12-20-2011, 07:57 AM
Frederick William New

Custom SNMP scripts

Hi,

Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:


module snmpScripts 1.0;

require {
type snmpd_t;
type proc_mdstat_t;
type usr_t;
class file { ioctl execute read open getattr execute_no_trans };
}

#============= snmpd_t ==============

Is there a better or more secure way of doing this?

Fred New
Systems administrator
Elion Ettevőtted AS
Tallinn, Estonia

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
12-20-2011, 08:59 AM
Dominick Grift

Custom SNMP scripts

On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
>
> Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:

I would probably label /usr/local/snmp/bin/ and anything below type
bin_t. This will at least stop snmpd_t from executing generic usr files.

Example:

semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin

Besides that I guess you would need to allow snmpd_t to
read /proc/mdstat files but you can use audit2allow for that as you did
below.

>
> module snmpScripts 1.0;
>
> require {
> type snmpd_t;
> type proc_mdstat_t;
> type usr_t;
> class file { ioctl execute read open getattr execute_no_trans };
> }
>
> #============= snmpd_t ==============
>
> Is there a better or more secure way of doing this?
>
> Fred New
> Systems administrator
> Elion Ettevőtted AS
> Tallinn, Estonia
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


 
12-20-2011, 02:49 PM
Frederick William New

Custom SNMP scripts

On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
>
> On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> > Hi,
> >
> > Is there a recommended way of setting up custom SNMP (net-snmp) scripts
> > used for monitoring the status of software or hardware RAID, Web site
> > hits, etc.? I created a special directory for them -
> > /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to
> > do. My snmpScripts.te on a server with software RAID looks like this:
>
> I would probably label /usr/local/snmp/bin/ and anything below type
> bin_t. This will at least stop snmpd_t from executing generic usr files.
>
> Example:
>
> semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
> restorecon -R -v /usr/local/snmp/bin
>
> Besides that I guess you would need to allow snmpd_t to
> read /proc/mdstat files but you can use audit2allow for that as you did
> below.
>
Thanks, I like it. My snmpScripts.te looks simpler now:

module snmpScripts 1.0;

require {
type snmpd_t;
type proc_mdstat_t;
class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };

I notice that I failed to include all of my previous snmpScripts.te. Two allow lines at the bottom were missing - one for usr_t as you mentioned above and the one shown here for proc_mdstat_t.

Fred
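The following script is an added example, not code posted by Fred or Dominick, that puts the two pieces of the thread together end to end: relabel the script directory bin_t with semanage/restorecon as Dominick suggests, build and load the minimal snmpScripts module from Fred's final post with checkmodule, semodule_package and semodule, and verify the result with matchpathcon and sesearch. It adds one check the thread only implies: before loading, it refuses any module that still carries the broad usr_t execute rule audit2allow proposes before the relabel, so the policy stays limited to reading /proc/mdstat. Assumptions: the script directory is /usr/local/snmp/bin as in the thread, and the SELinux userland tools are installed on the host where the apply step runs; the string and text-inspection helpers run anywhere.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes /usr/local/snmp/bin holds the
# custom net-snmp scripts and that semanage, restorecon, checkmodule,
# semodule_package, semodule, matchpathcon and sesearch (setools) exist on the
# target host. Helpers that only build or inspect text run on any host.

SNMP_SCRIPT_DIR=/usr/local/snmp/bin

# fcontext regex covering the directory and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?' "$1"
}

# The minimal policy module from the thread's final post: snmpd_t may only
# read /proc/mdstat; execution of the scripts is covered by the bin_t label.
gen_snmp_te() {
    cat <<'EOF'
module snmpScripts 1.0;

require {
    type snmpd_t;
    type proc_mdstat_t;
    class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
EOF
}

# Review check on a .te read from stdin: exit 0 if it contains an allow rule
# giving snmpd_t execute or execute_no_trans on generic usr_t files (the rule
# audit2allow emits before the bin_t relabel), exit 1 if it is clean.
te_allows_usr_exec() {
    grep -Eq '^[[:space:]]*allow[[:space:]]+snmpd_t[[:space:]]+usr_t:file[[:space:]]*\{[^}]*execute'
}

# Label the directory, build and load the module, then verify.
apply_snmp_policy() {
    dir=${1:-$SNMP_SCRIPT_DIR}
    for tool in semanage restorecon checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    tmp=$(mktemp -d) || return 1
    gen_snmp_te > "$tmp/snmpScripts.te"
    if te_allows_usr_exec < "$tmp/snmpScripts.te"; then
        echo "refusing to load: module grants snmpd_t execute on usr_t" >&2
        rm -rf "$tmp"
        return 1
    fi
    pattern=$(fcontext_pattern "$dir")
    # -a fails if a rule for this pattern already exists; fall back to -m.
    semanage fcontext -a -t bin_t "$pattern" 2>/dev/null \
        || semanage fcontext -m -t bin_t "$pattern"
    restorecon -R -v "$dir"
    checkmodule -M -m -o "$tmp/snmpScripts.mod" "$tmp/snmpScripts.te"
    semodule_package -o "$tmp/snmpScripts.pp" -m "$tmp/snmpScripts.mod"
    semodule -i "$tmp/snmpScripts.pp"
    # Verification: the directory now resolves to bin_t, and sesearch should
    # print no rule letting snmpd_t execute usr_t files.
    matchpathcon "$dir"
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s snmpd_t -t usr_t -c file -p execute
    fi
    rm -rf "$tmp"
}

# Usage: sh snmp_policy.sh apply [/path/to/scripts]
case "${1:-}" in
    apply) apply_snmp_policy "$2" ;;
esac
```

Run it as root with `sh snmp_policy.sh apply`; the pre-load check matters most when the .te comes straight from audit2allow on a box where the scripts were still usr_t, since that output will contain the execute rule and should be rejected rather than loaded.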
 