patrickpr / trapdirector

Icingaweb2 module for receiving and handling snmp traps
GNU General Public License v3.0

SELinux support #37

Closed robdevops closed 4 years ago

robdevops commented 4 years ago

This PR allows trapdirector to run under SELinux. SELinux support is important, especially as the Icinga project takes care to ship with SELinux policies (see here).

```php
<?php
// Detect the SELinux mode: getenforce prints Enforcing, Permissive or Disabled.
$selinux_state = '';
if (is_executable('/usr/sbin/getenforce')) {
    // exec() returns the last line of output, or false if the command fails.
    $selinux_state = exec('/usr/sbin/getenforce 2>/dev/null');
}

// Only take the SELinux-sensitive path when the system is not enforcing.
if ($selinux_state !== 'Enforcing') {
    // do stuff
}
```
```
module trapdirector 1.0;

require {
        class file { getattr open read execute map };
        class process execmem;
        class tcp_socket name_connect;
        type httpd_sys_rw_content_t;
        type hugetlbfs_t;
        type mysqld_port_t;
        type snmpd_t;
}

#============= snmpd_t ==============
allow snmpd_t httpd_sys_rw_content_t:file { getattr map read open };
allow snmpd_t hugetlbfs_t:file { execute read map };
allow snmpd_t mysqld_port_t:tcp_socket name_connect;
allow snmpd_t self:process execmem;
```

It can be compiled and installed like this:

```sh
checkmodule -M -m -o trapdirector.mod trapdirector.te
semodule_package -o trapdirector.pp -m trapdirector.mod
semodule -i trapdirector.pp
```

Confirm it is installed with `semodule -l`. Uninstall with `semodule -r trapdirector`.

patrickpr commented 4 years ago

Hi,

Again, thanks for your work, I like the idea. I will review this during the week end.

robdevops commented 4 years ago

I've had to rework this, since discovering checkmodule and semodule_package are not available in a minimal CentOS install.

Option 1: Ship the binary and just do the `semodule -i` part. For transparency, the binary can be audited like this:

```sh
semodule_unpackage trapdirector.pp temp.mod
sedismod temp.mod
```

```
Select a command:
1)  display unconditional AVTAB

[...]

Command ('m' for menu):  1

unconditional avtab:
--- begin avrule block ---
decl 1:
  allow [snmpd_t] [httpd_sys_rw_content_t] : [file] { getattr open read map };
  allow [snmpd_t] [hugetlbfs_t] : [file] { read execute map };
  allow [snmpd_t] [mysqld_port_t] : [tcp_socket] { name_connect };
  allow [snmpd_t] self : [process] { execmem };
```

Option 2: Use the new module format (.cil). This format is ASCII, but is not supported before CentOS 7.3.

Create the .cil:

```sh
checkmodule -C -m -o trapdirector.cil trapdirector.te
cat trapdirector.cil
```

```
(typeattributeset cil_gen_require httpd_sys_rw_content_t)
(typeattributeset cil_gen_require hugetlbfs_t)
(typeattributeset cil_gen_require mysqld_port_t)
(typeattributeset cil_gen_require snmpd_t)
(allow snmpd_t httpd_sys_rw_content_t (file (getattr open read map)))
(allow snmpd_t hugetlbfs_t (file (read execute map)))
(allow snmpd_t mysqld_port_t (tcp_socket (name_connect)))
(allow snmpd_t self (process (execmem)))
```

```sh
semodule -i trapdirector.cil
```

As tempting as it is to use .cil, I think this should be reserved for 2024 when CentOS 7 is end of life. Since the .pp can be audited (as above), I have gone with Option 1 in the latest commit.
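The audit step described above (unpack the .pp, dump its unconditional AVTAB with sedismod) can be turned into a repeatable check that the shipped binary still contains exactly the reviewed rules and nothing wider. The script below is an added example, not code from this PR or from trapdirector; it assumes the sedismod output format quoted above, and `dump_avtab` additionally assumes that `semodule_unpackage` and `sedismod` are installed and that sedismod accepts the menu choice `1` followed by `q` on stdin.

```shell
#!/bin/sh
# Added example, not from the trapdirector PR: confirm that a shipped
# trapdirector.pp carries exactly the allow rules of the reviewed .te by
# normalizing a sedismod "unconditional avtab" dump. Assumes the dump format
# quoted in the PR; dump_avtab also needs semodule_unpackage and sedismod.

# Reviewed rules as "<source> <target> <class> <perms sorted, comma-joined>".
EXPECTED_RULES='snmpd_t httpd_sys_rw_content_t file getattr,map,open,read
snmpd_t hugetlbfs_t file execute,map,read
snmpd_t mysqld_port_t tcp_socket name_connect
snmpd_t self process execmem'

# Constructed sample input: the sedismod output quoted in the PR.
SAMPLE_DUMP='--- begin avrule block ---
decl 1:
  allow [snmpd_t] [httpd_sys_rw_content_t] : [file] { getattr open read map };
  allow [snmpd_t] [hugetlbfs_t] : [file] { read execute map };
  allow [snmpd_t] [mysqld_port_t] : [tcp_socket] { name_connect };
  allow [snmpd_t] self : [process] { execmem };'

# Read a sedismod dump on stdin and print each allow rule in normalized
# form; permissions are sorted so their order in the dump does not matter.
normalize_allow() {
    sed -nE 's/^ *allow [[]?([^] ]+)[]]? [[]?([^] ]+)[]]? : [[]([^]]+)[]] [{] *([^}]*[^ }]) *[}];?$/\1 \2 \3 \4/p' |
    while read -r src tgt cls perms; do
        sorted=$(printf '%s\n' $perms | sort | tr '\n' ',')
        printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "${sorted%,}"
    done
}

# Return 0 when the dump's rules equal EXPECTED_RULES, 1 on any extra,
# missing or widened rule (both sets go to stderr for review).
audit_avtab() {
    actual=$(normalize_allow | sort)
    expected=$(printf '%s\n' "$EXPECTED_RULES" | sort)
    [ "$actual" = "$expected" ] && return 0
    printf 'deviates from reviewed .te\nexpected:\n%s\nactual:\n%s\n' "$expected" "$actual" >&2
    return 1
}

# The PR's manual audit step made non-interactive: unpack, pick menu item 1, quit.
dump_avtab() {
    mod=$(mktemp) || return 2
    semodule_unpackage "$1" "$mod" || { rm -f "$mod"; return 2; }
    printf '1\nq\n' | sedismod "$mod"
    rm -f "$mod"
}
# Usage: sh audit_pp.sh trapdirector.pp (no argument checks the sample dump).
if [ $# -eq 1 ]; then dump_avtab "$1" | audit_avtab
else printf '%s\n' "$SAMPLE_DUMP" | audit_avtab; fi
```

Because the check compares whole permission sets, a rebuilt .pp that quietly gains a `write` or `name_bind` permission fails the audit even though every original rule is still present.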

patrickpr commented 4 years ago

> I could dive into more obscure distros (openSUSE, Hardened Gentoo) if you like.

No, main distros (RH/Ubuntu) are enough for validation.

I'm currently trying to extend testing with Travis CI for this.

SiliconAlley commented 4 years ago

Many thanks robdevops,

I had this on my list for a long time but wasn't able to solve it by myself. After importing your policy package on our CentOS minimal install the snmptrapd also shows green.

/Thomas

robdevops commented 4 years ago

> Many thanks robdevops,
>
> I had this on my list for a long time but wasn't able to solve it by myself. After importing your policy package on our CentOS minimal install the snmptrapd also shows green.
>
> /Thomas

You're welcome. I recommend installing setroubleshoot-server. This will put human-readable warnings and recommendations in /var/log/messages.