olivetalks » SELinux

Setting up UPS on CentOS 5.2 with SELinux, part 2

ZoltarStark — Sat, 21 Feb 2009 06:00:10 +0000

In the previous post I have described how to setup monitoring of UPS battery status with Network UPS Tools so your computer can shut down gracefully in case of power loss. At the end we configured a CGI script to allow checking the UPS status via a web browser. Unfortunately this didn’t work very well because of a missing SELinux policy. This post will explain how to install the required policy module.

Step one: Define the policy module

To define the policy module for nut CGI create a text file nutcgi.te with the following content:

module nutcgi 1.0.8;

require {
type unlabeled_t;
type xend_var_log_t;
type httpd_sys_script_exec_t;
type default_t;
type procmail_t;
type ping_t;
type httpd_t;
type httpd_sys_script_t;
type port_t;
class tcp_socket { write name_connect connect shutdown read create };
class lnk_file { read getattr };
class file append;
class dir search;
class packet { recv send };
}

#============= httpd_sys_script_t ==============
# src="httpd_sys_script_t" tgt="port_t" class="tcp_socket", perms="name_connect"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t port_t:tcp_socket name_connect;
# src="httpd_sys_script_t" tgt="httpd_sys_script_t" class="tcp_socket", perms="{ write read create connect shutdown }"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t self:tcp_socket { write read create connect shutdown };
# src="httpd_sys_script_t" tgt="unlabeled_t" class="packet", perms="{ recv send }"
# comm="upsstats.cgi" exe="" path=""
allow httpd_sys_script_t unlabeled_t:packet { recv send };

#============= httpd_t ==============
# src="httpd_t" tgt="httpd_sys_script_exec_t" class="lnk_file", perms="{ read getattr }"
# comm="httpd" exe="" path=""
allow httpd_t httpd_sys_script_exec_t:lnk_file { read getattr };

Save the file somewhere.

Step two : Compile the policy module

Execute the command:

checkmodule -M -m nutcgi.te -o nutcgi.mod

This will generate a binary file representing the policy module.

Step three: Create a SELinux policy module package

Execute the command:

semodule_package -o nutcgi.pp -m nutcgi.mod

This will create a SELinux policy module package which can then be installed.

Step four: Install the SELinux policy module package

Execute the command:

semodule -i nutcgi.pp

Now the policy module is installed. You can refresh the web page with UPS status in your web browser http://localhost/cgi-bin/upsstats.cgi

You can also verify that access to this web page from other machines works as intended. SELinux policy module installation is persistent – you don’t have to do it again if the system reboots.

Setting up UPS on CentOS 5.2 with SELinux, part 1

ZoltarStark — Thu, 19 Feb 2009 07:00:57 +0000

My home fileserver is connected to a UPS in order to be able to shut down properly when there’s a problem with the electricity supply. Of course, just connecting a computer to a UPS won’t help if the power is cut off for more than a few minutes since the machine won’t turn itself off before the battery runs out of juice. To guarantee that the OS is aware of the current state of the battery some software needs to be installed and configured. I use for that purpose Network UPS Tools. If your system is running with SELinux enabled and you want to enable checking of the UPS via a web browser then you also need to install an appropriate SELinux policy module.

Let’s start with the installation.

First things first – make sure the UPS is running and connected to the computer. Both power and a serial cable of some kind should be connected. The serial connection can be either via RS-232 or USB.

To install the software execute the following command:

# yum install nut nut-client nut-cgi

or if you’re running a 64 bit OS and don’t want 32-bit packages to be installed:

# yum install nut nut-client.x86_64 nut-cgi

Next step: Basic configuration

After the software is installed we need to configure it. Fire up your favourite text editor and open these files:

/etc/ups/ups.conf
/etc/ups/upsd.users
/etc/ups/upsmon.conf
/etc/ups/hosts.conf (only if you have installed nut-cgi)

In /etc/ups/ups.conf add at the end the following section:

user = nut # execute the UPS driver as user nut - otherwise the upsd program won't be able to connect to the device

[pw3105]              # name of the UPS device
driver = bcmxcp_usb # driver used to access the UPS device
port = auto         # serial port where the UPS is connected, bcmxcp_usb driver allows to enter 'auto' here
shutdown_delay = 0    # additional parameter supported by bcmxcp_usb driver, see 'man bcmxcp_usb'

The comments explain what is the purpose of each line. More details can be found in man page for ups.conf. The actual name of the UPS device and parameters for it depend on the UPS model you’re using. I have Powerware 3105 UPS which uses the bcmxcp_usb driver.

Second file to edit is /etc/ups/upsd.users where you should append these lines:

[server]                 # create a user 'server'
password = ups             # with password 'ups'
allowfrom = localhost      # allowing access only from this machine
instcmds = ALL             # user can execute all instant commands
upsmon master            # add actions necessary for a 'upsmon' process to work

Again the purpose of each line is explained in the comments. More information as usual in man page for upsd.users.

If you use different values in /etc/ups/upsd.users you have to make sure that you’ll use the same values also in the next file we’re going to edit, which is /etc/ups/upsmon.conf. Here add these lines at the end:

FINALDELAY 0                                     # don't wait before shutting down, allowed values depend on the UPS model
RUN_AS_USER nut                                  # don't run as root to avoid security issues
MONITOR pw3105@localhost 1 server ups master     # which UPS to monitor

The last line requires a bit of explanation:

pw3105@localhost is the identifier of the UPS we want to monitor. pw3105 is the same name we have used before in /etc/ups/ups.conf so make sure it matches. @localhost indicates that we’re monitoring a UPS connected directly to the machine on which upsmon program is running. upsmon can also monitor UPSes connected to other machines on the network.
1 indicates that this particular UPS feeds 1 power supply on this system. That’s the usual value for this parameter.
server and ups are the user name and password we have defined previously in /etc/ups/upsd.users
master indicates relationship with upsd daemon and again must match what is defined in /etc/ups/upsd.users

More explanations can be found in man page for upsmon.conf.

After these modifications verify the permissions and ownership of the configuration files matches this:

# ll /etc/ups/ups.conf /etc/ups/upsd.users /etc/ups/upsmon.conf
-rw-r----- 1 root nut 3735 Jan 22 00:33 /etc/ups/ups.conf
-rw-r----- 1 root nut 2307 Jan 22 00:08 /etc/ups/upsd.users
-rw-r----- 1 root nut 11194 Jan 22 00:09 /etc/ups/upsmon.conf

and then you can start the software:

# service ups start

You should see this output:

Starting UPS driver controller: [ OK ]
Starting upsd: [ OK ]
Starting UPS monitor (master): [ OK ]

And make sure that UPS software will start automatically after system reboots:

# chkconfig nut on

Verify that the UPS is accessible by executing:

# upsc pw3105@localhost

which should print something like this:

driver.name: bcmxcp_usb
driver.parameter.pollinterval: 2
driver.parameter.port: auto
driver.parameter.shutdown_delay: 0
driver.version: 2.2.0-
driver.version.internal: 0.11
output.phases: 1
ups.alarm:
ups.firmware: Cont:00.80 Inve:00.60
ups.model: POWERWARE UPS 500VA
ups.power.nominal: 500
ups.serial:
ups.status: OL
ups.voltage.nominal: 230

The actual values depend on the UPS model.

At this point the system is configured to automatically shut down when the UPS will indicate that the battery is low on power. You should test this scenario on your system to make sure that it will work when you really need it.

Last step: Configure web access to upsmon

The last step is to configure monitoring of UPS status via a web browser. We have already installed nut-cgi package which contains the necessary CGI scripts. This package includes a file /var/www/nut-cgi-bin/upsstats.cgi which you should copy to /var/www/cgi-bin/ directory:

# cp /var/www/nut-cgi-bin/upsstats.cgi /var/www/cgi-bin/

After that modify file /etc/ups/hosts.conf by appending this line:

MONITOR pw3105@localhost "Local UPS"

As before pw3105@localhost is the name of UPS to monitor. “Local UPS” defines the name which will appear in the web page.

Now start your web server if it’s not running yet and (optionally) configure the firewall to allow access to port 80 from other machines.

You can now check status of the UPS via a web browser by typing the following in the address bar http://localhost/cgi-bin/upsstats.cgi

Unfortunately if you’re running with SELinux enabled then you won’t see much:

The reason for this is a missing SELinux policy module. Because of that you’ll see errors in /var/log/audit/audit.log and the web page won’t provide any useful information. How to install the missing SELinux policy module? This will be described in the follow up post coming soon.

olivetalks » SELinux

Setting up UPS on CentOS 5.2 with SELinux, part 2

Related post(s)

Setting up UPS on CentOS 5.2 with SELinux, part 1

Related post(s)