[SOLVED] SElinux and munin
Re: SElinux and munin [SOLVED]
Done. Thanks for reporting back.
Re: SElinux and munin [SOLVED]
Like the OP, I had trouble with several munin plugins (one from the lamented "munin exchange" and the others from the EPEL package) after updating to CentOS 6.2 a month ago.
I wanted to post my solution but didn't get around to it until now. Apologies to anyone who might have benefitted from the information if I had posted it earlier but here's for posterity:
[code]module munin_fix 1.0;
require {
type cyrus_var_lib_t;
type munin_disk_plugin_t;
type samba_var_t;
type admin_home_t;
type munin_t;
type munin_services_plugin_t;
type smbd_t;
type var_lib_t;
class process { siginh noatsecure signull rlimitinh };
class capability { dac_read_search dac_override };
class file { read getattr open };
class dir { getattr read open search };
}
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t var_lib_t:dir search;
#============= munin_services_plugin_t ==============
allow munin_services_plugin_t admin_home_t:dir getattr;
allow munin_services_plugin_t cyrus_var_lib_t:dir { read search open getattr };
allow munin_services_plugin_t samba_var_t:dir { getattr search };
allow munin_services_plugin_t samba_var_t:file { read getattr open };
allow munin_services_plugin_t self:capability { dac_read_search dac_override };
allow munin_services_plugin_t smbd_t:process signull;
#============= munin_t ==============
allow munin_t munin_disk_plugin_t:process { siginh rlimitinh noatsecure };
allow munin_t munin_services_plugin_t:process { siginh rlimitinh noatsecure };[/code]
I'm not sure all these are needed. I'm unsure about the dac_* stuff in particular. Getting this list was tedious enough and I didn't bother to try trimming it.
I had to use semodule -DB to get at some of the audit messages I used.
Questions and suggestions are of course welcome.
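The procedure this post describes (disable the dontaudit rules with semodule -DB, collect the AVC denials, turn them into a policy module) as an added, self-contained example; this is not code from the post or from the munin or CentOS projects. The audit lines in SAMPLE_AVC are constructed for the demo and only borrow the type names that appear in the post, the module name munin_fix is reused from the post, avc_to_te reproduces on a small scale what audit2allow -M does, and build_and_load lists the on-box commands, which are not executed here.

```shell
#!/bin/sh
# Added example, not from the forum post: rebuild the post's workflow offline.
# avc_to_te turns raw AVC denials into a complete TE module (what audit2allow
# -M produces); build_and_load shows the surrounding commands on a real host.

# Constructed audit.log excerpt (sample data, not a real capture). The parts
# that matter: the "denied { perm }" set, the type field (third colon-separated
# field) of scontext and tcontext, and tclass.
SAMPLE_AVC='type=AVC msg=audit(1325376000.123:4567): avc:  denied  { search } for  pid=1234 comm="df" name="lib" dev=dm-0 ino=12 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1325376000.124:4568): avc:  denied  { getattr } for  pid=1235 comm="smbstatus" path="/var/lib/samba" dev=dm-0 ino=13 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir
type=AVC msg=audit(1325376000.125:4569): avc:  denied  { read open } for  pid=1235 comm="smbstatus" path="/var/lib/samba/connections.tdb" dev=dm-0 ino=14 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1325376000.126:4570): avc:  denied  { read } for  pid=1235 comm="smbstatus" path="/var/lib/samba/connections.tdb" dev=dm-0 ino=14 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1325376000.127:4571): avc:  denied  { dac_override } for  pid=1235 comm="smbstatus" capability=1 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:system_r:munin_services_plugin_t:s0 tclass=capability'

# avc_to_te MODULE_NAME: read AVC lines on stdin, print a TE module with the
# require block and one allow rule per (source type, target type, class).
# Permissions for the same triple are merged, duplicates dropped, and a
# target equal to the source becomes "self", as in the post's module.
avc_to_te() {
  awk -v name="$1" '
    function addperm(set, key, p) {
      if (index(" " set[key] " ", " " p " ") == 0)
        set[key] = (set[key] == "" ? p : set[key] " " p)
    }
    BEGIN { split("", rules); split("", classperms) }
    /avc:[ ]+denied/ {
      permstr = $0
      sub(/.*denied[ ]+[{] */, "", permstr); sub(/ *[}].*/, "", permstr)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed line, skip it
      if (!(src in types)) { types[src] = 1; torder[++nt] = src }
      if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
      if (!(cls in classes)) { classes[cls] = 1; corder[++nc] = cls }
      if (src == tgt) tgt = "self"
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in rules)) { rules[key] = ""; rorder[++nr] = key }
      np = split(permstr, pl, " ")
      for (j = 1; j <= np; j++) { addperm(rules, key, pl[j]); addperm(classperms, cls, pl[j]) }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", corder[i], classperms[corder[i]]
      printf "}\n\n"
      for (i = 1; i <= nr; i++) {
        split(rorder[i], k, SUBSEP)
        printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rules[rorder[i]]
      }
    }'
}

# build_and_load MODULE_NAME: the on-box steps around avc_to_te. Not run in
# this demo; needs root plus policycoreutils and checkpolicy on the host.
build_and_load() {
  semodule -DB                  # disable dontaudit rules so silenced denials get logged
  # exercise the plugins here, e.g. munin-run <plugin>, then collect munin denials:
  grep 'avc: *denied' /var/log/audit/audit.log | grep 'munin_' | avc_to_te "$1" > "$1.te"
  checkmodule -M -m -o "$1.mod" "$1.te"
  semodule_package -o "$1.pp" -m "$1.mod"
  semodule -i "$1.pp"
  semodule -B                   # put the dontaudit rules back
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | avc_to_te munin_fix
```

On the dac_* question raised above: CAP_DAC_OVERRIDE lets a process ignore file read, write and execute permission bits, and CAP_DAC_READ_SEARCH ignores only read and directory-search bits. An AVC for either usually means a root-run plugin touched a file whose ownership or mode did not grant it access, so fixing the file's ownership or mode removes the denial without granting the plugin domain a capability that applies to every file it touches; the capability rules are the first ones worth trimming from a generated module. Also remember that semodule -DB leaves dontaudit disabled until semodule -B is run again, which makes audit.log much noisier than usual.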