Description
I set up Redis 8.4 replication with Sentinel and service registration with HashiCorp Consul on an Oracle EL10.1 server stack. In order to re-register the redis service with Consul after failover I needed to reload the consul service, which can be done with the Redis Sentinel client-reconfig-script option. Here's the simple script:
#!/bin/bash
sudo systemctl reload consul.service
That option was added in sudoers:
Cmnd_Alias CONSUL_SERVICE = /usr/bin/systemctl reload consul.service
redis ALL=NOPASSWD: CONSUL_SERVICE
After testing this configuration with SELinux in enforcing mode I've ended up with this SELinux policy:
module my-redisserver 1.0;
require {
type redis_conf_t;
type redis_t;
type sudo_exec_t;
type system_dbusd_t;
type system_dbusd_var_run_t;
type systemd_systemctl_exec_t;
type systemd_logind_t;
type systemd_unit_file_t;
type chkpwd_exec_t;
type shadow_t;
type init_t;
class lnk_file read;
class sock_file write;
class dbus send_msg;
class service { reload status };
class capability { audit_write setgid setuid sys_resource dac_read_search };
class netlink_audit_socket { create nlmsg_relay };
class file { execute execute_no_trans getattr map open read };
}
#============= redis_t ==============
allow redis_t redis_conf_t:lnk_file read;
allow redis_t redis_conf_t:file { execute execute_no_trans };
allow redis_t sudo_exec_t:file { execute execute_no_trans getattr open read };
allow redis_t self:capability { audit_write setgid setuid sys_resource dac_read_search };
allow redis_t self:netlink_audit_socket { create nlmsg_relay };
allow redis_t system_dbusd_var_run_t:sock_file write;
allow redis_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr map open read };
allow redis_t sudo_exec_t:file map;
allow redis_t chkpwd_exec_t:file { execute execute_no_trans map open read };
allow redis_t shadow_t:file { getattr open read };
allow redis_t init_t:lnk_file read;
allow redis_t system_dbusd_t:dbus send_msg;
allow redis_t systemd_logind_t:dbus send_msg;
allow redis_t systemd_unit_file_t:service { reload status };
and the systemd unit file:
[Unit]
Description=Redis Sentinel
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=/usr/bin/redis-sentinel /etc/redis/sentinel.conf --daemonize no --supervised systemd
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
# If you need to change max open file limit
# for example, when you change maxclient in configuration
# you can change the LimitNOFILE value below.
# See "man systemd.exec" for more information.
LimitNOFILE=10240
# Slave nodes on large system may take lot of time to start.
# You may need to uncomment TimeoutStartSec and TimeoutStopSec
# directives below and raise their value.
# See "man systemd.service" for more information.
#TimeoutStartSec=90s
#TimeoutStopSec=90s
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
[Install]
WantedBy=multi-user.target
But SELinux still blocks the execution of the sudo command (/var/log/messages):
Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: PAM account management error: Permission denied
Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: unable to send audit message: Permission denied
Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: a password is required
(/var/log/secure):
Jan 23 11:04:56 dm-ux02 sudo[6668]: PAM audit_log_acct_message() failed: Permission denied
Jan 23 11:04:56 dm-ux02 sudo[6668]: redis : PAM account management error: Permission denied ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl reload consul.service
The semanage permissive -a redis_t command does the trick (/var/log/messages):
Jan 23 11:08:10 dm-ux02 systemd[1]: Started session-c6.scope - Session c6 of User root.
Jan 23 11:08:10 dm-ux02 systemd[1]: Reloading consul.service - "HashiCorp Consul - A service mesh solution"...
Jan 23 11:08:10 dm-ux02 systemd[1]: Reloaded consul.service - "HashiCorp Consul - A service mesh solution".
Jan 23 11:08:10 dm-ux02 systemd[1]: session-c6.scope: Deactivated successfully.
(/var/log/secure):
Jan 23 11:08:10 dm-ux02 sudo[6704]: redis : PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl reload consul.service
Jan 23 11:08:10 dm-ux02 sudo[6704]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=986)
Jan 23 11:08:10 dm-ux02 sudo[6704]: pam_unix(sudo:session): session closed for user root
But the most disappointing thing of all is that the SELinux audit.log doesn't contain any error or denied-action entries:
type=DAEMON_ROTATE msg=audit(1769155343.269:9673): op=rotate-logs auid=0 uid=0 ses=4294967295 pid=6655 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success AUID="root" UID="root"
type=USER_MAC_POLICY_LOAD msg=audit(1769155416.691:283): pid=1135 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=load_policy lsm=selinux seqno=3 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_STOP msg=audit(1769155593.979:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=redis comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=MAC_POLICY_LOAD msg=audit(1769155654.604:285): auid=0 ses=1 lsm=selinux res=1 AUID="root"
type=SYSCALL msg=audit(1769155654.604:285): arch=c000003e syscall=1 success=yes exit=3379288 a0=4 a1=7f548d4c6010 a2=339058 a3=0 items=0 ppid=6688 pid=6692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1769155654.604:285): proctitle="/sbin/load_policy"
type=USER_MAC_POLICY_LOAD msg=audit(1769155662.702:286): pid=1135 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=load_policy lsm=selinux seqno=4 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_START msg=audit(1769155662.807:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=redis comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=USER_ACCT msg=audit(1769155690.376:288): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155690.380:289): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155690.381:290): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155690.427:291): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155690.499:292): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155690.500:293): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_ACCT msg=audit(1769155694.056:294): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155694.060:295): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155694.061:296): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155694.107:297): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155694.173:298): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155694.173:299): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=SERVICE_START msg=audit(1769155696.128:300): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1769155696.128:301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=USER_ACCT msg=audit(1769155707.085:302): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155707.089:303): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155707.090:304): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155707.145:305): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155707.224:306): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155707.225:307): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
I'd like to complete the fine-grained configuration of the SELinux policy, so I would appreciate any advice for further setup.
I've attached a zip with all the mentioned config and log files.
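The audit records above show that sudo runs inside the redis_t domain itself (subj=system_u:system_r:redis_t:s0 on every sudo record, since the base policy has no domain transition from redis_t through sudo_exec_t), so every check sudo and its PAM stack perform is evaluated against redis_t. That is also why the policy in the report has to grant redis_t read on shadow_t and the setuid/setgid/audit_write capabilities, which is far more than a cache domain normally holds and is worth keeping in mind as the risk of this design. When an action is refused in enforcing mode but audit.log carries no AVC, the usual reason is a dontaudit rule in the base policy silencing exactly that denial; semodule -DB rebuilds the policy with dontaudit rules disabled so the denial becomes visible. The helpers below are an added example, not part of the issue or of Redis; the sample audit records are constructed (the AVC line is a made-up illustration of what a silenced redis_t -> shadow_t denial would look like), and the real-system commands are given only as comments because they need root and a live SELinux policy.

```shell
#!/bin/sh
# Added triage helpers for "the action is blocked but audit.log shows no AVC".
# Real-system procedure (needs root; not run by this script):
#   semodule -DB                                   # disable dontaudit rules, rebuild policy
#   ... reproduce the failover / run the client-reconfig-script ...
#   ausearch -m AVC,USER_AVC -ts recent | audit_denials
#   ausearch -m AVC,USER_AVC -ts recent | audit2allow   # review proposed rules by hand
#   semodule -B                                    # re-enable dontaudit rules afterwards

# Decode the hex-encoded cmd= field of a USER_CMD record. auditd hex-encodes
# the field whenever it contains characters such as spaces, which is why the
# command in the report appears as 7379737465... instead of plain text.
decode_audit_hex() {
    hex=$1
    out=""
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                        # first two hex digits
        hex=${hex#??}                                  # drop them
        out="$out$(printf '\\0%03o' "$((0x$pair))")"   # byte as a \0ooo escape
    done
    printf '%b' "$out"                                 # %b expands the escapes
}

# Records that mean "something was refused": kernel AVC denials, userspace
# AVC denials raised by dbus-broker/systemd, SELinux errors, and any PAM or
# sudo record that ended with res=failed. Everything else (res=success,
# policy loads, service start/stop) is noise for this question.
DENIAL_RE='type=(USER_)?AVC .*denied|type=SELINUX_ERR|res=failed'

audit_denials() {
    grep -E "$DENIAL_RE" "$@"
}

count_denials() {
    grep -cE "$DENIAL_RE" "$@" || true   # grep -c prints 0 and exits 1 on no match
}

# Reduce an AVC record to "source -> target class { permissions }".
avc_summary() {
    sed -nE 's/.*denied *\{([^}]*)\}.*scontext=([^ ]+).*tcontext=([^ ]+).*tclass=([^ ]+).*/\2 -> \3 \4 {\1}/p' "$@"
}

# Constructed sample records (not from the issue's attached logs). Line 1
# mirrors the successful USER_ACCT in the report; line 2 is what a PAM
# failure looks like; line 3 is an invented AVC for a redis_t process
# reading /etc/shadow, the access the reported policy had to allow for sudo.
SAMPLE_LOG=$(cat <<'EOF'
type=USER_ACCT msg=audit(1769155690.376:288): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1769155496.000:270): pid=6668 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=? acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1769155496.000:269): avc:  denied  { read } for  pid=6668 comm="sudo" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
)

main() {
    echo "cmd field decodes to: $(decode_audit_hex 73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365)"
    echo "denial records in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_denials)"
    printf '%s\n' "$SAMPLE_LOG" | avc_summary
}

# Only run the demo when executed directly, not when sourced for the functions.
[ "${0##*/}" = "audit_triage.sh" ] && main
```

Pipe real ausearch output through audit_denials after semodule -DB; if the only new records are the expected USER_ACCT/USER_CMD successes, the refusal is not an SELinux denial at all and the PAM or sudoers side should be checked instead. Apply audit2allow's suggestions only after reading them, since it will happily propose the broad shadow_t and capability rules already in the report.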