$ vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
IPADDR=xx.xx.xx.xx
NETWORK=yy.yy.yy.yy
NETMASK=255.zz.zz.zz
BROADCAST=mm.mm.mm.mm
GATEWAY=nn.nn.nn.nn
DNS1=8.8.8.8
DNS2=8.8.4.4
DOMAIN=mydomain.com.ar
sudo configuration
$ visudo
$ usermod -a -G wheel USER
ssh
$ yum install openssh-server
$ chkconfig --add sshd
$ chkconfig sshd on
$ yum install screen
$ yum install yum-plugin-downloadonly
$ yum update --downloadonly
Problem
PostgreSQL plugins in Munin work from munin-run, but not via Munin or telnet to port 4949
Error produced:
May 21 16:09:58 web6 kernel: type=1400 audit(1369163398.807:37784): avc: denied { write } for pid=6970 comm="postgres_users" name=".s.PGSQL.5432" dev=md0 ino=68088 scontext=unconfined_u:system_r:munin_services_plugin_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
1st attempt
$ setsebool -P allow_user_postgresql_connect on
Did not solve it
Solution
------------------------------------------------------------
$ grep audit /var/log/messages | tail > /tmp/audit-errors.txt
$ audit2allow -M allow_munin_plugin_to_write_to_sockets < /tmp/audit-errors.txt
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i allow_munin_plugin_to_write_to_sockets.pp
$ semodule -i allow_munin_plugin_to_write_to_sockets.pp
------------------------------------------------------------
More info
* http://wiki.centos.org/HowTos/SELinux
* https://bugzilla.redhat.com/show_bug.cgi?id=581270
* http://serverfault.com/questions/427474/munin-with-postgresql-9-2
Now the problem is:
May 21 16:23:02 web6 kernel: type=1400 audit(1369164182.187:37812): avc: denied { connectto } for pid=7975 comm="postgres_bgwrit" path="/tmp/.s.PGSQL.5432" scontext=unconfined_u:system_r:munin_services_plugin_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
$ cat > /tmp/audit-errors-2.txt
{{{ paste error }}}
$ audit2allow -M allow_munin_plugin_to_write_to_sockets_2 < /tmp/audit-errors-2.txt
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i allow_munin_plugin_to_write_to_sockets_2.pp
$ cat allow_munin_plugin_to_write_to_sockets_2.te
module allow_munin_plugin_to_write_to_sockets_2 1.0;
require {
type munin_services_plugin_t;
type initrc_t;
class unix_stream_socket connectto;
}
#============= munin_services_plugin_t ==============
allow munin_services_plugin_t initrc_t:unix_stream_socket connectto;
$ semodule -i allow_munin_plugin_to_write_to_sockets_2.pp
The contents of the first generated file are:
$ cat allow_munin_plugin_to_write_to_sockets.te
module allow_munin_plugin_to_write_to_sockets 1.0;
require {
type tmp_t;
type munin_services_plugin_t;
class sock_file write;
}
#============= munin_services_plugin_t ==============
allow munin_services_plugin_t tmp_t:sock_file write;
Make services that try to connect to 127.0.0.1:5433 actually connect to 127.0.0.1:5432:
$ iptables -t nat -A OUTPUT -o lo -p tcp --dport 5433 -j REDIRECT --to-port 5432
Custom rules and system-config-firewall-tui
* https://fedoraproject.org/wiki/How_to_edit_iptables_rules
"For adding custom rules you have specify the protocol between ipv4 or ipv6 and on what table add the custom rules filter, mangle or nat then the path to the file containing rules to add"
$ cat /etc/sysconfig/iptables-redirect-5433-a-5432
-A OUTPUT -o lo -p tcp -m tcp --dport 5433 -j REDIRECT --to-ports 5432
The problem:
Jun 4 15:56:17 web6 kernel: type=1400 audit(1370372177.632:44447): avc: denied { execute } for pid=11607 comm="munin-node" name="plugin_jboss_generic_jmx_v2" dev=md0 ino=270506 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
Jun 4 15:56:17 web6 kernel: type=1400 audit(1370372177.674:44448): avc: denied { execute } for pid=11608 comm="munin-node" name="plugin_jboss_generic_jmx_v3" dev=md0 ino=270498 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
The solution... The solution? Well, I don't know yet, but we'll try with:
$ semanage fcontext -a -t munin_unconfined_plugin_exec_t "/usr/local/my-munin/plugin_jboss_generic_jmx_v[23]"
$ restorecon -R -v /usr/local/my-munin
Refs:
- http://danwalsh.livejournal.com/63137.html
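The following is an added example, not code from these comments: a small POSIX sh/awk reimplementation of the part of audit2allow that matters when reviewing what a generated module will grant. It parses AVC denial lines like the ones quoted in the two SELinux comments above (the sample lines are constructed from those denials; the module name is hypothetical) and prints the same require block and allow rules audit2allow writes into the .te file. Reading that output before `semodule -i` is what lets you notice that the second module permits the plugin to connect to any initrc_t unix socket, and that for the munin_t execute denial the comment above chose relabeling the plugin files with semanage fcontext instead of an allow rule on usr_t files.

```shell
#!/bin/sh
# Added example (not from the original comments): turn AVC denial lines into
# the allow rules / .te module audit2allow would produce, so the result can be
# read before `semodule -i`. Sample lines are constructed from the denials
# quoted in the comments; the module name used below is hypothetical.

SAMPLE_AVC='May 21 16:09:58 web6 kernel: type=1400 audit(1369163398.807:37784): avc: denied { write } for pid=6970 comm="postgres_users" name=".s.PGSQL.5432" dev=md0 ino=68088 scontext=unconfined_u:system_r:munin_services_plugin_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
May 21 16:23:02 web6 kernel: type=1400 audit(1369164182.187:37812): avc: denied { connectto } for pid=7975 comm="postgres_bgwrit" path="/tmp/.s.PGSQL.5432" scontext=unconfined_u:system_r:munin_services_plugin_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Jun 4 15:56:17 web6 kernel: type=1400 audit(1370372177.632:44447): avc: denied { execute } for pid=11607 comm="munin-node" name="plugin_jboss_generic_jmx_v2" dev=md0 ino=270506 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
Jun 4 15:56:17 web6 kernel: type=1400 audit(1370372177.674:44448): avc: denied { execute } for pid=11608 comm="munin-node" name="plugin_jboss_generic_jmx_v3" dev=md0 ino=270498 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'

# avc_to_te MODULE_NAME: read AVC lines on stdin, print a .te module with one
# deduplicated allow rule per distinct (source type, target type, class, perms).
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # permission set: { write } or { read write }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : " ") $j
            } else if ($i ~ /^scontext=/) {       # user:role:TYPE:level -> keep the type
                split(substr($i, 10), a, ":"); src = a[3]
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), a, ":"); tgt = a[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") next   # malformed line: skip
        p = (index(perm, " ") ? "{ " perm " }" : perm)
        rule = "allow " src " " tgt ":" cls " " p ";"
        if (!(rule in seen)) { seen[rule] = 1; rules[++n] = rule }
        types[src] = 1; types[tgt] = 1
        m = split(perm, pa, " ")                   # collect per-class permissions for require {}
        for (k = 1; k <= m; k++)
            if (!((cls, pa[k]) in cp)) {
                cp[cls, pa[k]] = 1
                cperms[cls] = cperms[cls] (cperms[cls] == "" ? "" : " ") pa[k]
            }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "\ttype %s;\n", t
        for (c in cperms) {
            p = (index(cperms[c], " ") ? "{ " cperms[c] " }" : cperms[c])
            printf "\tclass %s %s;\n", c, p
        }
        printf "}\n\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# avc_to_allow LINE: the single allow rule one denial line would need
# (empty output when LINE is not an AVC denial).
avc_to_allow() {
    printf '%s\n' "$1" | avc_to_te tmp | grep '^allow ' || true
}

# Stand-alone run: print the module for the sample denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te allow_munin_plugin_demo
```

Feed it the same `grep audit /var/log/messages | tail` output used above and compare the printed rules with the .te file audit2allow generated; the two execute denials collapse into a single `allow munin_t usr_t:file execute;`, which is the rule the relabeling approach avoids.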
Very good firewall script:
https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_iptables.rules_file