Rrdcache on RHEL 8

Hello all,

Hopefully this will prove useful to somebody. I’ve recently migrated my LibreNMS install to RHEL 8 as the Ubuntu server it was on was very much life expired. I’m trying to keep SELinux enabled, and it all works except for rrdcached.

The rrdcached module in the docs for CentOS 7/8 (which should be analogous to RHEL 8) doesn’t work, as it’s missing a couple of bits for Apache. So here’s the module file I used:

module rrdcached_librenms 1.0;

require {
        type var_run_t;
        type tmp_t;
        type httpd_t;
        type rrdcached_t;
        type httpd_sys_rw_content_t;
        type usr_t;
        class dir { add_name getattr open read remove_name rmdir search write };
        class file { create getattr open read rename setattr unlink write };
        class sock_file { create setattr unlink write };
        class capability { fsetid sys_resource };
        class unix_stream_socket connectto;
}

#============= rrdcached_t ==============

allow rrdcached_t httpd_sys_rw_content_t:dir { add_name getattr remove_name search write };
allow rrdcached_t httpd_sys_rw_content_t:file { create getattr open read rename setattr unlink write };
allow rrdcached_t self:capability fsetid;
allow rrdcached_t var_run_t:sock_file { create setattr unlink };
allow rrdcached_t usr_t:file write;
allow httpd_t var_run_t:sock_file write;
allow httpd_t rrdcached_t:unix_stream_socket connectto;

It seems (to me) that Apache needed to talk to the socket. Little perplexed why it needed to write to usr_t, maybe somebody can explain that (the rrdcached command is per the docs).

Anyway, hope this is useful.

Hi,

Thanks for your feedback!
Can you run sudo grep usr_t /var/log/audit/audit.log so we can understand what file is labeled usr_t and written by rrdcached?

Thanks for the reply. I’ve had a look at the audit log, and there’s a lot of lines, so here’s a short snip of the last few:

type=AVC msg=audit(1709199101.213:1291503): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf-ntp.rrd" dev="dm-1" ino=74789364 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199101.215:1291504): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf-loadbalancers.rrd" dev="dm-1" ino=74789247 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199101.215:1291505): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf-toner.rrd" dev="dm-1" ino=74789344 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199101.215:1291506): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf-cisco-sla.rrd" dev="dm-1" ino=74789351 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199101.216:1291507): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf.rrd" dev="dm-1" ino=74789373 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0

Those files are all in the /opt/librenms/rrd/ directory structure as usual. No symlinks or other oddities going on, it’s all in /opt proper.

I’m guessing the usr_t label (is that right?) is referencing something? My SELinux understanding is a bit simplistic.

Can you confirm the label on this folder with ls -lZ /opt/librenms/rrd?
It should be httpd_sys_rw_content_t (see Installation).
If it is usr_t instead, you can fix it with semanage / restorecon commands in the install documentation.

is that right?

It’s t for type, but yes it is a label on the file

My SELinux understanding is a bit simplistic

It’s (almost) as simple as:

  • files and folders have labels
  • policies allow source labels to access destination labels for a specific operation (read, write)

If you have an issue, either you need to change the policy, or you need to change the label of the source or destination file.
Here, it might be the destination file label that we need to change instead of the policy.
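A small triage script in the spirit of audit2allow, added here as an example and not part of the thread or of LibreNMS: it parses AVC lines like the ones quoted above and separates denials whose target label is not the one the LibreNMS docs expect (a relabel problem, fixed with restorecon) from denials that genuinely need an allow rule. The sample log lines are constructed for the example; the httpd_sys_rw_content_t expectation is taken from this thread.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the thread's audit.log snippet: a write denied on a usr_t
# file, a map denied on a correctly labeled file, and httpd denied connecting to the socket.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1709199101.213:1291503): avc:  denied  { write } for  pid=3477595 comm="rrdcached" name="poller-perf-ntp.rrd" dev="dm-1" ino=74789364 scontext=system_u:system_r:rrdcached_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199102.001:1291508): avc:  denied  { map } for  pid=3477595 comm="rrdcached" name="poller-perf.rrd" dev="dm-1" ino=74789373 scontext=system_u:system_r:rrdcached_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709199103.500:1291509): avc:  denied  { connectto } for  pid=3477600 comm="httpd" path="/run/rrdcached.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:rrdcached_t:s0 tclass=unix_stream_socket permissive=0
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)
# Label the LibreNMS docs say rrdcached's RRD files and directories should carry.
EXPECTED = {("rrdcached_t", "file"): "httpd_sys_rw_content_t",
            ("rrdcached_t", "dir"): "httpd_sys_rw_content_t"}

def parse_avc(line):
    """Extract permissions, source type, target type and object class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = frozenset(d["perms"].split())
    return d

def triage(log_text):
    """Split denials into label mistakes (fix with restorecon) and genuine policy gaps."""
    relabel, gaps = [], defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        want = EXPECTED.get((d["stype"], d["tclass"]))
        if want and d["ttype"] != want:
            relabel.append((d["ttype"], want))  # wrong label: an allow rule would only paper over it
        else:
            gaps[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return relabel, gaps

def allow_rules(gaps):
    """Render the genuine gaps as .te allow statements, one per (source, target, class)."""
    lines = []
    for (s, t, c), perms in sorted(gaps.items()):
        p = " ".join(sorted(perms))
        lines.append("allow %s %s:%s %s;" % (s, t, c, p if len(perms) == 1 else "{ " + p + " }"))
    return lines
```

Run against a real log with triage(open("/var/log/audit/audit.log").read()); anything in the relabel list points at files to restorecon rather than rules to add.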

Yes, they’re all tagged as usr_t. I possibly know why - those rrds were copied over from the old server, and I probably forgot to re-run the semanage commands over them. D’oh! I used rsync to do it so it could’ve likely copied the wrong labels.

So having rectified the file labels, I modded the config and reloaded it, which broke it again, as it wants ‘map’ on files. Then the poller ran and it wanted lock. So I’ve amended all of that now.

It now looks like this:

module rrdcached_librenms 1.0;

require {
        type var_run_t;
        type tmp_t;
        type httpd_t;
        type rrdcached_t;
        type httpd_sys_rw_content_t;
        class dir { add_name getattr open read remove_name rmdir search write };
        class file { create getattr open read rename setattr unlink write map lock };
        class sock_file { create setattr unlink write };
        class capability { fsetid sys_resource };
        class unix_stream_socket connectto;
}

#============= rrdcached_t ==============

allow rrdcached_t httpd_sys_rw_content_t:dir { add_name getattr remove_name search write };
allow rrdcached_t httpd_sys_rw_content_t:file { create getattr open read rename setattr unlink write map lock };
allow rrdcached_t self:capability fsetid;
allow rrdcached_t var_run_t:sock_file { create setattr unlink };
allow httpd_t var_run_t:sock_file write;
allow httpd_t rrdcached_t:unix_stream_socket connectto;

This makes more sense to me. I’ve also been looking at the audit2allow command which is VERY useful for fixing some other unrelated issues.

Thanks for your help on this. :slight_smile:


Nice! You can edit RRDCached - LibreNMS Docs then and click the pen top right to edit this page of the documentation, by adding the map verb to the policy.


OK, done that now. Hopefully it’s useful to somebody.

Thanks for the guidance.
