[SOLVED] SElinux and munin

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: SElinux and munin [SOLVED]

Post by pschaff » 2012/01/29 15:13:37

Done. Thanks for reporting back.

h_fat
Posts: 48
Joined: 2007/04/13 17:23:48

Re: SElinux and munin [SOLVED]

Post by h_fat » 2012/02/03 17:24:39

Like the OP, I had trouble with several munin plugins (one from the lamented "munin exchange" and the others from the EPEL package) after updating to CentOS 6.2 a month ago.
I wanted to post my solution but didn't get around to it until now. Apologies to anyone who might have benefitted from the information if I had posted it earlier but here's for posterity:

[code]module munin_fix 1.0;

require {
type cyrus_var_lib_t;
type munin_disk_plugin_t;
type samba_var_t;
type admin_home_t;
type munin_t;
type munin_services_plugin_t;
type smbd_t;
type var_lib_t;
class process { siginh noatsecure signull rlimitinh };
class capability { dac_read_search dac_override };
class file { read getattr open };
class dir { getattr read open search };
}

#============= munin_disk_plugin_t ==============

allow munin_disk_plugin_t var_lib_t:dir search;

#============= munin_services_plugin_t ==============

allow munin_services_plugin_t admin_home_t:dir getattr;

allow munin_services_plugin_t cyrus_var_lib_t:dir { read search open getattr };

allow munin_services_plugin_t samba_var_t:dir { getattr search };

allow munin_services_plugin_t samba_var_t:file { read getattr open };

allow munin_services_plugin_t self:capability { dac_read_search dac_override };

allow munin_services_plugin_t smbd_t:process signull;

#============= munin_t ==============

allow munin_t munin_disk_plugin_t:process { siginh rlimitinh noatsecure };

allow munin_t munin_services_plugin_t:process { siginh rlimitinh noatsecure };[/code]

I'm not sure all these are needed. I'm unsure about the dac_* stuff in particular. Getting this list was tedious enough and I didn't bother to try trimming it.
I had to use semodule -DB to get at some of the audit messages I used.
Questions and suggestions are of course welcome.
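The module above is what audit2allow produces when it is handed the AVC denials from /var/log/audit/audit.log (typically `audit2allow -M munin_fix < denials.txt` followed by `semodule -i munin_fix.pp`; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the otherwise silent denials show up, and `semodule -B` restores them afterwards). As an added example that is not part of the thread or of any munin or SELinux tooling, the script below reproduces the grouping step: it parses AVC records, merges permissions per (source type, target type, class), renders a .te module in the same layout, and separately lists the rules that grant capabilities or process permissions, which is the part of such a module (the dac_* grants the post is unsure about) worth reviewing before loading it. The sample denial lines are constructed for the example; the type names match the posted module.

```python
"""Group SELinux AVC denials into allow rules and render a TE module.

Added example, not code from the forum thread. It mimics the grouping that
audit2allow performs and flags the broader grants (capability, process)
so a reviewer can decide whether each one really belongs in the module.
"""
import re
from collections import defaultdict

# Constructed sample denials in the shape auditd records them.
SAMPLE_AVC = """\
type=AVC msg=audit(1327849200.123:42): avc:  denied  { search } for  pid=1234 comm="df" name="lib" dev=dm-0 ino=131 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327849201.456:43): avc:  denied  { read } for  pid=1235 comm="smbstatus" name="locks" dev=dm-0 ino=132 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1327849201.789:44): avc:  denied  { getattr open } for  pid=1235 comm="smbstatus" name="locks" dev=dm-0 ino=132 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1327849202.000:45): avc:  denied  { dac_override } for  pid=1235 comm="smbstatus" capability=1 scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:system_r:munin_services_plugin_t:s0 tclass=capability
"""

# Pulls the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH lines etc.)
        key = (_type_of(m.group("sctx")), _type_of(m.group("tctx")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def render_module(rules, name="munin_fix", version="1.0"):
    """Emit TE source in the layout audit2allow uses: require block, then allow rules."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    for tclass in sorted(classes):
        lines.append("\tclass %s { %s };" % (tclass, " ".join(sorted(classes[tclass]))))
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt   # self:capability, as in the posted module
        perm = " ".join(sorted(perms))
        if len(perms) > 1:
            perm = "{ " + perm + " }"
        lines.append("allow %s %s:%s %s;" % (src, target, tclass, perm))
    return "\n".join(lines) + "\n"


def risky_rules(rules):
    """Rules granting capabilities or process permissions: broader than file/dir access, review first."""
    return sorted(k for k in rules if k[2] in ("capability", "process"))


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AVC)
    print(render_module(parsed))
    for src, tgt, tclass in risky_rules(parsed):
        print("review: %s -> %s:%s %s" % (src, tgt, tclass, " ".join(sorted(parsed[(src, tgt, tclass)]))))
```

Running the script prints a .te module with one rule per (source, target, class) and a "review:" line for the capability grant; on a real host the same input would be `grep avc: /var/log/audit/audit.log`, collected after `semodule -DB` if the denial is covered by a dontaudit rule. The rendered text is only a starting point: each capability or process rule should be checked against what the plugin actually needs before the module is compiled and loaded.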
