Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Custom SNMP scripts (http://www.linux-archive.org/fedora-selinux-support/611980-custom-snmp-scripts.html)

Frederick William New 12-20-2011 07:57 AM

Custom SNMP scripts
 
Hi,

Is there recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:


module snmpScripts 1.0;

require {
type snmpd_t;
type proc_mdstat_t;
type usr_t;
class file { ioctl execute read open getattr execute_no_trans };
}

#============= snmpd_t ==============

Is there a better or more secure way of doing this?

Fred New
Systems administrator
Elion Ettevőtted AS
Tallinn, Estonia

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 12-20-2011 08:59 AM

Custom SNMP scripts
 
On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
>
> Is there recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:

I would probably label /usr/local/snmp/bin/ and anything below type
bin_t. This will atleast stop snmpd_t from executing generic usr files.

Example;

semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin

Besides that i guess you would need to allow snmpd_t to
read /proc/mdstat files but you can use audit2allow for that as you did
below.

>
> module snmpScripts 1.0;
>
> require {
> type snmpd_t;
> type proc_mdstat_t;
> type usr_t;
> class file { ioctl execute read open getattr execute_no_trans };
> }
>
> #============= snmpd_t ==============
>
> Is there a better or more secure way of doing this?
>
> Fred New
> Systems administrator
> Elion Ettevőtted AS
> Tallinn, Estonia
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Frederick William New 12-20-2011 02:49 PM

Custom SNMP scripts
 
On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
>
> On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> > Hi,
> >
> > Is there recommended way of setting up custom SNMP (net-snmp) scripts
> > used for monitoring the status of software or hardware RAID, Web site
> > hits, etc.? I created a special directory for them -
> > /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to
> > do. My snmpScripts.te on a server with software RAID looks like this:
>
> I would probably label /usr/local/snmp/bin/ and anything below type
> bin_t. This will atleast stop snmpd_t from executing generic usr files.
>
> Example;
>
> semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
> restorecon -R -v /usr/local/snmp/bin
>
> Besides that i guess you would need to allow snmpd_t to
> read /proc/mdstat files but you can use audit2allow for that as you did
> below.
>
Thanks, I like it. My snmpScripts.te looks simpler now:

module snmpScripts 1.0;

require {
type snmpd_t;
type proc_mdstat_t;
class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };

I notice that I failed to include all of my previous snmpScripts.te. Two allow lines at the bottom were missing - one for usr_t as you mentioned above and the one shown here for proc_mdstat_t.

Fred
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 06:21 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.