nagios and selinux?

Arno Lehmann al at its-lehmann.de
Thu Jan 25 22:57:41 CET 2007


Hi,

On 1/25/2007 10:44 PM, Petersen, Mark wrote:
> Can you move the cgi's (or possibly hardlink them) to someplace that
> apache will let them run (say /var/www/nagios2/cgi-bin)?  Otherwise you
> might need some sort of a compile option to just install them there.
> Someone more familiar with the build process might be able to help here.

That would not help, given a tightly locked SELinux system, I believe.

> There are also ways to hack apache (may require recompile) to allow this,
> but I'm under the impression from these two posts that SELinux would
> disallow those changes to take effect?

The point is to configure SELinux to allow whatever is necessary. This 
will not only be apache and the cgis, but also the monitoring plugins 
and, of course, nagios itself.

I've never used SELinux, but AFAIK you can run a system, log all the 
activities, review that log to make sure everything is ok, and convert 
that into a ruleset which allows just what you observed.

This will not work where programs do things that were never observed. 
Just think about event handler scripts that never got triggered in your 
observation phase.

In short, you will need someone who actually knows that SELinux stuff 
and has access to the machine in question. A security oriented person 
would hopefully never install SELinux rules on such a machine that he 
did not review or even create himself.

Sounds like that server's admin :-)

Arno

> 
> -----Original Message-----
> From: nagios-users-bounces at lists.sourceforge.net
> [mailto:nagios-users-bounces at lists.sourceforge.net] On Behalf Of
> Jiann-Ming Su
> Sent: Thursday, January 25, 2007 2:27 PM
> To: nagios-users at lists.sourceforge.net
> Subject: [Nagios-users] nagios and selinux?
> 
> What's the proper way to configure nagios and selinux to work
> together?  I've run into the same problem as described here:
> 
>  
> http://www.redhat.com/archives/fedora-list/2005-September/msg02007.html
> 
> Setting selinux to permissive got my test nagios going.  But, now I
> need to migrate to a production system with selinux set to enforcing
> and type set to targeted.  Thanks for any tips.
> 

-- 
IT-Service Lehmann                    al at its-lehmann.de
Arno Lehmann                  http://www.its-lehmann.de
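
The observe-then-convert workflow described in the message above, sketched as an added example that is not part of the original post: it groups AVC denial records into candidate allow rules for review, the way audit2allow-style tools do, and lists expected programs that left no record. The log lines, type names and the handler name `handle-event.sh` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1169762261.101:41): avc:  denied  { execute } for  pid=2301 comm="httpd" name="status.cgi" dev=sda1 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1169762261.105:42): avc:  denied  { read } for  pid=2301 comm="httpd" name="status.cgi" dev=sda1 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1169762300.550:57): avc:  denied  { write } for  pid=2310 comm="cmd.cgi" name="nagios.cmd" dev=sda1 ino=5120 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1169762300.550:57): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules, seen_by = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:            # SYSCALL and other record types are skipped
            continue
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        seen_by[key].add(m["comm"])   # remember which program triggered it
    return rules, seen_by

def to_policy(rules):
    """Render candidate allow rules for human review, one per grouped key."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def never_observed(expected_commands, seen_by):
    """Expected programs with no denial on record: they either needed nothing
    extra or never ran during observation, so the rules say nothing about them."""
    observed = set().union(*seen_by.values())
    return sorted(set(expected_commands) - observed)

if __name__ == "__main__":
    rules, seen_by = collect_denials(SAMPLE_LOG)
    print("\n".join(to_policy(rules)))
    # handle-event.sh is a hypothetical event handler that was never triggered
    print("no data for:", never_observed(["httpd", "cmd.cgi", "handle-event.sh"], seen_by))
```

Each generated rule is a candidate to review, not something to load as is, and anything listed under "no data for" still needs to be exercised before switching to enforcing.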
