Had a problem with Nagios/NRPE checks that are configured to write a status file as part of their check. The target path was /var/logstate, so I created the policy below. Andrew's (The Urban Penguin) YouTube video is an excellent resource.
Install selinux utilities:
yum install policycoreutils policycoreutils-devel setools-console setroubleshoot
The audit log (/var/log/audit/audit.log) was showing the type=AVC errors such as:
type=AVC msg=audit(1574345305.973:9261953): avc: denied { search } for pid=27339 comm="check_log2.pl" name="someuser" dev=sda9 ino=50855937 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
From that I took the ‘nrpe_t’ type from the source context ‘scontext=unconfined_u:system_r:nrpe_t:s0’ for use in an SELinux policy. The logs can also be fed into audit2allow to help with writing the module:
ausearch -m AVC -ts recent | audit2allow
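To show what audit2allow is doing with those lines, here is a minimal AVC parser, added as an example and not part of the original post: it pulls scontext, tcontext, tclass and the denied permissions out of an audit.log line and emits the matching ‘allow’ rule. The first sample line is the denial quoted above; the second is constructed to mirror the nagios_log_t file rule in the policy further down.

```shell
#!/bin/sh
# Minimal AVC-denial parser (added example). It handles one denial per line and
# emits one allow rule per line; audit2allow additionally merges rules with the
# same source/target/class, which is left out here.

# Denial quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1574345305.973:9261953): avc: denied { search } for pid=27339 comm="check_log2.pl" name="someuser" dev=sda9 ino=50855937 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# Constructed sample: the denial you would expect before the nagios_log_t file rule exists.
SAMPLE_AVC2='type=AVC msg=audit(1574345400.000:9261999): avc: denied { read write } for pid=27340 comm="check_log2.pl" name="state.dat" dev=sda9 ino=50855999 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file'

# avc_field LINE KEY -> value of the KEY=value token (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT -> the type, i.e. the third field of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside "denied { ... }", single-spaced
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# avc_to_allow LINE -> "allow <source type> <target type>:<class> { <perms> };"
avc_to_allow() {
    line=$1
    stype=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_rules_from_log: read audit lines on stdin, print a rule for each AVC denial
avc_rules_from_log() {
    while IFS= read -r l; do
        case $l in
            *type=AVC*) avc_to_allow "$l" ;;
        esac
    done | sort -u
}

# Demo: the two samples give the source type (nrpe_t) the post picks out, and the
# rules audit2allow would propose for them.
printf '%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" | avc_rules_from_log
```

On a real box the input would be ‘ausearch -m AVC -ts recent’ piped into avc_rules_from_log. Note that the first rule it produces would grant nrpe_t a search on user home directories; as with audit2allow output, read each proposed rule and decide whether the access is actually wanted rather than loading them wholesale.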
I named the SELinux module ‘nrpe_logstate’, so, in a clean directory, create the file nrpe_logstate.te:
policy_module(nrpe_logstate, 1.0)

require {
    type nrpe_t;
    type nagios_log_t;
    type user_home_dir_t;
    type unconfined_t;
    type setroubleshootd_t;
    type fs_t;    # used by the explicit filesystem associate rule below
    class dir search;
}

type nrpe_logstate_t;
fs_associate(nrpe_logstate_t);

allow setroubleshootd_t nrpe_logstate_t:{ dir file } getattr;
allow unconfined_t nrpe_t:dir { search add_name create open read relabelfrom remove_name rmdir setattr write relabelto getattr };
allow unconfined_t nrpe_t:file { ioctl read append create open setattr unlink write relabelto getattr };
allow unconfined_t self:dir relabelto;
allow nrpe_t fs_t:filesystem associate;
allow nrpe_t nagios_log_t:file { read write };
There is a lot going on there, but the key lines are the ‘dir’ and ‘file’ rules: they allow the ‘nrpe_t’ domain to open, read, write etc. files carrying the ‘nagios_log_t’ type once that context is set on the directory.
Create a link in the same directory as the .te file to the Makefile:
ln -s /usr/share/selinux/devel/Makefile .
Then run make:
make
The .pp file should be generated and can be imported with:
semodule -i nrpe_logstate.pp
To remove the policy module (if you need to re-make it) you can use:
semodule -r nrpe_logstate
And set one of the types from the policy on the directory that needs those permissions:
chcon -R -t nagios_log_t /var/logstate/
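One caveat worth adding to that last step: chcon only changes the label currently on the inodes, so a later restorecon or a full relabel will put the directory back to whatever the file-context database says, and the denials return. The helper below (an added example, not from the original post; it uses the /var/logstate path and nagios_log_t type from the post) records the mapping with semanage fcontext first and then applies it, and gives a non-destructive way to confirm the label is in place.

```shell
#!/bin/sh
# Added example: make the /var/logstate label persistent across relabels.
# Needs root and the package that provides 'semanage' (policycoreutils-python-utils
# on RHEL/CentOS 7 and later; policycoreutils-python on older releases).

# fcontext_regex DIR -> the file-context regex that covers DIR and everything below it
fcontext_regex() {
    dir=${1%/}                        # drop a trailing slash: /var/logstate/ -> /var/logstate
    printf '%s(/.*)?\n' "$dir"
}

# label_persistently TYPE DIR -> record DIR -> TYPE in the fcontext database, then apply it
label_persistently() {
    setype=$1; dir=$2
    regex=$(fcontext_regex "$dir")
    # -a fails if a mapping for this regex already exists; fall back to modifying it
    semanage fcontext -a -t "$setype" "$regex" 2>/dev/null \
        || semanage fcontext -m -t "$setype" "$regex"
    restorecon -Rv "$dir"
}

# check_label TYPE DIR -> 0 when the database maps DIR to TYPE and nothing under DIR
# would be relabelled; restorecon -n only reports, it changes nothing.
check_label() {
    setype=$1; dir=$2
    if [ -n "$(restorecon -Rnv "$dir")" ]; then
        echo "on-disk labels under $dir differ from the fcontext database" >&2
        return 1
    fi
    matchpathcon -n "$dir" | grep -q ":$setype:"
}

# Usage, after 'semodule -i nrpe_logstate.pp':
#   label_persistently nagios_log_t /var/logstate
#   check_label nagios_log_t /var/logstate && echo "label persisted"
```

With the mapping recorded, ‘restorecon -Rv /var/logstate’ re-applies the correct type at any time, which is also the quickest check after an OS update or a relabel that the policy is still being enforced against the intended files.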