System Monitoring with Xymon/Selinux
This example shows how to create and install an SELinux policy module under CentOS 5.5 suitable for running Xymon.
The current version of Xymon will, by default, install in /home/xymon.
Xymon consists of CGI and setuid programs and scripts which read, write and create files and directories within the Xymon directories.
Directories under /home are treated by SELinux as user home directories, and the targeted policy normally prevents the web server (httpd_t) from reading, writing, creating and deleting user files and directories there.
To get around this, we create a new type (xymon_t) and a policy module (xymon) which gives the web server (httpd_t) and the root shell (unconfined_t) the access required to run Xymon, without opening the rest of /home to the web server.
Because the module is compiled directly with checkmodule rather than through the reference-policy macros, xymon_t is a bare type with no file_type attribute; domains such as unconfined_t and initrc_t, which normally reach every labeled file through that attribute, therefore need explicit allow rules for xymon_t, which is why the module spells them out.
After the module is loaded, the installation directory (/home/xymon) must be relabeled to xymon_t.
First create the file xymon.te:
#begin
module xymon 1.0;
# The new file type for everything under /home/xymon. It is declared here and
# so must not also be listed in the require block below.
type xymon_t;
require {
type ping_t;
type ifconfig_t;
type mount_t;
type initrc_t;
type unconfined_t;
type unconfined_mount_t;
type restorecond_t;
type fs_t;
type httpd_t;
type port_t;
type httpd_sys_script_t;
type var_t;
type usr_t;
type var_log_t;
class filesystem associate;
class lnk_file { relabelto relabelfrom read getattr write unlink create setattr };
class dir { relabelto relabelfrom getattr search write read remove_name add_name create setattr rmdir };
class file { relabelto relabelfrom getattr execute execute_no_trans read write ioctl append unlink create rename lock setattr link };
class tcp_socket name_connect;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:file execute;
#============= unconfined_t ==============
allow unconfined_t xymon_t:lnk_file { relabelto relabelfrom read create getattr write unlink setattr };
allow unconfined_t xymon_t:dir { getattr search relabelto relabelfrom write read remove_name add_name create setattr rmdir };
allow unconfined_t xymon_t:file { getattr execute relabelto relabelfrom execute_no_trans read write ioctl append unlink create rename lock setattr link };
#============= xymon_t ==============
# Lets files and directories on disk carry the xymon_t label; without the
# file_type attribute this is not inherited and must be stated explicitly.
allow xymon_t fs_t:filesystem associate;
#============= httpd_t ==============
allow httpd_t xymon_t:lnk_file { read create getattr write unlink setattr };
allow httpd_t xymon_t:dir { getattr search read write add_name remove_name create setattr rmdir };
allow httpd_t xymon_t:file { getattr execute execute_no_trans read ioctl append write setattr rename create unlink };
# port_t is the label of every TCP port that has no more specific port type, so
# this lets the web server connect to any such port, not only Xymon's own listener.
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_t:file { read getattr };
allow httpd_t var_log_t:file read;
#============= unconfined_mount_t ==============
allow unconfined_mount_t xymon_t:file { getattr append };
#============= restorecond_t ==============
allow restorecond_t xymon_t:dir { read search };
#============= ifconfig_t ==============
allow ifconfig_t xymon_t:file { append getattr };
#============= mount_t ==============
allow mount_t xymon_t:file { append getattr };
#============= initrc_t ==============
allow initrc_t xymon_t:dir { getattr search write add_name remove_name relabelto relabelfrom read create setattr rmdir };
allow initrc_t xymon_t:file { getattr execute read execute_no_trans ioctl append create write rename unlink relabelto relabelfrom lock setattr link };
allow initrc_t xymon_t:lnk_file { getattr read relabelto relabelfrom create write unlink setattr };
#============= ping_t ==============
allow ping_t xymon_t:file { getattr write };
#end
Compile and load this policy module:
root# checkmodule -M -m -o xymon.mod xymon.te
root# semodule_package -o xymon.pp -m xymon.mod
root# semodule -i xymon.pp
root# semodule -l
The last command lists the loaded modules; xymon 1.0 should be among them before you go on.
After installing the module, relabel the Xymon tree so the new rules apply to it (the second chcon, with -h, relabels the symbolic links themselves rather than the files they point to):
root# chcon -R -t xymon_t /home/xymon
root# chcon -h -R -t xymon_t /home/xymon
root# ls -Z /home/xymon
Labels set with chcon are not recorded in the file-context database, so a restorecon of /home or a full relabel (touch /.autorelabel) will revert /home/xymon to the default home-directory labels. To make the labeling permanent, record a file-context mapping for /home/xymon with semanage fcontext and apply it with restorecon instead of, or in addition to, chcon.
Now restart the web server and Xymon.
Monitor the Xymon and httpd logs and /var/log/audit/audit.log for AVC denials (ausearch -m avc shows them; audit2allow will draft rules from them) and extend the policy only for denials you can attribute to Xymon's normal operation. A denial whose target is something other than xymon_t, or that comes from a domain Xymon does not use, is something to investigate, not a rule to add.
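The two manual steps above (compile, load and relabel; then watch audit.log) as an added bash script. This is example code written for this page, not part of Xymon or of the original policy; the module name, the file-context pattern, the sample audit records and all function names are assumptions of the script. The triage functions go a step beyond the page: they separate denials against xymon_t, which are candidates for new rules, from denials against other types, which are not.

```shell
#!/bin/bash
# Added example for this page (not from Xymon or the original policy). Installs
# the xymon module persistently and triages AVC denials from audit.log.

# install_xymon_policy: compile xymon.te, load it, and label /home/xymon via a
# file-context mapping so the label survives restorecon or a full relabel.
# Not run automatically; call it as root on the CentOS 5 host.
install_xymon_policy() {
    checkmodule -M -m -o xymon.mod xymon.te || return 1
    semodule_package -o xymon.pp -m xymon.mod || return 1
    semodule -i xymon.pp || return 1
    # Verify the module really loaded before relabeling anything.
    semodule -l | grep -q '^xymon' || { echo "xymon module not loaded" >&2; return 1; }
    # -a fails if the mapping already exists (re-run); fall back to modifying it.
    semanage fcontext -a -t xymon_t '/home/xymon(/.*)?' 2>/dev/null ||
        semanage fcontext -m -t xymon_t '/home/xymon(/.*)?' || return 1
    restorecon -R /home/xymon || return 1
    ls -dZ /home/xymon
}

# Constructed sample of audit.log records in the format the kernel writes
# (not captured from a real system): five AVC denials and one SYSCALL record.
SAMPLE_AVC='type=AVC msg=audit(1288000000.101:301): avc:  denied  { write } for  pid=1201 comm="xymond" name="xymond.log" dev=dm-0 ino=4101 scontext=root:system_r:initrc_t:s0 tcontext=root:object_r:xymon_t:s0 tclass=file
type=AVC msg=audit(1288000000.102:302): avc:  denied  { write } for  pid=1201 comm="xymond" name="xymond.log" dev=dm-0 ino=4101 scontext=root:system_r:initrc_t:s0 tcontext=root:object_r:xymon_t:s0 tclass=file
type=AVC msg=audit(1288000000.103:303): avc:  denied  { read getattr } for  pid=1350 comm="httpd" name="www" dev=dm-0 ino=4200 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:xymon_t:s0 tclass=dir
type=AVC msg=audit(1288000000.104:304): avc:  denied  { name_connect } for  pid=1350 comm="httpd" dest=1984 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1288000000.105:305): avc:  denied  { read } for  pid=1350 comm="httpd" name="shadow" dev=dm-0 ino=77 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1288000000.105:305): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" subj=root:system_r:httpd_t:s0'

# avc_summary: read audit records on stdin; print one line per distinct denial
# as "<count> <source type> <target type> <class> <permissions>".
avc_summary() {
    grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*\) } for .*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    LC_ALL=C sort | uniq -c | sed 's/^ *//'
}

# xymon_denials: only denials whose target is xymon_t; these are the
# candidates for new rules in xymon.te.
xymon_denials() { avc_summary | awk '$3 == "xymon_t"'; }

# foreign_denials: denials against any other type. Do not turn these into
# rules reflexively: httpd_t reading shadow_t, for example, is a real problem.
foreign_denials() { avc_summary | awk '$3 != "xymon_t"'; }

# suggest_rules: turn summary lines into allow statements in the syntax used by
# xymon.te. As with audit2allow output, every line still needs review, and any
# new type must also be added to the module's require block.
suggest_rules() {
    awk '{ perms = $5; for (i = 6; i <= NF; i++) perms = perms " " $i
           printf "allow %s %s:%s { %s };\n", $2, $3, $4, perms }'
}

# Stand-alone demonstration on the constructed sample.
echo "== candidate rules for xymon_t =="
printf '%s\n' "$SAMPLE_AVC" | xymon_denials | suggest_rules
echo "== denials to investigate rather than allow =="
printf '%s\n' "$SAMPLE_AVC" | foreign_denials
```

Against the live system, feed the triage functions from the audit log instead of the sample, for example ausearch -m avc -ts today | xymon_denials | suggest_rules (ausearch is in the audit package), or grep denied /var/log/audit/audit.log | foreign_denials. The count column shows how noisy each distinct denial is, which helps decide whether it is routine Xymon activity or a one-off worth a closer look.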