Added SELinux module draft #1452
Conversation
Added SELinux module draft - to use the plugin in Enforcing mode
Fixed markup
Current coverage is 89.36%
@@ master #1452 diff @@
==========================================
Files 68 68
Lines 7217 7217
Methods 0 0
Messages 0 0
Branches 997 997
==========================================
Hits 6449 6449
Misses 601 601
Partials 167 167
|
| } | ||
|
|
||
| #============= nrpe_t ============== | ||
| allow nrpe_t admin_home_t:file execute; |
There was a problem hiding this comment.
admin_home_t is the label for /root , does it really require access to /root ? isn't this because the script was copied to /root where it should really not be there?
There was a problem hiding this comment.
You're right. I missed restoring the SELinux file context after moving the script to the Nagios plugins directory.. 😞
Removing the admin_home_t lines and restoring the context did the trick - now, the TE looks like this:
module nrpe_fail2ban 1.0;
require {
type nrpe_t;
class unix_dgram_socket sendto;
class file execute;
class file getattr;
class file { read getattr open };
class file execute_no_trans;
type fail2ban_client_exec_t;
class file { ioctl getattr };
class file { read open };
class file execute_no_trans;
type fail2ban_var_run_t;
class sock_file write;
class file ioctl;
type fail2ban_t;
class unix_stream_socket connectto;
}
#============= nrpe_t ==============
allow nrpe_t self:unix_dgram_socket sendto;
allow nrpe_t fail2ban_client_exec_t:file getattr;
allow nrpe_t fail2ban_client_exec_t:file execute;
allow nrpe_t fail2ban_client_exec_t:file { read open };
allow nrpe_t fail2ban_client_exec_t:file execute_no_trans;
allow nrpe_t fail2ban_client_exec_t:file ioctl;
allow nrpe_t fail2ban_var_run_t:sock_file write;
allow nrpe_t fail2ban_t:unix_stream_socket connectto;
There was a problem hiding this comment.
I still think your policy could just be:
module nrpe_fail2ban 1.0;
fail2ban_run_client(nrpe_t)
and should be added to upstream tresys/repolicy-contrib/fail2ban.te
|
maybe the finaly fix could even be added to upstream (https://github.com/TresysTechnology/refpolicy-contrib/blob/master/fail2ban.te) directly |
fe8a9d2
to
9d77fb2
Compare
Hey folks,
great that you're offering a Nagios / Icinga plugin for fail2ban.
On CentOS I had some problems getting this plugin running in combination with SELinux in Enforcing mode. There was no pre-existing SELinux module for the check_fail2ban utility - so I created one. Works like a charm in my lab.
Maybe this can help somebody out there - took some time for troubleshooting and fixing.