On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
>
> Is there a recommended way of setting up custom SNMP (net-snmp) scripts
> used for monitoring the status of software or hardware RAID, Web site
> hits, etc.? I created a special directory for them -
> /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to
> do. My snmpScripts.te on a server with software RAID looks like this:
I would probably label /usr/local/snmp/bin/ and anything below type
bin_t. This will at least stop snmpd_t from executing generic usr files.
Example;
semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin
Besides that I guess you would need to allow snmpd_t to
read /proc/mdstat files, but you can use audit2allow for that as you did
below.
Thanks, I like it. My snmpScripts.te looks simpler now:
module snmpScripts 1.0;
require {
type snmpd_t;
type proc_mdstat_t;
class file { read ioctl open getattr };
}
#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };
I notice that I failed to include all of my previous snmpScripts.te. Two allow lines at
the bottom were missing - one for usr_t as you mentioned above and the one shown here for
proc_mdstat_t.
Fred
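An added example (not from the thread or from the net-snmp or SELinux projects) showing what audit2allow does with denials like the ones that produced the snmpScripts.te above, and the caveat Dominick raises: a denial for executing a generic usr_t file is better fixed by relabelling the script (bin_t) than by an allow rule. The AVC lines are constructed for the example, GENERIC_TYPES is a hand-picked list, and the function names are this example's own.

```python
"""Minimal audit2allow-style generator for AVC denials (added example).

Parses constructed AVC lines, aggregates them into a .te module in the same
shape as snmpScripts.te, and flags denials that call for relabelling rather
than an allow rule (e.g. snmpd_t executing a generic usr_t file).
"""
import re
from collections import defaultdict

# Constructed sample audit lines, not a real capture; the first three are the
# /proc/mdstat reads the thread allows, the last is a script left as usr_t.
SAMPLE_AVC = """\
type=AVC msg=audit(1324375200.101:41): avc:  denied  { read } for  pid=1234 comm="snmpd" name="mdstat" dev=proc ino=4026531855 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
type=AVC msg=audit(1324375200.102:42): avc:  denied  { open } for  pid=1234 comm="snmpd" path="/proc/mdstat" dev=proc ino=4026531855 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
type=AVC msg=audit(1324375200.103:43): avc:  denied  { getattr } for  pid=1234 comm="snmpd" path="/proc/mdstat" dev=proc ino=4026531855 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
type=AVC msg=audit(1324375200.104:44): avc:  denied  { execute } for  pid=1234 comm="snmpd" name="raidstatus.sh" dev=sda1 ino=12345 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# The permission set sits in braces; the contexts are user:role:type[:range].
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

# Generic labels: an allow rule against these usually means the file itself
# is mislabelled (assumption: a hand-picked list for this example).
GENERIC_TYPES = {"usr_t", "etc_t", "var_t", "tmp_t", "default_t"}


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def build_rules(text):
    """Merge denials into allow rules; split off ones that want a relabel."""
    rules = defaultdict(set)  # (stype, ttype, tclass) -> set of perms
    advice = []
    for stype, ttype, tclass, perms in parse_avc(text):
        if ttype in GENERIC_TYPES and "execute" in perms:
            advice.append((stype, ttype, tclass, perms))
            continue
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules), advice


def render_module(name, version, rules):
    """Emit a .te module in the form the thread's snmpScripts.te uses."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def main():
    rules, advice = build_rules(SAMPLE_AVC)
    print(render_module("snmpScripts", "1.0", rules))
    for stype, ttype, tclass, perms in advice:
        print(f"# not allowed: {stype} {' '.join(sorted(perms))} on {ttype}:{tclass}; "
              f"relabel the script (semanage fcontext ... -t bin_t; restorecon) "
              f"instead of granting execute on {ttype}")


if __name__ == "__main__":
    main()
```

Compile and load the printed module the same way audit2allow output is loaded (checkmodule -M -m, semodule_package, semodule -i); the "not allowed" line is the case where the right fix is the fcontext change from the reply above, not another allow rule.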