icingaweb2 system_u:object_r:icingaweb2_config_t:s0 /etc/icingaweb2/
## General <a id="selinux-policy-general"></a>
When the SELinux policy package for Icinga Web 2 is installed, it creates its own type of apache content and labels its
configuration `icingaweb2_config_t` to allow confining access to it.
## Types <a id="selinux-policy-types"></a>
The configuration is labeled `icingaweb2_config_t` and other services can request access to it by using the interfaces
`icingaweb2_read_config` and `icingaweb2_manage_config`.
Files requiring read access are labeled `icingaweb2_content_t`. Files requiring write access are labeled
`icingaweb2_rw_content_t`.
## Booleans <a id="selinux-policy-booleans"></a>
SELinux is based on the least level of access required for a service to run. Using booleans you can grant more access in
a defined way. The Icinga Web 2 policy package provides the following booleans.
**httpd_can_manage_icingaweb2_config**
Having this boolean enabled allows httpd to write to the configuration labeled `icingaweb2_config_t`. This is enabled by
default. If not needed, you can disable it for more security. But this will disable all web based configuration of
Icinga Web 2.
## Bugreports <a id="selinux-bugreports"></a>
If you experience any problems while running SELinux in enforcing mode try to reproduce it in permissive mode. If the
problem persists, it is not related to SELinux because in permissive mode SELinux will not deny anything.
When filing a bug report please add the following information additionally to the
[common ones](https://www.icinga.com/icinga/faq/):
* Output of `semodule -l | grep -e icinga2 -e icingaweb2 -e nagios -e apache`
* Output of `semanage boolean -l | grep icinga`
* Output of `ps -eZ | grep httpd`
* Output of `audit2allow -li /var/log/audit/audit.log`
If access to a file is blocked and you can tell which one, please provided the output of `ls -lZ /path/to/file` and the
directory above.
If asked for full audit.log, add `-w /etc/shadow -p w` to `/etc/audit/rules.d/audit.rules` and restart the audit daemon.
Reproduce the problem and add `/var/log/audit/audit.log` to the bug report. The added audit rule includes
the path of files where access was denied.
If asked to provide full audit log with dontaudit rules disabled, execute `semodule -DB` before reproducing the problem.
After that enable the rules again to prevent auditd spamming your logfile by executing `semodule -B`.