Munin/SELinux

From LinuxReviews

Munin version 2.0.64 does not come with any SELinux policy for Fedora and RHEL. The munin-node.service will fail to start without one.

Munin-Node

First, empty the audit log so that only the denials produced by the next steps end up in it:

echo > /var/log/audit/audit.log

Then switch SELinux to permissive mode, so that denials are logged but not enforced (remember to turn enforcement back on afterwards; leaving it off is bad):

setenforce 0

Next, start and stop munin-node:

systemctl start munin-node
sleep 4s
systemctl stop munin-node

Re-enable SELinux enforcement:

setenforce 1

Next, make sure the policycoreutils-python-utils package (which provides audit2allow) is installed and run:

grep munin /var/log/audit/audit.log | audit2allow -M munin-node

This creates a loadable SELinux module, munin-node.pp, and a plain-text policy source file, munin-node.te, which will look something like this:

File: munin-node.te
module munin-node 1.0;

require {
	type services_munin_plugin_t;
	type disk_munin_plugin_t;
	type system_dbusd_var_run_t;
	type system_dbusd_t;
	type avahi_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dbus send_msg;
	class capability dac_read_search;
}

#============= avahi_t ==============
allow avahi_t services_munin_plugin_t:dbus send_msg;

#============= disk_munin_plugin_t ==============
allow disk_munin_plugin_t self:capability dac_read_search;

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t avahi_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:unix_stream_socket connectto;
allow services_munin_plugin_t system_dbusd_var_run_t:sock_file write;

You do not actually need the munin-node.te file to install the module, but since you are reading this you are probably someone who wants to see exactly what the module allows.

The ready-to-use munin-node.pp SELinux module can be added to the system policy with

semodule -i munin-node.pp

audit2allow -M creates both the policy source (.te) and the loadable module (.pp) in one step. Alternatively, you can do it a bit more manually:

grep munin /var/log/audit/audit.log | audit2allow -m munin-node > munin-node.te
checkmodule -M -m -o munin-node.mod munin-node.te
semodule_package -o munin-node.pp -m munin-node.mod
semodule -i munin-node.pp

You should now be able to start munin-node with SELinux enforcement enabled with

systemctl start munin-node

or

systemctl enable --now munin-node

to start and enable as a permanent service at the same time.

Munin

The munin service, which generates the HTML pages and the graph images, will also refuse to start on Fedora and RHEL systems without an SELinux policy. The procedure is the same as for munin-node:

echo > /var/log/audit/audit.log
setenforce 0
systemctl start munin
sleep 8s
systemctl stop munin
grep munin /var/log/audit/audit.log | audit2allow -M munin-server

That should produce a usable SELinux module you can install with

semodule -i munin-server.pp

The plain-text module will look something like this:

File: munin-server.te
module munin-server 1.0;

require {
	type init_t;
	type munin_t;
	class process2 nnp_transition;
}

#============= init_t ==============
allow init_t munin_t:process2 nnp_transition;
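The following is an added example for both the munin-node and munin sections above; it is not code from the LinuxReviews page and not audit2allow itself. It reimplements in Python what "grep munin /var/log/audit/audit.log | audit2allow -M" does: AVC denial records are parsed into one allow rule per (source type, target type, class) and written out in the layout of the two .te listings, and a review pass then flags permissions that should not be granted just because audit2allow suggested them (here the dac_read_search capability from the disk plugin). The audit records in SAMPLE_AUDIT_LOG are constructed samples in the shape auditd writes, not a capture from a real host, and the REVIEW_FLAGS list is my own choice.

```python
"""Turn AVC denial records into audit2allow-style allow rules and flag
the ones worth a second look. Added example for this page, not part of
audit2allow; the audit records below are constructed samples in the
shape auditd writes, not a capture from a real host."""
import re
from collections import defaultdict

# Constructed sample of audit.log contents after a permissive-mode run.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1617800000.100:455): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=munin-node comm="systemd" res=success'
type=AVC msg=audit(1617800000.123:456): avc:  denied  { send_msg } for  pid=1234 comm="munin-node" scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=1
type=AVC msg=audit(1617800000.124:457): avc:  denied  { send_msg } for  pid=1234 comm="munin-node" scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=1
type=AVC msg=audit(1617800000.124:458): avc:  denied  { connectto } for  pid=1234 comm="munin-node" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1617800000.124:459): avc:  denied  { write } for  pid=1234 comm="munin-node" name="system_bus_socket" dev="tmpfs" ino=12345 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1617800000.200:460): avc:  denied  { dac_read_search } for  pid=1240 comm="df" capability=2 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:system_r:disk_munin_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1617800001.000:461): avc:  denied  { nnp_transition } for  pid=1300 comm="munin-cron" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=1
type=AVC msg=audit(1617800002.000:462): avc:  denied  { write } for  pid=1400 comm="cupsd" name="error_log" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

def grep_lines(text, needle):
    """Same filter as `grep munin /var/log/audit/audit.log`."""
    return [line for line in text.splitlines() if needle in line]

def parse_avc(lines):
    """Yield (source type, target type, class, permission) per denied permission."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the SERVICE_START record)
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm

def build_rules(records):
    """Collapse denials into {(stype, ttype, tclass): {perms}}, one allow rule each."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in records:
        rules[(stype, ttype, tclass)].add(perm)
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_line(stype, ttype, tclass, perms):
    target = "self" if stype == ttype else ttype  # same-domain target is written as self
    return f"allow {stype} {target}:{tclass} {fmt_perms(perms)};"

def render_te(name, rules):
    """Write the rules in the layout of the .te files shown on this page."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    for stype in sorted({k[0] for k in rules}):
        out += ["", f"#============= {stype} =============="]
        out += [allow_line(s, t, c, p) for (s, t, c), p in sorted(rules.items()) if s == stype]
    return "\n".join(out) + "\n"

# Permissions not to accept from audit2allow without thought (my own list): each
# lets the source domain bypass ordinary file ownership checks, where a narrower
# rule or a file context fix is usually the better answer.
REVIEW_FLAGS = {
    ("capability", "dac_read_search"): "bypasses DAC read/search checks on any file",
    ("capability", "dac_override"): "bypasses all DAC permission checks",
    ("capability", "sys_admin"): "catch-all administrative capability",
}

def review_rules(rules):
    """Return [(allow line, reason)] for rules that grant a flagged permission."""
    return [(allow_line(s, t, c, perms), REVIEW_FLAGS[(c, perm)])
            for (s, t, c), perms in sorted(rules.items())
            for perm in sorted(perms) if (c, perm) in REVIEW_FLAGS]

if __name__ == "__main__":
    rules = build_rules(parse_avc(grep_lines(SAMPLE_AUDIT_LOG, "munin")))
    print(render_te("munin-node", rules))
    for line, reason in review_rules(rules):
        print(f"REVIEW: {line}  # {reason}")
```

Run as is, it prints a munin-node.te-style file for the sample (the cupsd denial is dropped by the grep step, the SERVICE_START record by the AVC parser) followed by one REVIEW line for the dac_read_search rule. To review a real module before loading it with semodule -i, feed grep_lines the contents of /var/log/audit/audit.log, or the output of "ausearch -m AVC -ts recent", which selects the last few minutes of records and so avoids emptying the audit log with echo.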