[dev.icinga.com #8332] Add selinux policy rpm package #2585

Closed
icinga-migration opened this issue Feb 1, 2015 · 29 comments
Labels
area/setup Installation, systemd, sample files enhancement New feature or request

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/8332

Created by mfriedrich on 2015-02-01 15:40:24 +00:00

Assignee: dgoetz
Status: Closed (closed on 2016-11-09 15:06:12 +00:00)
Target Version: (none)
Last Update: 2016-11-09 15:06:12 +00:00 (in Redmine)

Backport?: Not yet backported

Changesets

2015-02-03 10:30:41 +00:00 by (unknown) 4238c64

Add selinux policy (WIP)

refs #8332

2015-02-12 08:13:53 +00:00 by (unknown) f6dd732

Add selinux policy (first draft)

refs #8332

2015-02-12 08:14:27 +00:00 by dgoetz 4b6c49c

Selinux: Added file contexts and port

refs #8332

Signed-off-by: Michael Friedrich <michael.friedrich@netways.de>

2015-02-27 09:47:45 +00:00 by dgoetz b02289b

Selinux: Added capabilities and database support

refs #8332

2015-03-17 18:51:54 +00:00 by dgoetz 63fe680

added restorecon to systemd prepare-dirs script

refs #8332

2015-03-17 21:23:02 +00:00 by dgoetz 8d8c2f7

added chcon to systemd safe-reload script
Selinux: Added support for notifications

refs #8332

2015-03-19 19:55:11 +00:00 by dgoetz 9a7368e

added first draft of selinux policy documentation

refs #8332

2015-03-24 19:27:04 +00:00 by dgoetz 0ebf3e8

extended selinux policy documentation

refs #8332

2015-03-24 19:28:59 +00:00 by dgoetz f431a67

Selinux: added more nagios plugin contexts

refs #8332

2015-03-25 18:52:42 +00:00 by dgoetz 626817c

Selinux: added context to config files to provide interfaces

refs #8332

2015-03-25 21:00:53 +00:00 by dgoetz d005bcd

Selinux: added role and some required changes

refs #8332

2015-03-26 19:41:26 +00:00 by dgoetz bfbcfa5

Selinux: added interface to manage perfdata

refs #8332

2015-03-26 21:12:54 +00:00 by dgoetz 8b23ff2

Selinux: added more documentation

refs #8332

2015-03-31 19:36:03 +00:00 by dgoetz 0925ea6

Selinux: added boolean for allowing icinga 2 to connect to all ports, added plugin domain transition to admin role

refs #8332

2015-05-07 20:26:42 +00:00 by dgoetz 131ad97

SELinux: changed spec

refs #8332

2015-06-01 11:25:58 +00:00 by (unknown) 22d179e

Add selinux policy (first draft)

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 1911209

Selinux: Added file contexts and port

refs #8332

Signed-off-by: Michael Friedrich <michael.friedrich@netways.de>

2015-06-01 11:25:58 +00:00 by dgoetz 7351ab0

Selinux: Added capabilities and database support

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 5d93b96

added restorecon to systemd prepare-dirs script

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 167f43a

added chcon to systemd safe-reload script
Selinux: Added support for notifications

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz fac006e

added first draft of selinux policy documentation

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 7fc28dc

extended selinux policy documentation

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 7458518

Selinux: added more nagios plugin contexts

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 8bd2b99

Selinux: added context to config files to provide interfaces

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 7d29a26

Selinux: added role and some required changes

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz c460914

Selinux: added interface to manage perfdata

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz d7a30bc

Selinux: added more documentation

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz 1ca184a

Selinux: added boolean for allowing icinga 2 to connect to all ports, added plugin domain transition to admin role

refs #8332

2015-06-01 11:25:58 +00:00 by dgoetz ed4142d

SELinux: changed spec

refs #8332

2015-06-01 11:29:55 +00:00 by (unknown) c35651a

Fix doc path in selinux package

refs #8332

2015-06-02 11:32:48 +00:00 by (unknown) 64cddae

Disable selinux rpm build for el5/6 for now

refs #8332

2015-06-18 12:33:53 +00:00 by dgoetz e6453f4

SElinux: added package installation to docs

refs #8332

2015-12-04 14:28:16 +00:00 by dgoetz 9989596

Only execute chcon if selinux is enabled and use full context

refs #8332
fixes #10773

2015-12-04 14:42:49 +00:00 by dgoetz 0c8395f

Only execute chcon if selinux is enabled and use full context

refs #8332
fixes #10773

Relations:

@icinga-migration

Updated by dgoetz on 2015-02-02 12:59:34 +00:00

I discussed this with Michael on the FOSDEM and want to summarize:
I see three tasks: creating the selinux-policy, creating an rpm and writing the doc (and of course it needs testers ;-) )

Creating the selinux-policy:

  • Icinga should run in its own context
  • Icinga needs port 5665 labeled and is allowed to listen on it, must be allowed to connect on high ports
  • Command pipe needs its own context and an interface to allow other programs easily to connect (do we want to have another context or the same for the livestatus socket?)
  • A transition must be done when executing plugins so they run in their own context
  • Are there more special contexts needed for special features?
  • We do not want to break anything, so policy will be permissive until tests are fine (and I mean a lot of tests ;-) )

Creating a rpm:

  • Should this be a separate spec file or included in the main spec?

Documentation:

  • Some Selinux basics but mostly find a good source to link on for that
  • Tell the people how to use it (on fresh installations and on existing systems)
  • Explain the different contexts
  • Give a note on the nagios-plugin contexts and how to label custom plugins so icinga can do a proper transition

Michael and I started prototyping on FOSDEM, he will check it in as a separate feature branch (@michael: Please use version 0.1.0 in the policy file, so I can try a proper versioning of the policy)

@icinga-migration

Updated by mfriedrich on 2015-02-09 09:57:19 +00:00

  • Duplicated set to 6525

@icinga-migration

Updated by dgoetz on 2015-02-11 22:08:51 +00:00

  • File added 0001-Added-file-contexts-and-port.patch

Added some more file contexts, domain transitions and the api port.

While doing so I found some things we should talk about:

  • needed capabilities of icinga 2 daemon
  • needed permissions of plugins (e.g. access to /var/lib/icinga2/api/log/current)
  • notification scripts

@icinga-migration

Updated by mfriedrich on 2015-02-12 08:17:06 +00:00

dirk wrote:

Added some more file contexts, domain transitions and the api port.

Thanks, added that patch to the feature branch.

While doing so I found some things we should talk about:

  • needed capabilities of icinga 2 daemon

Not sure what you mean here. /var/lib/icinga2, /var/log/icinga2, /var/spool/icinga2 must be writable by the daemon.

  • needed permissions of plugins (e.g. access to /var/lib/icinga2/api/log/current)

That directory is only used by the icinga2 daemon, and must not be read by plugins (could expose information).

  • notification scripts

They are kept in /etc/icinga2/scripts and must be executable. The reason for keeping them there is that the user should be able to modify them easily. There is no generic notification script around, at least not yet to my knowledge.

@icinga-migration

Updated by mfriedrich on 2015-02-12 08:19:40 +00:00

  • Status changed from New to Assigned
  • Assigned to set to dgoetz

@icinga-migration

Updated by gbeutner on 2015-02-13 09:30:35 +00:00

  • Blocks set to 5819

@icinga-migration

Updated by dgoetz on 2015-03-02 15:11:03 +00:00

Added support for databases and graphite.

I do have something to discuss:

  • File permissions on /etc/icinga2 and /etc/icinga2/init.conf are too restrictive, not allowing root read access, which would cause me to add the capability dac_override, which I would like to avoid. So can we add read for other or ownership for root?

  • The prepare-dirs script must also change the selinux context on /var/run/icinga2. Adding a check whether restorecon exists and executing it then should solve it without breaking any system that is not selinux enabled.

    # only call restorecon when it is actually installed; quoting keeps the
    # test false when `which` prints nothing (an unquoted empty result makes
    # `[ -x ]` succeed)
    if [ -x "$(which restorecon)" ]; then
        restorecon -R "$ICINGA2_RUN_DIR"
    fi

Should I patch it in this way in the feature branch?

  • On notification scripts I will add a separate context like the nagios plugins have it, not sure if I want to use their interface or create a context like icinga_notification_scripts_t
  • Plugin permissions seem fine now; the leaked file handler on /var/lib/icinga2/api/log/current seems gone with an update
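One way to write the prepare-dirs check so it stays a no-op on hosts without SELinux, as an added example that is not the icinga2 project's script (the function names, the /var/run/icinga2 default and the return codes are assumptions made here):

```shell
#!/bin/sh
# Added example (not the icinga2 project's prepare-dirs script): restore the
# SELinux context of the runtime directory only when SELinux is enabled and
# the tooling exists, so the same script is harmless on non-SELinux hosts.

ICINGA2_RUN_DIR="${ICINGA2_RUN_DIR:-/var/run/icinga2}"   # assumed default path

# Returns 0 when SELinux is present and not disabled (selinuxenabled ships
# with libselinux-utils); any other state means "do nothing".
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Restore default file contexts under $1. Returns 0 = restored,
# 1 = skipped (SELinux off or restorecon missing), 2 = directory missing.
restore_run_dir_context() {
    dir="$1"
    [ -d "$dir" ] || { echo "skip: $dir does not exist"; return 2; }
    if ! selinux_active; then
        echo "skip: SELinux not enabled on this host"
        return 1
    fi
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "skip: restorecon not installed"
        return 1
    fi
    restorecon -R "$dir"
}
```

Calling `restore_run_dir_context "$ICINGA2_RUN_DIR"` right after the directory is created mirrors where the thread puts the check in the systemd pre-start script.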

@icinga-migration

Updated by dgoetz on 2015-03-17 21:35:29 +00:00

  • Target Version set to 2.4.0

Changes:

  • Added the file ownership to the install script for testing, will add it to the spec when creating the selinux subpackage
  • Patched the systemd scripts (not-only prepare-dirs also safe-reload needed to be aware of contexts)
  • Added a new context for notification scripts based on the nagios_plugins_template interface, because it already provides something similar for event handlers.

Next step I want to get the documentation started, so everyone can see what should work and I can ask for testers. Packaging I want to do after that, hoping to get it ready to merge for 2.4.

@icinga-migration

Updated by dgoetz on 2015-03-30 08:15:11 +00:00

  • Relates set to 8900

@icinga-migration

Updated by dgoetz on 2015-05-07 20:34:50 +00:00

Added the required changes to the spec.
But I failed to test it because my system ran out of resources compiling icinga2. Can someone else give it a try or help me with compiling it on the build infrastructure?

@icinga-migration

Updated by mfriedrich on 2015-05-19 07:57:46 +00:00

  • Target Version deleted 2.4.0

@icinga-migration

Updated by mfriedrich on 2015-06-01 12:27:10 +00:00

  • Done % changed from 0 to 80

Review

  • Built on el7
  • Merged current state to master

TODOs

  • Tests
  • Docs

@icinga-migration

Updated by mfriedrich on 2015-06-01 12:27:19 +00:00

  • File deleted 0001-Added-file-contexts-and-port.patch

@icinga-migration

Updated by mfriedrich on 2015-06-02 11:49:47 +00:00

Tobi came over and told me that el6 builds fail due to unmet dependencies with systemd.

+ cd tools/selinux
+ for selinuxvariant in mls targeted
+ make NAME=mls -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
Compiling mls icinga2 module
/usr/bin/checkmodule:  loading policy configuration from tmp/icinga2.tmp
icinga2.te":38:ERROR 'syntax error' at token 'systemd_unit_file' on line 4648:
systemd_unit_file(icinga2_unit_file_t)
type icinga2_unit_file_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/icinga2.mod] Error 1


RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.nQQjSU (%build)
    Bad exit status from /var/tmp/rpm-tmp.nQQjSU (%build)

I've disabled the selinux builds for el5/6 inside the spec file for now, please come up with a proper implementation @dirk

@icinga-migration

Updated by dgoetz on 2015-06-18 12:39:35 +00:00

Had a look at implementing it and this would require moving EL7-specific parts of the policy to a separate patch, using cmake to change the files or something like that, because simply putting it in an optional statement is not enough.

Added documentation for package installation.

@icinga-migration

Updated by dgoetz on 2015-06-22 07:59:18 +00:00

Packagers' target is Fedora 22/23 and EPEL7, so EPEL6 and non-systemd will be ignored until another one requires it.

@icinga-migration

Updated by mfriedrich on 2015-06-22 11:12:03 +00:00

So 64cddae is fixing this problem properly, and you may continue without any further changes. Is there anything left in this issue rather than #5819? If not, please resolve the issue, otherwise update the remaining todos :)

@icinga-migration

Updated by mfriedrich on 2015-06-26 09:13:26 +00:00

  • Target Version set to Backlog

@icinga-migration

Updated by dgoetz on 2015-06-29 09:14:00 +00:00

  • Done % changed from 80 to 100

For more tests I would need a bigger environment, so hopefully we will find some testers. And no idea what we could perhaps need additionally.
Can you merge the last documentation changes (adding package installation) and set this to resolved (I have no permissions)?

@icinga-migration

Updated by mfrosch on 2015-08-26 11:14:16 +00:00

  • Done % changed from 100 to 90

I noticed that the icinga2_var_run_t context doesn't really make sense, since /run is a tmpfs on RHEL7.

How can we fix this cleanly? Allowing httpd to access run?

@icinga-migration

Updated by spstarr on 2015-08-29 22:50:28 +00:00

We're missing tools/selinux in the main tarball, since I need the stock tarball in Fedora (I could package the selinux parts as additions however).

@icinga-migration

Updated by dgoetz on 2015-09-14 11:30:50 +00:00

@lazyfrosch: The context on /var/run is fine. Just have a look at the pre-script for systemd (prepare-dirs), the context is restored after creation. But perhaps this could be done with native systemd using tmpfilesd, but I do not want to change things working fine.

@spstarr: Is it fine if Michael will include it in the tarball with the 2.4 release?

@icinga-migration

Updated by gbeutner on 2015-10-21 12:35:12 +00:00

  • Relates set to 10417

@icinga-migration

Updated by seferovic on 2015-11-24 15:30:51 +00:00

Hi,

I'm getting a lot of messages because apparently the monitoring plugins want to access /var/lib/icinga2/api/log/current.

Nov 24 16:02:01 -secret- setroubleshoot: SELinux is preventing check_ping from append access on the file /var/lib/icinga2/api/log/current. For complete SELinux messages. run sealert -l 7aa246df-1488-43c0-b5f4-912c01fcef3a
Nov 24 16:02:01 vie02s251 python: SELinux is preventing check_ping from append access on the file /var/lib/icinga2/api/log/current.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_ping should be allowed append access on the current file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep check_ping /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012

And I am seeing this for every check... ATM it is only a test system with SELinux enabled, but this would produce a huge load of logging info when the system goes live.

What else could/should I test to help you with this feature?
I'm running latest stable version of Icinga.
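A quick way to triage reports like the one above, as an added example that is not part of the original thread: summarise setroubleshoot lines per (process, access, target) so you can see whether one plugin or every check is denied on the same path. The log lines below are constructed here, with placeholder host names and alert IDs.

```shell
#!/bin/sh
# Added example, not from the thread: group "SELinux is preventing ..." lines
# by process, requested access and target so a denial that every plugin hits
# (one shared path) stands out from a one-off plugin problem.

# Constructed sample input; host names and sealert IDs are placeholders.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Nov 24 16:02:01 host1 setroubleshoot: SELinux is preventing check_ping from append access on the file /var/lib/icinga2/api/log/current. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Nov 24 16:02:31 host1 setroubleshoot: SELinux is preventing check_ping from append access on the file /var/lib/icinga2/api/log/current. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Nov 24 16:03:01 host1 setroubleshoot: SELinux is preventing check_disk from append access on the file /var/lib/icinga2/api/log/current. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000003
Nov 24 16:03:05 host1 setroubleshoot: SELinux is preventing check_load from read access on the file /etc/icinga2/init.conf. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000004
EOF

# Print "count process access target" for each distinct denial in $1,
# most frequent first.
summarise_denials() {
    sed -n 's/^.*SELinux is preventing \([^ ]*\) from \([a-z_]*\) access on the [a-z_]* \([^ ]*\)\..*$/\1 \2 \3/p' "$1" \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Number of distinct processes denied on target path $2 in log $1; a count
# covering all plugins points at something they inherit from the daemon.
processes_denied_on() {
    summarise_denials "$1" | awk -v t="$2" '$4 == t { print $2 }' | sort -u | wc -l | tr -d ' '
}
```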

@icinga-migration

Updated by dgoetz on 2015-11-26 08:52:06 +00:00

Hi,

this is a result of bug #8900 and the bug has an untested patch attached; you can perhaps give this one a try. But this would require compiling.
For selinux: Just run icinga 2 with selinux enabled like you would do it normally and report occurring problems, but you can also report positive experience to encourage others to enable selinux. I would be interested in a list of features confirmed working in different environments.

@icinga-migration

Updated by gbeutner on 2016-04-13 10:22:53 +00:00

What's the status for this ticket?

@icinga-migration

Updated by dgoetz on 2016-04-18 11:40:31 +00:00

This can be closed and the feature branch deleted after merging "feature/doc-selinux-10553".

@icinga-migration

Updated by gbeutner on 2016-08-03 08:17:15 +00:00

  • Blocked set to 10553

@icinga-migration

Updated by mfriedrich on 2016-11-09 15:06:12 +00:00

  • Status changed from Assigned to Closed
  • Target Version deleted Backlog

@icinga-migration icinga-migration added enhancement New feature or request area/setup Installation, systemd, sample files labels Jan 17, 2017