
Setting up UPS on CentOS 5.2 with SELinux, part 2


In the previous post I described how to set up monitoring of UPS battery status with Network UPS Tools so that your computer can shut down gracefully in case of power loss. At the end we configured a CGI script to allow checking the UPS status via a web browser. Unfortunately this didn’t work very well because of a missing SELinux policy. This post explains how to install the required policy module.

Step one: Define the policy module

To define the policy module for the NUT CGI, create a text file nutcgi.te with the following content:

module nutcgi 1.0.8;

# Every type and class listed here must exist in the loaded policy, or the
# module will not install. The rules below reference only httpd_t,
# httpd_sys_script_t, httpd_sys_script_exec_t, port_t and unlabeled_t.
require {
	type unlabeled_t;
	type xend_var_log_t;
	type httpd_sys_script_exec_t;
	type default_t;
	type procmail_t;
	type ping_t;
	type httpd_t;
	type httpd_sys_script_t;
	type port_t;
	class tcp_socket { write name_connect connect shutdown read create };
	class lnk_file { read getattr };
	class file append;
	class dir search;
	class packet { recv send };
}

#============= httpd_sys_script_t ==============
# Allow CGI scripts to connect to TCP ports labelled port_t (ports with no more
# specific label). This applies to every script running as httpd_sys_script_t,
# not only upsstats.cgi.
# src="httpd_sys_script_t" tgt="port_t" class="tcp_socket", perms="name_connect"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t port_t:tcp_socket name_connect;
# Allow CGI scripts to create and use their own TCP sockets.
# src="httpd_sys_script_t" tgt="httpd_sys_script_t" class="tcp_socket", perms="{ write read create connect shutdown }"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t self:tcp_socket { write read create connect shutdown };
# Allow CGI scripts to send and receive unlabeled network packets.
# src="httpd_sys_script_t" tgt="unlabeled_t" class="packet", perms="{ recv send }"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t unlabeled_t:packet { recv send };

#============= httpd_t ==============
# Allow httpd to read symbolic links labelled httpd_sys_script_exec_t.
# src="httpd_t" tgt="httpd_sys_script_exec_t" class="lnk_file", perms="{ read getattr }"
# comm="httpd" exe="" path=""
allow httpd_t httpd_sys_script_exec_t:lnk_file { read getattr };

Save the file somewhere.

Step two: Compile the policy module

Execute the command:

checkmodule -M -m nutcgi.te -o nutcgi.mod

This will generate a binary file representing the policy module.

Step three: Create a SELinux policy module package

Execute the command:

semodule_package -o nutcgi.pp -m nutcgi.mod

This will create a SELinux policy module package which can then be installed.

Step four: Install the SELinux policy module package

Execute the command:

semodule -i nutcgi.pp

Now the policy module is installed. Refresh the UPS status page in your web browser: http://localhost/cgi-bin/upsstats.cgi

UPS status in web browser after installing SELinux policy module

You can also verify that access to this web page from other machines works as intended. SELinux policy module installation is persistent – you don’t have to do it again if the system reboots.
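
Allow rules like those in nutcgi.te are derived from AVC denial records in the audit log. The following is an added example, not part of the original post: it parses such records, keeps only the denials raised by upsstats.cgi and merges them into module source covering a subset of the rules from step one. The log lines are constructed sample data and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the post), shaped like denials behind nutcgi.te.
# The last line is an unrelated procmail denial that must not leak into the module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1230000000.101:41): avc:  denied  { name_connect } for  pid=2101 comm="upsstats.cgi" dest=3493 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1230000000.102:42): avc:  denied  { create } for  pid=2101 comm="upsstats.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
type=AVC msg=audit(1230000000.103:43): avc:  denied  { connect } for  pid=2101 comm="upsstats.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
type=AVC msg=audit(1230000000.104:44): avc:  denied  { send } for  pid=2101 comm="upsstats.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1230000000.105:45): avc:  denied  { search } for  pid=1999 comm="procmail" name="mail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def rules_for(log_text, comm):
    """Merge the denials of one command into {(source, target, class): perms}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # skip non-AVC lines and denials from other programs
        src, tgt = type_of(m.group("src")), type_of(m.group("tgt"))
        key = (src, "self" if tgt == src else tgt, m.group("cls"))
        merged[key].update(m.group("perms").split())
    return merged

def render_module(name, version, merged):
    """Emit module source whose require block lists only what the rules use."""
    types = sorted({x for s, t, _ in merged for x in (s, t) if x != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_module("nutcgi", "1.0.8", rules_for(SAMPLE_AUDIT_LOG, "upsstats.cgi")))
```

Filtering on the command name keeps denials from unrelated programs out of the module, so the require block names only the types the rules actually need.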
