Added SELinux module draft #1452
base: master
Conversation
Added SELinux module draft - to use the plugin in Enforcing mode
Fixed markup
Current coverage is 89.36% (unchanged by this PR)

| | master | #1452 | diff |
|---|---|---|---|
| Files | 68 | 68 | |
| Lines | 7217 | 7217 | |
| Methods | 0 | 0 | |
| Messages | 0 | 0 | |
| Branches | 997 | 997 | |
| Hits | 6449 | 6449 | |
| Misses | 601 | 601 | |
| Partials | 167 | 167 | |
}
#============= nrpe_t ============== | ||
allow nrpe_t admin_home_t:file execute; |
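Review bot: `allow nrpe_t admin_home_t:file execute;` grants the NRPE domain execute on every file labeled admin_home_t, which is the label for /root, so a plugin that needs this rule is almost certainly sitting in the wrong directory with the wrong label. Install check_fail2ban into the Nagios plugins directory, run restorecon on it so it picks up the normal plugin label, and drop this rule instead of widening nrpe_t.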
admin_home_t is the label for /root; does it really require access to /root? Isn't this because the script was copied to /root, where it really should not be?
You're right. I missed restoring the SELinux file context after moving the script to the Nagios plugins directory. 😞
Removing the admin_home_t lines and restoring the context did the trick. Now the TE looks like this (the duplicate `class` entries from the audit2allow output are merged into one `require` block, same rules):

```
module nrpe_fail2ban 1.0;

require {
	type nrpe_t;
	type fail2ban_t;
	type fail2ban_client_exec_t;
	type fail2ban_var_run_t;
	class file { execute execute_no_trans getattr ioctl open read };
	class sock_file write;
	class unix_dgram_socket sendto;
	class unix_stream_socket connectto;
}

#============= nrpe_t ==============
# nrpe_t runs check_fail2ban, which calls fail2ban-client
allow nrpe_t self:unix_dgram_socket sendto;
# run fail2ban-client inside nrpe_t (execute_no_trans: no domain transition)
allow nrpe_t fail2ban_client_exec_t:file { execute execute_no_trans getattr ioctl open read };
# talk to the fail2ban server over its socket under /var/run/fail2ban
allow nrpe_t fail2ban_var_run_t:sock_file write;
allow nrpe_t fail2ban_t:unix_stream_socket connectto;
```
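The two comments above draw a distinction worth automating: an AVC denial against fail2ban_client_exec_t or fail2ban_var_run_t calls for an allow rule, while a denial against admin_home_t calls for moving and relabeling the file. The following is an added example written for this thread; it is not fail2ban's code and not audit2allow. It parses constructed AVC records of the kind that produced the policy above, merges them into a single `require` block the way the hand-cleaned TE does, and refuses to turn a denial against a "wrong place" type into a rule. The audit lines, the `MISLABEL_HINTS` table and all function names are assumptions made for the example.

```python
"""Turn AVC denials into a .te draft, but flag denials that mean 'relabel the file'.

Added example for this thread; not fail2ban code and not audit2allow.
The audit records below are constructed to resemble the ones behind the
nrpe_fail2ban policy and were not taken from a real system.
"""
import re
from collections import defaultdict

# The parts of an AVC record that policy generation needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Target types that usually mean the file is in the wrong place rather than
# that the domain needs more access. Assumed list for this example.
MISLABEL_HINTS = {
    "admin_home_t": "/root; move the file to its proper directory and run restorecon",
    "user_home_t": "a user's home directory",
    "tmp_t": "/tmp",
}

# Constructed sample input: what audit.log might hold after running
# check_fail2ban under nrpe_t with the plugin copied to /root.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1462800000.101:201): avc:  denied  { execute } for  pid=2001 comm="nrpe" name="check_fail2ban" dev="dm-0" ino=1001 scontext=system_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1462800000.102:202): avc:  denied  { sendto } for  pid=2002 comm="check_fail2ban" path="/dev/log" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1462800000.103:203): avc:  denied  { execute getattr } for  pid=2002 comm="check_fail2ban" path="/usr/bin/fail2ban-client" dev="dm-0" ino=1002 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1462800000.104:204): avc:  denied  { read open execute_no_trans } for  pid=2002 comm="check_fail2ban" path="/usr/bin/fail2ban-client" dev="dm-0" ino=1002 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1462800000.105:205): avc:  denied  { write } for  pid=2003 comm="fail2ban-client" name="fail2ban.sock" dev="tmpfs" ino=1003 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1462800000.106:206): avc:  denied  { connectto } for  pid=2003 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket permissive=0',
    'Jun  5 10:00:00 host kernel: unrelated line that must be ignored',
]


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc(lines):
    """Return {(source_type, target_type, tclass): {perm, ...}} from raw audit lines."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def split_denials(denials):
    """Separate denials that deserve an allow rule from ones that point at a mislabeled file."""
    allow, suspicious = {}, {}
    for key, perms in denials.items():
        (suspicious if key[1] in MISLABEL_HINTS else allow)[key] = perms
    return allow, suspicious


def render_te(module, version, denials):
    """Render a .te with one merged require block, like a hand-cleaned audit2allow output."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # audit2allow convention
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def mislabel_report(suspicious):
    """Human-readable hints for denials that should be fixed by relabeling, not by policy."""
    return [
        f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}: target lives in {MISLABEL_HINTS[tgt]}"
        for (src, tgt, cls), perms in sorted(suspicious.items())
    ]


if __name__ == "__main__":
    allow, suspicious = split_denials(parse_avc(SAMPLE_AUDIT_LINES))
    for line in mislabel_report(suspicious):
        print("NOT added to policy:", line)
    print(render_te("nrpe_fail2ban", "1.0", allow))
```

Run against the constructed records, the admin_home_t denial ends up in the report instead of the policy, and the remaining four denials render to the same four allow rules as the TE above. The generated file is still only a draft: build it with checkmodule/semodule_package and review it before `semodule -i`, exactly as you would an audit2allow result.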
I still think your policy could just be:

```
module nrpe_fail2ban 1.0;
fail2ban_run_client(nrpe_t)
```

and should be added to upstream tresys/refpolicy-contrib/fail2ban.te. Maybe the final fix could even be added to upstream (https://github.com/TresysTechnology/refpolicy-contrib/blob/master/fail2ban.te) directly.
Hey folks,
great that you're offering a Nagios / Icinga plugin for fail2ban.
On CentOS I had some problems getting this plugin running in combination with SELinux in Enforcing mode. There was no pre-existing SELinux module for the check_fail2ban utility, so I created one. Works like a charm in my lab.
Maybe this can help somebody out there; it took some time for troubleshooting and fixing.