Sunday 5 February 2012

SELinux policy to run check_yum

The EPEL repo has lots of good (and SELinux friendly) plugins to run on remote hosts with NRPE. One that is missing is check_yum, which checks that the OS has the latest security patches.
To make that plugin work on CentOS 6, download the script from Nagios Exchange and apply the small change described in this comment.

When we try to run this script through nrpe on a SELinux-enabled host, it explodes in a million coloured pieces, because the plugin (running in the nrpe_t domain) tries to access resources the policy does not allow it to touch. The "cannot be found" message below is misleading: the file exists, but the denied access shows up as AVC denials in audit.log rather than in the plugin output. Here's what we get when we try to run it.

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
UNKNOWN: /usr/bin/yum cannot be found

To make it work, we need to create an SELinux policy module that allows the nrpe_t domain to run yum.

Copy the following in a file called ~/nagios-plugin-checkyum.te

#-- Start ~/nagios-plugin-checkyum.te --
module nagios_plugin_checkyum 1.0.3;
 
require {
        type tmp_t;
        type usr_t;
        type boot_t;
        type http_port_t;
        type nrpe_t;
        type rpm_exec_t;
        type rpm_var_lib_t;
        class tcp_socket name_connect;
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
}

#============= nrpe_t ==============
allow nrpe_t boot_t:dir { read getattr open };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };
allow nrpe_t rpm_var_lib_t:dir add_name;
allow nrpe_t rpm_var_lib_t:dir { getattr search };
allow nrpe_t rpm_var_lib_t:file create;
allow nrpe_t rpm_var_lib_t:file { read lock getattr open };
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;

#-- End of ~/nagios-plugin-checkyum.te --

Some of these rules make obvious sense, for example allowing nrpe to connect to an http port (yum fetching repository metadata) and to execute rpm. Since I'm not a SELinux expert I'm not sure that all the other permissions are right, but at least we're granting them only to the nrpe_t domain, which shouldn't open a big hole in SELinux. Be aware of what they grant, though: besides read access, nrpe_t gets write access to the RPM database directory (rpm_var_lib_t) and to tmp_t, so anything that runs inside the nrpe_t domain can create, rename and delete files in both.

Now we need to build the policy, as SELinux loads modules as compiled binary packages. To do so, run the following command in the same directory where you stored the previous file (the Makefile is provided by the selinux-policy-devel package).

make -f /usr/share/selinux/devel/Makefile

This will create a few files, but the one we're interested in is nagios-plugin-checkyum.pp, which is the compiled SELinux module. The .pp takes its name from the .te file; the module name declared inside it (nagios_plugin_checkyum) is what semodule -l lists once it is installed. To install it run

semodule -i nagios-plugin-checkyum.pp

After doing this, when we run the check, we get a response.

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
YUM OK: 0 Security Updates Available. 5 Non-Security Updates Available

It is tricky to get the right policy for this plugin: some of the denials are covered by dontaudit rules in the base policy, so they don't show up in audit.log even when running in permissive mode. To see them, disable the dontaudit rules with semodule -DB, run the check and capture all the denials, then rebuild the policy with the dontaudit rules restored using semodule -B.
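The mapping from a captured denial to an allow rule, as an added example that is not part of the original post. On a real host you would normally pipe the denials into audit2allow -M instead; the script below does the same transformation by hand so the mapping stays visible: avc_to_te turns AVC records into a .te module in the same shape as the one above (module line, require block, allow rules, with permissions merged per source type, target type and class), collect_denials wraps the semodule -DB / run / capture / semodule -B cycle, and build_and_install is the make plus semodule -i step. The sample log is constructed for the example: its first two records are the ones quoted in the comments on this post, the rest are made up to mirror rules in the policy above. The module name, the filtering of ausearch output on nrpe_t and the plugin path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): derive a .te module from AVC
# denials the way audit2allow does, plus the capture/build cycle around it.

# avc_to_te MODULE_NAME: read audit records on stdin, write a .te module on stdout.
# Only "avc: denied" records are used; SYSCALL and other record types are ignored.
# The source type is the third field of scontext, the target type that of tcontext.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        perms = $0
        sub(/.*avc: +denied +[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)                  # ... up to the closing brace
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        # remember first-seen order so the output is stable
        if (!(s in types)) { types[s] = 1; torder[++nt] = s }
        if (!(t in types)) { types[t] = 1; torder[++nt] = t }
        if (!(c in classes)) { classes[c] = ""; corder[++nc] = c }
        key = s SUBSEP t SUBSEP c
        if (!(key in rules)) { rules[key] = ""; korder[++nk] = key }
        n = split(perms, p, / +/)
        for (j = 1; j <= n; j++) {
            if (p[j] == "") continue
            # merge permissions for the same (source, target, class) into one rule
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
            # and collect every permission used per class for the require block
            if (!((c, p[j]) in cseen)) { cseen[c, p[j]] = 1; classes[c] = classes[c] " " p[j] }
        }
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= nt; i++) print "\ttype " torder[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " corder[i] " {" classes[corder[i]] " };"
        print "}"
        print ""
        for (i = 1; i <= nk; i++) {
            split(korder[i], f, SUBSEP)
            print "allow " f[1] " " f[2] ":" f[3] " {" rules[korder[i]] " };"
        }
    }'
}

# collect_denials MODULE_NAME COMMAND...: run as root on the NRPE host. dontaudit
# rules are disabled while COMMAND runs so the hidden denials are logged too, then
# restored with semodule -B. Writes MODULE_NAME.te for review; it installs nothing.
collect_denials() {
    mod="$1"; shift
    semodule -DB                    # rebuild policy with dontaudit rules disabled
    "$@" || true                    # run the check once; it is expected to fail
    # denials from the last 10 minutes, limited to the nrpe_t domain (assumed filter)
    ausearch -m avc -ts recent | grep 'scontext=[^ ]*:nrpe_t:' | avc_to_te "$mod" > "$mod.te"
    semodule -B                     # put the dontaudit rules back
}

# build_and_install MODULE_NAME: the make + semodule -i step from the post.
build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp"
    semodule -i "$1.pp"
}

# Constructed sample for a dry run. The first two records are the ones quoted in
# the comments on this post; the remaining three are made up to mirror rules in
# the policy above (rpm_exec_t execute, http_port_t name_connect).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1331943842.899:100168): avc: denied { getattr } for pid=19138 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=1846512 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1331943842.899:100168): arch=40000003 syscall=195 success=no exit=-13 a0=8928f90 a1=bfcde7e0 a2=29bff4 a3=8928f90 items=0 ppid=19137 pid=19138 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494 egid=493 sgid=493 fsgid=493 tty=(none) ses=4845 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1328400000.100:2001): avc:  denied  { execute read open } for pid=2301 comm="check_yum" name="rpm" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328400000.150:2002): avc:  denied  { getattr } for pid=2301 comm="check_yum" name="rpm" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328400000.200:2003): avc:  denied  { name_connect } for pid=2305 comm="yum" dest=80 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF
}

# Dry run: "sh thisscript.sh demo" prints the module derived from the sample records
# without touching the system. The real cycle would be:
#   collect_denials nagios_plugin_checkyum /usr/lib64/nagios/plugins/check_yum   # path assumed
#   (read nagios_plugin_checkyum.te, drop what you do not want to grant)
#   build_and_install nagios_plugin_checkyum
if [ "${1:-}" = "demo" ]; then
    sample_avc_log | avc_to_te nagios_plugin_checkyum
fi
```

The review step between collecting and installing is the one that matters: a generated module grants exactly what was denied, and the sample shows why that needs a human eye. The sudo_exec_t getattr record from the comments turns into `allow nrpe_t sudo_exec_t:file { getattr };`, which is not something you want to wave through just because a check asked for it.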

Please share your experience whether this has worked for you.

4 comments:

  1. [root@informer selinux_plugin]# make -f /usr/share/selinux/devel/Makefile
    Compiling targeted nagios-plugin-checkyum module
    /usr/bin/checkmodule: loading policy configuration from tmp/nagios-plugin-checkyum.tmp
    nagios-plugin-checkyum.te":3:ERROR 'Building a policy module, but no module specification found.
    ' at token 'require' on line 1020:
    require {
    #-- Start ~/nagios-plugin-checkyum.te --
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [tmp/nagios-plugin-checkyum.mod] Error 1

  2. Sorry for that! It looks like I deleted the line describing the module by mistake. I've updated the post, and thanks for the heads up!

  3. Compiling works fine, no issues installing. SEL still blocks it though.

    Audit message:

    type=AVC msg=audit(1331943842.899:100168): avc: denied { getattr } for pid=19138 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=1846512 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
    type=SYSCALL msg=audit(1331943842.899:100168): arch=40000003 syscall=195 success=no exit=-13 a0=8928f90 a1=bfcde7e0 a2=29bff4 a3=8928f90 items=0 ppid=19137 pid=19138 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494 egid=493 sgid=493 fsgid=493 tty=(none) ses=4845 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)

    Replies
    1. NDarkstar, if you're using sudo to call the script, you need to follow the instructions in this other blog post: http://codeforthesoul.blogspot.co.uk/2012/02/selinux-policy-to-run-checkyum-with.html. The policy needs a few extra permissions to work with sudo.

      Cheers,
      Augusto
