On Tue 2011-12-20 at 11:59 AM, Dominick Grift wrote:
>
> On Tue, 2011-12-20 at 10:57 +0200, Frederick William New wrote:
> > Hi,
> >
> > Is there a recommended way of setting up custom SNMP (net-snmp) scripts
> > used for monitoring the status of software or hardware RAID, Web site
> > hits, etc.? I created a special directory for them -
> > /usr/local/snmp/bin/, and then let sealert and audit2allow tell me what to
> > do. My snmpScripts.te on a server with software RAID looks like this:
>
> I would probably label /usr/local/snmp/bin/ and anything below type
> bin_t. This will at least stop snmpd_t from executing generic usr files.
>
> Example:
>
> semanage fcontext -a -t bin_t "/usr/local/snmp/bin(/.*)?"
> restorecon -R -v /usr/local/snmp/bin
>
> Besides that I guess you would need to allow snmpd_t to
> read /proc/mdstat files but you can use audit2allow for that as you did
> below.
>

Thanks, I like it. My snmpScripts.te looks simpler now:

module snmpScripts 1.0;

require {
	type snmpd_t;
	type proc_mdstat_t;
	class file { read ioctl open getattr };
}

#============= snmpd_t ==============
allow snmpd_t proc_mdstat_t:file { read ioctl open getattr };

I notice that I failed to include all of my previous snmpScripts.te. Two allow
lines at the bottom were missing - one for usr_t as you mentioned above and
the one shown here for proc_mdstat_t.

Fred

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
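The thread's point is that a denial on generic usr_t files is a labeling problem (fix it with semanage fcontext -t bin_t), while the /proc/mdstat denial is a genuine policy gap that audit2allow can turn into the small snmpScripts.te above. The following added example (not code from the thread or from audit2allow) parses AVC denial lines, renders a module of the same shape as snmpScripts.te, and flags the usr_t execute denial as "relabel instead of allow". The audit lines and the script name raidcheck are constructed; the type names are the thread's.

```python
"""Added example: turn AVC denials into a minimal .te module and flag the
ones that should be fixed by relabeling to bin_t rather than by an allow
rule. The audit lines and the script name raidcheck are constructed."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?scontext=(?P<s>\S+)"
                    r".*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\w+)")
# Executing generic usr_t files from snmpd_t is a labeling problem, not a
# policy gap: the fix is semanage fcontext -t bin_t on the script directory.
RELABEL_INSTEAD = {("usr_t", "file", "execute"), ("usr_t", "file", "execute_no_trans")}

def parse_avc(lines):
    """Map (source domain, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
            rules[key].update(m["perms"].split())
    return rules

def build_module(name, rules):
    """Render a .te module like snmpScripts.te; return (text, relabel hints)."""
    hints, kept, classes = [], {}, defaultdict(set)
    for (sdom, ttype, cls), perms in rules.items():
        flagged = {p for p in perms if (ttype, cls, p) in RELABEL_INSTEAD}
        if flagged:
            hints.append(f"{sdom} {ttype}:{cls} {{ {' '.join(sorted(flagged))} }}:"
                         " relabel the scripts bin_t instead of allowing this")
        if perms - flagged:
            kept[(sdom, ttype, cls)] = perms - flagged
            classes[cls].update(perms - flagged)
    types = sorted({t for k in kept for t in k[:2]})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdom, ttype, cls), perms in sorted(kept.items()):
        out.append(f"allow {sdom} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n", hints

SAMPLE_AVC = [  # constructed denials in audit.log format
    'type=AVC msg=audit(1324375140.1:1): avc:  denied  { execute } for  pid=1 comm="snmpd" '
    'name="raidcheck" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1324375140.2:2): avc:  denied  { read open } for  pid=2 comm="cat" '
    'path="/proc/mdstat" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file',
    'type=AVC msg=audit(1324375140.3:3): avc:  denied  { getattr ioctl } for  pid=2 comm="cat" '
    'path="/proc/mdstat" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file',
]
```

Calling build_module("snmpScripts", parse_avc(SAMPLE_AVC)) yields only the proc_mdstat_t allow rule plus one hint pointing at the bin_t relabel for the usr_t execute denial.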