SELinux

Table of Contents:

Using AppFirst collectors with SELinux

Upon startup, AppFirst collectors look to see if SELinux is “enforcing” and terminate with a warning message if this is so. There are four options should you encounter this situation:

  1. Disable SELinux altogether
  2. Place SELinux into permissive mode
  3. Use the AppFirst supplied SElinux policy to permit the collector to run
  4. Generate an AppFirst SELinux policy on your own

Disabling SELinux altogether

The ‘brute force’ approach to making the AppFirst collector work with SELinux is to simply disable SELinux. In /etc/sysconfig/selinux, change the SELINUX option to disabled. Reboot the server and you should find that the AppFirst collector will start.

Put SELinux into permissive mode

Permissive mode is SElinux’s way of allowing everything, but logging the things it allowed. In /etc/sysconfig/selinux, change the SELINUX option to permissive. Reboot the server and you should find that the AppFirst collector will start.

Use this SELinux Policy

In order to manipulate an SELinux policy, you’ll need to have the setools-console and policycoreutils-python packages installed on the system creating the policy. Once the policy is created, it can be copied to any other linux server, so these packages will not have to be installed.

Create a file called appfirst.te that contains the following lines:

module appfirst 1.0;

require {
	type chkpwd_t;
	type sysstat_t;
	type initrc_state_t;
	type initrc_t;
	class shm { write associate read unix_read unix_write };
	class file { read write getattr open };
}

#============= chkpwd_t ==============
allow chkpwd_t initrc_state_t:file { read write getattr open };
allow chkpwd_t initrc_t:shm { unix_read read write unix_write associate };

#============= sysstat_t ==============
#!!!! The source type 'sysstat_t' can write to a 'file' of the following type:
# sysstat_log_t

allow sysstat_t initrc_state_t:file { read write getattr open };
allow sysstat_t initrc_t:shm { unix_read read write unix_write associate };

Compile the module

checkmodule -M -m -o appfirst.mod appfirst.te

Create the package

semodule_package -o appfirst.pp -m appfirst.mod

Load the module into the kernel

semodule -i appfirst.pp

Generate your own SELinux policy

Although there are a few steps here, generating an SELinux policy only appears to be a daunting task.

  1. Keep SELinux running in enforcing mode. If you need to change the mode, reboot the server after changing /etc/sysconfig/selinux.
  2. You’ll need the setools packages referenced above:
    yum install -y setools-console policycoreutils-python
  3. Edit /etc/init.d/afcollector and comment out the line in the ‘start’ section that calls selinux_chk
  4. Clean your audit.log:
    cat /dev/null > /var/log/audit/audit.log
  5. The AppFirst collector is probably stopped at this point, but in case it isn’t, let’s stop it:
    service afcollector stop
  6. Start the AppFirst collector:
    service afcollector start
  7. The AppFirst collector will start up and SELinux will start denying certain access. You can watch this behavior in /var/log/audit/audit.log. Wait for fifteen minutes or so to generate a few SELinux warnings.
  8. Set enforce off:
    setenforce 0
  9. Generate a good policy (this may take a few minutes):
    cat /var/log/audit/audit.log | audit2allow -M appfirst
  10. Activate the new policy:
    semodule -i appfirst.pp
  11. Re-enable selinux enforcing mode:
    setenforce 1
  12. Check for errors:
    seaudit-report /var/log/audit/audit.log
  13. Assuming no errors, and that the AppFirst collector is reporting back to the AppFirst cloud (log in and check), you should be fine to copy the appfirst.pp policy to other servers and run semodule -i appfirst.pp. Note, there is no need to install the setools packages on servers that are not generating a policy.

Reference:
The SELinux project: http://selinuxproject.org/page/Main_Page
The Centos SELinux HowTo: http://wiki.centos.org/HowTos/SELinux