Pandora: Documentation en: SELinux configuration for Pandora FMS
Go back to Pandora FMS documentation index
Contents
1 Introduction
We have always recomended instal Pandora with SELinux disabled (even automaticaly added in our ISO file), but there are many enviroments that we must have it enabled for security issues.
In this guide we will detail how to create policies for the differents modules inside SELinux in a custom way.
In order to create this rules, we will use Audit2allow, it will be ___ to alow the needed actions.
2 Audit2allow installation
Before to start the installation, it may be possible to install different kind of packages in order to use Audit2allow.
# sudo yum install SELinux-policy-devel # sudo yum install policycoreutils-python
3 Location of SELinux directory
Errors returned by SELinux could be locate in the route bellow:
- /var/www/html/pandora_console/log/audit.log
- /var/log/messages
IMPORTANT:
In versions prior to 747, the audit log path is: /var/log/audit/audit.log.
If updating from OUM you will need to modify the logrotate file.
In order to check the cleanest way, we highly recomend to remove previous logs and wait until it are generated again with new records.
Stop syslog (This service could be called rsyslog too):
# /etc/init.d/syslog stop
Remove audit.log and system message log file.
# rm /var/www/html/pandora_console/log/audit.log /var/log/messages
And start it again:
# /etc/init.d/syslog start
4 SELinux configuration
To configure SELinux with the desired value, we will modify its configuration file:
# This file controls the state of SELinux on the system. # SELinux= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELinux=enforcing # SELinuxTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELinuxTYPE=targeted
We will set SELinux to "enforcing" in order to execute in a restrictive way (check audit.log for denied executions by SELinux). The other option is to set SELinux to "permissive", it won't block executions and it will record errors in the audit.log file.
5 Locate entries to create policies rules
To show the last input logs, execute:
# tail -f /var/www/html/pandora_console/log/audit.log /var/log/messages
You can notice some errors like:
# type=AVC msg=audit(1431437562.755:437): avc: denied { write } for pid=1835 comm="httpd" name="collections" dev=dm-0 ino=266621 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
To convert these errors in SELinux rules:
# grep collections /var/www/html/pandora_console/log/audit.log | audit2allow -M pandora
After this, 2 new files will be created:
- pandora.pp - pandora.te
To activate the new rule, we will execute:
# sudo semodule -i pandora.pp
Repeat the process to add missed rules. After this, SELinux will stop reporting errors.
6 Needed rules for proper working of PandoraFMS
If you want that PandoraFMS execute all services properly, you will have to create some rules for the following operations:
- Create, update and delete collections.
- Send e-mails by programmed tasks (Cronjob).
- Agent remote config.
The other way, SELinux will block any accion associated to this operations.
In order to join all rules in one and use PandoraFMS with SELinux enabled, it will be:
# grep -e data_in -e collections -e var_spool_t -e zip -e md5 -e denied /var/www/html/pandora_console/log/audit.log| audit2allow -M pandora
After that you will have to repeat the step above to enable the rule.
# sudo semodule -i pandora.pp