SELinux configuration for Pandora FMS

In Pandora FMS the installation should always be done with Security-Enhanced Linux (SELinux ) deactivated. After its installation, and due to the need to have it activated in some environments, the configuration settings for different GNU/Linux distributions are detailed.

To create this type of rules, Audit2allow is used, which will be in charge of allowing the necessary actions.

Before starting to create the rules for the policies, you may need to install a number of packages in order to use Audit2allow.

Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

dnf install selinux-policy-devel -y
dnf install policycoreutils-python-utils -y

The errors returned by SELinux can be found in the following paths:

• /var/www/html/pandora_console/log/audit.log
• /var/log/messages

In case of updating Pandora FMS by OUM you should modify the logrotate file corresponding.

To check more clearly what SELinux blocks, it is recommended to delete the previous logs and wait for them to be generated again with new records.

syslog must be stopped (this service could also be called rsyslog). Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

systemctl stop syslog

The audit.log and the log system messages file must be deleted:

rm /var/www/html/pandora_console/log/audit.log /var/log/messages

Restart syslog (this service could also be called rsyslog):

systemctl start syslog

To configure SELinux to the desired value, modify its configuration file /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

• If you need SELinux to run in restrictive mode, allowing to execute only what appears within the module rules, you must set it to enforcing, thus removing (through the audit.log) the executions denied by SELinux.
• If instead you need to print warnings (warnings) instead of blocking actions, leave them permissive, and then check these warnings in the audit.log file.

To display the latest logs entries, enter the command terminal with root key or equivalent rights (prefix the command with sudo):

tail -f /var/www/html/pandora_console/log/audit.log /var/log/messages

You may notice that errors will be displayed, for example:

type=AVC msg=audit(1431437562.755:437): avc:  denied  { write } for  pid=1835 comm="httpd" name="collections" dev=dm-0 ino=266621 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

To convert these errors into rules that SELinux can interpret, you must execute:

grep collections /var/www/html/pandora_console/log/audit.log | audit2allow -M pandora

This will create two files in the current directory:

pandora.pp
pandora.te

To activate the new rule you must execute:

sudo semodule -i pandora.pp

Repeat the process to add the missing rules. After adding all the rules, SELinux will stop reporting errors.

For Pandora FMS to be able to execute all the services correctly, rules should be created for the following functionalities:

• Create, update and delete collections.
• Sending e-mail messages using scheduled tasks (Cronjob).
• Remote configuration of agents.
• Monitoring snmptrapd.
• Monitoring NetFlow.

Otherwise, SELinux will block any action associated with these features.

A way to unite all these rules in one, to be able to use Pandora FMS completely, would be:

grep -e data_in -e collections -e var_spool_t -e zip -e md5 -e denied /var/log/audit/audit.log | audit2allow -M pandora

Then you should repeat the step described above to activate the rule. This would cover all possible conflicts between Pandora FMS and SELinux. Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

sudo semodule -i pandora.pp

The rules to use SELinux with Pandora FMS are summarized, taking into account that for each particular case the values and parameters should be changed in a customized way such as dev=sdaX or pid=XXX.

The setsebool command is a tool for setting booleans for SELinux. The -P option indicates to persist the set value across restarts, and the 1 at the end of the instruction indicates true value, thus activating your application. Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

setsebool -P httpd_unified 1
setsebool -P httpd_read_user_content 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_execmem 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_connect_ldap 1
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1
setsebool -P httpd_setrlimit 1

The chcon command changes the SELinux context of files. The -t option indicates a SELinux file type and the -R option applies it to a directory and all its contents recursively. Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

chcon -R -t httpd_sys_content_rw_t /var/www/html/pandora
chcon -R -t httpd_sys_content_rw_t /var/spool/pandora/
chcon -R -t httpd_sys_content_rw_t /tmp/

The following rules are added, always remembering the necessary customization for each case. Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

echo 'type=AVC msg=audit(1709637797.944:2074063): avc:  denied  { write } for  pid=176072 comm="php-fpm" name="collections" dev="sda5" ino=142704842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1' | audit2allow -a
echo 'type=AVC msg=audit(1709639101.328:2100929): avc:  denied  { unlink } for  pid=152354 comm="php-fpm" name="gotty_cron_tmp.log" dev="sda5" ino=134725871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1'  | audit2allow -a
echo 'type=AVC msg=audit(1710850539.491:32359350): avc:  denied  { write } for  pid=3895348 comm="connection" name="tmp" dev="sda5" ino=8398230 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=1' | audit2allow -a

The following command is used to create the rules in a file named rules_apply.pp:

audit2allow -a -M rules_apply

The rules created in the previous step with the semodule command are applied:

semodule -i rules_apply.pp

To create this type of rules, Audit2allow is used, which will be in charge of allowing the necessary actions.

Before starting with the creation of policy rules, you may need to install a number of packages in order to use Audit2allow.

Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

yum install selinux-policy-devel -y
yum install policycoreutils-python -y

The errors returned by SELinux can be found in the following paths:

• /var/www/html/pandora_console/log/audit.log
• /var/log/messages

In case of updating by OUM, the logrotate file corresponding must be modified.

To check more clearly what SELinux blocks, it is recommended to delete the previous logs and wait for them to be generated again with new records.

syslog must be stopped (this service could also be called rsyslog). Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

/etc/init.d/syslog stop

The audit.log and the log system message file must be deleted:

rm /var/www/html/pandora_console/log/audit.log /var/log/messages

Restart syslog (this service could also be called rsyslog):

/etc/init.d/syslog start

To configure SELinux to the desired value, its configuration file is modified:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

• If you need SELinux to run in restrictive mode, allowing to execute only what appears within the module rules, you must set it to enforcing, thus removing (through the audit.log) the executions denied by SELinux.
• If instead you need to print warnings (warnings) instead of blocking actions, leave them permissive, and then check these warnings in the audit.log file.

To display the latest logs entries, enter the command terminal with root key or equivalent rights (prefix the command with sudo):

tail -f /var/www/html/pandora_console/log/audit.log /var/log/messages

You may notice that errors will be displayed, for example:

type=AVC msg=audit(1431437562.755:437): avc:  denied  { write } for  pid=1835 comm="httpd" name="collections" dev=dm-0 ino=266621 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

To convert these errors into rules that SELinux can interpret, you must execute:

grep collections /var/www/html/pandora_console/log/audit.log | audit2allow -M pandora

This will create two files in the current directory:

pandora.pp
pandora.te

To activate the new rule you must execute:

sudo semodule -i pandora.pp

Repeat the process to add the missing rules. After adding all the rules, SELinux will stop reporting errors.

For Pandora FMS to be able to execute all the services correctly, rules should be created for the following functionalities:

• Create, update and delete collections.
• Sending e-mails by means of scheduled tasks (Cronjob).
• Remote configuration of agents.

Otherwise, SELinux will block any action associated with these features.

A way to unite all these rules in one, to be able to use Pandora FMS completely, would be:

grep -e data_in -e collections -e var_spool_t -e zip -e md5 -e denied /var/log/audit/audit.log | audit2allow -M pandora

Then you should repeat the step described above to activate the rule. This would cover all possible conflicts between Pandora FMS and SELinux. Enter in the command terminal with root key or equivalent rights (prefix the command sudo):

sudo semodule -i pandora.pp

Back to Pandora FMS Documentation Index