Added SELinux module draft

Added SELinux module draft - to use the plugin in Enforcing mode
pull/1452/head
Christian Stankowic 2016-05-28 00:18:18 +02:00
parent e01cd8ab03
commit c305e76ff9
2 changed files with 53 additions and 0 deletions


@ -25,6 +25,23 @@ following steps:
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
SELinux Notes:
If you're using SELinux in Enforcing mode, you will need to create a SELinux module - otherwise the check will abort with the typical "NRPE: Unable to read output" error.
An SELinux module draft is part of this folder, you only need to compile and install it:
```
# checkmodule -M -m -o nrpe_fail2ban.mod nrpe_fail2ban.te
# semodule_package -o nrpe_fail2ban.pp -m nrpe_fail2ban.mod
# semodule -i nrpe_fail2ban.pp
```
After installation, ensure that the module is loaded:
```
# semodule -l | grep nrpe
nrpe_fail2ban 1.0
```
Notes (from f2ban.txt) Notes (from f2ban.txt)
----- -----
It seems that Fail2ban is currently not working, please login and check It seems that Fail2ban is currently not working, please login and check


@ -0,0 +1,36 @@
module nrpe_fail2ban 1.0;
require {
type admin_home_t;
type nrpe_t;
class unix_dgram_socket sendto;
class file execute;
class file getattr;
class file { read getattr open };
class file execute_no_trans;
type fail2ban_client_exec_t;
class file { ioctl getattr };
class file { read open };
class file execute_no_trans;
type fail2ban_var_run_t;
class sock_file write;
class file ioctl;
type fail2ban_t;
class unix_stream_socket connectto;
}
#============= nrpe_t ==============
allow nrpe_t admin_home_t:file execute;
allow nrpe_t self:unix_dgram_socket sendto;
allow nrpe_t admin_home_t:file getattr;
allow nrpe_t admin_home_t:file { read open };
allow nrpe_t admin_home_t:file execute_no_trans;
allow nrpe_t admin_home_t:file ioctl;
allow nrpe_t fail2ban_client_exec_t:file getattr;
allow nrpe_t fail2ban_client_exec_t:file execute;
allow nrpe_t fail2ban_client_exec_t:file { read open };
allow nrpe_t fail2ban_client_exec_t:file execute_no_trans;
allow nrpe_t fail2ban_client_exec_t:file ioctl;
allow nrpe_t fail2ban_var_run_t:sock_file write;
allow nrpe_t fail2ban_t:unix_stream_socket connectto;
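Review bot: The six `admin_home_t` rules under `#============= nrpe_t` let the confined NRPE daemon read and execute any file labelled admin_home_t — in the stock policy that is everything under /root — which is far broader than one monitoring check needs and looks like an artefact of running audit2allow while the plugin still lived in root's home. I would move the check script into the distribution's Nagios plugin directory (where it picks up an executable plugin type) and drop `allow nrpe_t admin_home_t:file execute;`, `allow nrpe_t admin_home_t:file execute_no_trans;` and the four companion admin_home_t rules, keeping only the fail2ban_client_exec_t, fail2ban_var_run_t and fail2ban_t rules the check actually exercises. Note also that `execute_no_trans` keeps fail2ban-client inside nrpe_t and the final `connectto` rule then gives nrpe_t direct access to fail2ban's control socket, so presumably any fail2ban-client command, not just a status query, becomes reachable from the monitoring side; a comment such as `# fail2ban-client runs inside nrpe_t (no domain transition) and nrpe_t may talk to the fail2ban control socket directly — keep NRPE's accepted plugin arguments tight` would make that trade-off explicit. The `require` block repeats `class file execute_no_trans` and lists overlapping `class file { ... }` sets, apparently several audit2allow outputs concatenated; collapsing them to `class file { ioctl read getattr open execute execute_no_trans };` keeps the module readable.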