On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> Hi,
>
> Is there a recommended way of setting up custom SNMP (net-snmp) scripts used for monitoring the status of software or hardware RAID, Web site hits, etc.? I created a special directory for them - /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to do. My snmpScripts.te on a server with software RAID looks like this:

I would probably label /usr/local/snmp/bin/ and anything below type bin_t. This will at least stop snmpd_t from executing generic usr files.

Example:

semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
restorecon -R -v /usr/local/snmp/bin

Besides that I guess you would need to allow snmpd_t to read /proc/mdstat files, but you can use audit2allow for that as you did below.

>
> module snmpScripts 1.0;
>
> require {
>         type snmpd_t;
>         type proc_mdstat_t;
>         type usr_t;
>         class file { ioctl execute read open getattr execute_no_trans };
> }
>
> #============= snmpd_t ==============
>
> Is there a better or more secure way of doing this?
>
> Fred New
> Systems administrator
> Elion Ettevõtted AS
> Tallinn, Estonia
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
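The two halves of the reply (label the script directory bin_t, then grant snmpd_t only the read access it still needs on /proc/mdstat) put together as one script. This is an added example, not code from either poster: the module name snmpd_mdstat, the file name it writes, and the exact allow rule are assumptions, and the rule deliberately lists only read/open/getattr/ioctl on proc_mdstat_t, with no execute permission and no usr_t at all, since the bin_t labelling already covers execution of the scripts. The semanage/restorecon/checkmodule/semodule steps are printed rather than run, so the script can be inspected on any host and the commands pasted in as root on the monitored server.

```shell
#!/bin/sh
# Added example (not from the thread): minimal SELinux policy for custom
# net-snmp scripts. Directory path is the one from the original question;
# module name and allow rule are assumptions, not the poster's own module.

SCRIPT_DIR="/usr/local/snmp/bin"

# Emit .te source for a module named $1 that lets snmpd_t read
# /proc/mdstat (proc_mdstat_t) and nothing else. No 'execute' or
# 'execute_no_trans' here: script execution is handled by labelling
# the directory bin_t, which is a type snmpd_t may already execute.
gen_te() {
  mod="${1:-snmpd_mdstat}"
  cat <<EOF
module ${mod} 1.0;

require {
        type snmpd_t;
        type proc_mdstat_t;
        class file { ioctl read open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { ioctl read open getattr };
EOF
}

# Print the labelling commands from the reply. The fcontext regex is
# double-quoted so the shell does not try to glob "(/.*)?".
gen_label_cmds() {
  dir="${1:-$SCRIPT_DIR}"
  printf 'semanage fcontext -a -t bin_t "%s(/.*)?"\n' "$dir"
  printf 'restorecon -R -v %s\n' "$dir"
}

# Guard: fail if the generated source grants any execute permission.
te_has_no_execute() {
  ! gen_te "$1" | grep -q 'execute'
}

# Write the module source to <mod>.te and print the build/install steps
# (checkmodule/semodule_package/semodule are the usual loadable-module
# tools; they are printed, not executed, so this runs on any host).
build_steps() {
  mod="${1:-snmpd_mdstat}"
  gen_te "$mod" > "${mod}.te"
  printf 'checkmodule -M -m -o %s.mod %s.te\n' "$mod" "$mod"
  printf 'semodule_package -o %s.pp -m %s.mod\n' "$mod" "$mod"
  printf 'semodule -i %s.pp\n' "$mod"
}

# Stand-alone run: show the labelling commands, then the module and steps.
if [ "${1:-}" = "--show" ]; then
  gen_label_cmds
  gen_te snmpd_mdstat
  build_steps snmpd_mdstat
fi
```

After loading the module, `ls -Z /usr/local/snmp/bin` should show bin_t on the scripts and a second run of the scripts through snmpd should produce no new AVC denials; if audit2allow still proposes an execute rule on usr_t, the restorecon step was skipped or a script lives outside the labelled directory.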