Xymon Mailing List Archive

selinux policy

5 messages in this thread

list Martin Flemming · Mon, 25 Feb 2008 13:35:13 +0100 (CET) ·
Hi !

Is there any SELinux policy for Hobbit available,
or can somebody point me to a solution for it ... ?
... besides disabling it :-)


Cheers,

        Martin 
Martin Flemming
DESY / IT          office : Building 2b / 008a
Notkestr. 85       phone  : XXX - XXXX - XXXX
22603 Hamburg      mail   : user-f286aaa49a76@xymon.invalid
list Buchan Milne · Mon, 25 Feb 2008 17:23:42 +0200 ·
quoted from Martin Flemming
On Monday 25 February 2008 14:35:13 Martin Flemming wrote:
Hi !

Is there any SELinux policy for Hobbit available,
or can somebody point me to a solution for it ... ?
... besides disabling it :-)
I don't think a policy should be necessary in targeted mode, but chcon might need to be run with the right options to set the right context on the relevant directories/files.

Can you give the selinux error message you get ? And, how did you install Hobbit ?
list Martin Flemming · Mon, 25 Feb 2008 19:08:11 +0100 (CET) ·
quoted from Buchan Milne
On Mon, 25 Feb 2008, Buchan Milne wrote:
On Monday 25 February 2008 14:35:13 Martin Flemming wrote:
Hi !

Is there any SELinux policy for Hobbit available,
or can somebody point me to a solution for it ... ?
... besides disabling it :-)
I don't think a policy should be necessary in targeted mode, but chcon might
need to be run with the right options to set the right context on the
relevant directories/files.
Fine, I'm not familiar with SELinux,
but for a new analysis farm we have to build, it's the default with

SELINUX=enforcing
SELINUXTYPE=targeted
quoted from Buchan Milne
Can you give the selinux error message you get ? And, how did you install
Hobbit ?
And one more detail: I've got the problem on my new separate server
when I want to execute the CGIs,

e.g.
hobbit-nkview.sh
bb-findhost.sh
... and so on.

Error messages in /var/log/audit/audit.log:

type=AVC msg=audit(1203959305.541:42): avc:  denied  { execute_no_trans } for  pid=2027 comm="httpd" path="/usr/lib/hobbit/cgi-bin/hobbit-nkview.sh" 
dev=xvda2 ino=553808 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1203959305.541:42): arch=c000003e syscall=59 success=no exit=-13 a0=55555dd9ea80 a1=55555dda02b0 a2=55555dda02c8 a3=0 
items=0 ppid=1841 pid=2027 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" 
subj=root:system_r:httpd_t:s0 key=(null)

or

type=AVC msg=audit(1203959921.164:50): avc:  denied  { execute_no_trans } for  pid=2184 comm="httpd" path="/usr/lib/hobbit/cgi-bin/bb-findhost.sh" 
dev=xvda2 ino=553797 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1203959921.164:50): arch=c000003e syscall=59 success=no exit=-13 a0=55555dd9ea78 a1=55555dda0298 a2=55555dda02b0 a3=0 
items=0 ppid=1843 pid=2184 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" 
subj=root:system_r:httpd_t:s0 key=(null)


Also, if I want to see the CPU graph etc. ...

type=AVC msg=audit(1203960082.238:51): avc:  denied  { execute_no_trans } for  pid=2217 comm="httpd" path="/usr/lib/hobbit/cgi-bin/bb-hostsvc.sh" 
dev=xvda2 ino=553800 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1203960082.238:51): arch=c000003e syscall=59 success=no exit=-13 a0=55555dd9ead8 a1=55555dda0310 a2=55555dda0328 a3=0 
items=0 ppid=1844 pid=2217 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Whereas if I disable SELinux, I don't have that problem.


But maybe it's my own mistake in the configuration or setup.

If the messages tell you something, I'd be glad to hear any advice.
Besides, I will look into my own configuration once more.

Thanks & Cheers,

        Martin
list Buchan Milne · Wed, 27 Feb 2008 12:32:38 +0200 ·
quoted from Martin Flemming
Whereas if I disable SELinux, I don't have that problem.
I assisted someone in setting up Hobbit on a system that had selinux enabled, 
and this was what I needed to do to get it to work correctly:

chcon -t httpd_sys_script_exec_t /usr/lib/hobbit/cgi-bin/*
chcon -t httpd_sys_script_exec_t /usr/lib/hobbit/cgi-secure/*
chcon -R -t httpd_sys_script_ro_t /var/lib/hobbit/rrd/

(besides usual file permissions issues).

I will try and see if I can ensure this isn't necessary (either setting the 
contexts during the package build, or in a postinstall script) for my own 
Hobbit RPMs; if it works, I may make the packages available.

Regards,
Buchan
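As an added example (not from this thread, nor from the Hobbit or Xymon projects), here is a small Python triage script for AVC records like the ones quoted above: it parses each type=AVC line, collapses repeated denials, and for the httpd_t / execute_no_trans / file case maps the target to the httpd_sys_script_exec_t relabel Buchan used. The sample lines are constructed from the thread's records with line wrapping removed; KNOWN_RELABELS is an assumption that covers only that case and flags everything else for manual review.

```python
import re

# "avc: denied { perm ... } for" inside a type=AVC record, then key=value tokens.
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Relabels known to clear a denial: (source type, permission, class) -> target type.
# Assumption: only the thread's case (httpd_t executing lib_t CGI scripts) is listed;
# anything else is flagged for manual review rather than guessed.
KNOWN_RELABELS = {("httpd_t", "execute_no_trans", "file"): "httpd_sys_script_exec_t"}

# Constructed sample: the thread's first two records with line wrapping removed.
SAMPLE_LOG = [
    'type=AVC msg=audit(1203959305.541:42): avc:  denied  { execute_no_trans } for  pid=2027 comm="httpd" path="/usr/lib/hobbit/cgi-bin/hobbit-nkview.sh" dev=xvda2 ino=553808 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1203959305.541:42): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1203959921.164:50): avc:  denied  { execute_no_trans } for  pid=2184 comm="httpd" path="/usr/lib/hobbit/cgi-bin/bb-findhost.sh" dev=xvda2 ino=553797 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
]

def _type_of(context):
    """user:role:type[:level] -> type ('?' if the context is malformed)."""
    return (context.split(":") + ["?"] * 3)[2]

def parse_avc(line):
    """Return perms, path, source/target type and class for an AVC denial, else None."""
    m = DENIED_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    return {"perms": tuple(m.group("perms").split()),
            "path": kv.get("path", kv.get("name", "?")),
            "stype": _type_of(kv.get("scontext", "")),
            "ttype": _type_of(kv.get("tcontext", "")),
            "tclass": kv.get("tclass", "?")}

def triage(lines):
    """Collapse repeated denials and attach the chcon that would clear each one."""
    seen = {}  # insertion-ordered: first occurrence wins, later ones bump count
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["path"], d["stype"], d["ttype"], d["perms"])
        if key in seen:
            seen[key]["count"] += 1
            continue
        fixes = [f"chcon -t {t} {d['path']}" for p in d["perms"]
                 if (t := KNOWN_RELABELS.get((d["stype"], p, d["tclass"])))]
        d.update(count=1, fix=fixes or ["no known relabel; review with audit2allow"])
        seen[key] = d
    return list(seen.values())
```

A chcon label is lost on the next filesystem relabel; the persistent equivalent is `semanage fcontext -a -t httpd_sys_script_exec_t '/usr/lib/hobbit/cgi-bin(/.*)?'` followed by `restorecon -Rv /usr/lib/hobbit/cgi-bin`.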
list Martin Flemming · Wed, 27 Feb 2008 12:25:18 +0100 (CET) ·

Great, that works !

Many thanks & cheers !

        Martin
quoted from Buchan Milne

On Wed, 27 Feb 2008, Buchan Milne wrote:
Whereas if I disable SELinux, I don't have that problem.
I assisted someone in setting up Hobbit on a system that had selinux enabled,
and this was what I needed to do to get it to work correctly:

chcon -t httpd_sys_script_exec_t /usr/lib/hobbit/cgi-bin/*
chcon -t httpd_sys_script_exec_t /usr/lib/hobbit/cgi-secure/*
chcon -R -t httpd_sys_script_ro_t /var/lib/hobbit/rrd/

(besides usual file permissions issues).

I will try and see if I can ensure this isn't necessary (either setting the
contexts during the package build, or in a postinstall script) for my own
Hobbit RPMs; if it works, I may make the packages available.

Regards,
Buchan


Gruss

        Martin Flemming