====== SELinux configuration ======

{{indexmenu_n>80}}

<wrap #ks1 />
===== Introduction =====

In Pandora FMS, the installation should always be done with <wrap :en>Security-Enhanced Linux</wrap> (**SELinux**) deactivated. After its installation, and due to the need to have it activated in some environments, the configuration settings for different GNU/Linux distributions are detailed.

<wrap #ks2 />
===== Rocky Linux 8 =====

<wrap #ks2_1 />
==== Audit2allow installation ====

To create this type of rules, **Audit2allow** is used, which will be in charge of allowing the necessary actions.

Before starting to create the rules for the policies, you may need to install a number of packages in order to use **Audit2allow**.

Enter in the command terminal with **root** key or equivalent rights (prefix the command **sudo**):

<code bash>
dnf install selinux-policy-devel -y
dnf install policycoreutils-python-utils -y
</code>

<wrap #ks2_2 />
==== Location of the SELinux log directory ====

The errors returned by **SELinux** can be found in the following paths:

  * ''/var/www/html/pandora_console/log/audit.log''
  * ''/var/log/messages''
In case of updating Pandora FMS by **OUM** you should modify the **logrotate** file [[:en:documentation:pandorafms:management_and_operation:11_managing_and_administration#ks6|corresponding]].

To check more clearly what **SELinux**  blocks, it is recommended to delete the previous //logs// and wait for them to be generated again with new records.

**syslog** must be stopped (this service could also be called **rsyslog**). Enter in the command terminal with **root**  key or equivalent rights (prefix the command **sudo**):

<code bash>
systemctl stop syslog
</code>

The ''audit.log'' and the //log//  system messages file must be deleted:

<code bash>
rm /var/www/html/pandora_console/log/audit.log /var/log/messages
</code>

Restart **syslog** (this service could also be called **rsyslog**):

<code bash>
systemctl start syslog
</code>

<wrap #ks2_3 />
==== SELinux configuration ====

To configure **SELinux** to the desired value, modify its configuration file ''/etc/selinux/config'':

<code>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
</code>

  * If you need **SELinux** to run in restrictive mode, allowing to execute only what appears within the module rules, you must set it to ''enforcing'', thus removing (through the ''audit.log'') the executions denied by **SELinux**.
  * If instead you need to print warnings (//warnings//) instead of blocking actions, leave them ''permissive'', and then check these //warnings//  in the ''audit.log'' file.

<wrap #ks2_4 />
==== Locate the entries for the creation of policy rules ====

To display the latest //logs// entries, enter the command terminal with **root** key or equivalent rights (prefix the command with **sudo**):

<code bash>
tail -f /var/www/html/pandora_console/log/audit.log /var/log/messages
</code>

You may notice that errors will be displayed:

<code>
type=AVC msg=audit(1431437562.755:437): avc:  denied  { write } for  pid=1835 comm="httpd" name="collections" dev=dm-0 ino=266621 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
</code>

To convert these errors into rules that **SELinux** can interpret, you must execute:

<code bash>
grep collections /var/www/html/pandora_console/log/audit.log | audit2allow -M pandora
</code>

This will create two files in the current directory:

<code>
pandora.pp
pandora.te
</code>

To activate the new rule, execute:

<code bash>
sudo semodule -i pandora.pp
</code>

Repeat the process to add the missing rules. After adding all the rules, **SELinux** will stop reporting errors.

<wrap #ks2_5 />
==== Necessary rules for the correct operation of Pandora FMS ====

For Pandora FMS to be able to execute all the services correctly, rules should be created for the following features:

  * Create, update and delete collections.
  * Sending e-mail messages using scheduled tasks (**Cronjob**).
  * Remote agent configuration.
  * Monitoring **snmptrapd**.
  * Monitoring **NetFlow**.

Otherwise, **SELinux** will block any action associated with these features.

A way to unite all these rules in one, to be able to use Pandora FMS completely, would be:

<code bash>
grep -e data_in -e collections -e var_spool_t -e zip -e md5 -e denied /var/log/audit/audit.log | audit2allow -M pandora
</code>

Then you should repeat the step described above to activate the rule. This would cover all possible conflicts between Pandora FMS and **SELinux**. Enter in the command terminal with **root** key or equivalent rights (prefix the command **sudo**):

<code bash>
sudo semodule -i pandora.pp
</code>

<wrap #ks2_5_1 />
=== Practical summary ===

The rules to use **SELinux** with Pandora FMS are summarized, //taking into account that for each particular case the values and parameters should be changed in a customized way// such as ''dev=sdaX'' or ''pid=XXX''.

The **setsebool** command is a tool for setting //booleans// for **SELinux**. The ''-P'' option indicates to persist the set value across restarts, and the ''1''  at the end of the instruction indicates true value, thus activating your application. Enter in the command terminal with **root** key or equivalent rights (prefix the command **sudo**):

<code bash>
setsebool -P httpd_unified 1
setsebool -P httpd_read_user_content 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_execmem 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_connect_ldap 1
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1
setsebool -P httpd_setrlimit 1
</code>

The **chcon** command changes the **SELinux** context of files. The ''-t'' option indicates a **SELinux** file type and the ''-R'' option applies it to a directory and all its contents recursively. Enter in the command terminal with **root** key or equivalent rights (prefix the command **sudo**):

<code bash>
chcon -R -t httpd_sys_content_rw_t /var/www/html/pandora
chcon -R -t httpd_sys_content_rw_t /var/spool/pandora/
chcon -R -t httpd_sys_content_rw_t /tmp/
</code>

The following rules are added, always remembering the necessary customization for each case. Enter in the command terminal with **root** key or equivalent rights (prefix the command **sudo**):

<code bash>
echo 'type=AVC msg=audit(1709637797.944:2074063): avc:  denied  { write } for  pid=176072 comm="php-fpm" name="collections" dev="sda5" ino=142704842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1' | audit2allow -a
echo 'type=AVC msg=audit(1709639101.328:2100929): avc:  denied  { unlink } for  pid=152354 comm="php-fpm" name="gotty_cron_tmp.log" dev="sda5" ino=134725871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1'  | audit2allow -a
echo 'type=AVC msg=audit(1710850539.491:32359350): avc:  denied  { write } for  pid=3895348 comm="connection" name="tmp" dev="sda5" ino=8398230 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=1' | audit2allow -a
</code>

The following command is used to create the rules in a file named ''rules_apply.pp'':

<code bash>
audit2allow -a -M rules_apply
</code>

The rules created in the previous step with the **semodule** command are applied:

<code bash>
semodule -i rules_apply.pp
</code>

[[:en:documentation:start|Back to Pandora FMS Documentation Index]]