Nagios & SELinux

Jaimie Livingston jaimie at onebutterfly.com
Wed Oct 31 15:52:59 CET 2007


Hi list

I see that a lot of folks have problems running Nagios with SELinux in Enforcing mode.

Try this profile: It should work with Nagios 2.x and NagiosQL.
If it works - great. If it doesn't, try building your own by trying the following process.

# Turn every AVC denial logged since the last policy reload (-l) into a
# policy module source file; -m local is the module name audit2allow writes
# into the file header, so the module stays "local" even after the rename
audit2allow -m local -l -i /var/log/audit/audit.log > local.te
mv local.te nagios.te
# Compile the type enforcement source, package it, and load it into the running policy
checkmodule -M -m -o nagios.mod nagios.te
semodule_package -o nagios.pp -m nagios.mod
semodule -i nagios.pp

Here's the profile I built on a clean install of Nagios 2.9, with NagiosQL on a CentOS 5 system, SELinux in Enforcing mode:

<begin>
module local 1.0;

require {
        class chr_file read;
        class dir { getattr search };
        class fifo_file { getattr read write };
        class file { execute read write };
        class process { sigkill signal };
        type httpd_sys_content_t;
        type httpd_sys_script_rw_t;
        type httpd_sys_script_t;
        type httpd_t;
        type initrc_var_run_t;
        type ls_exec_t;
        type nagios_cgi_t;
        type nagios_etc_t;
        type nagios_t;
        type ping_t;
        type prelink_t;
        type public_content_t;
        type urandom_device_t;
        type user_home_t;
        type useradd_t;
        type usr_t;
        type var_log_t;
        role system_r;
};

# Apache CGI scripts (NagiosQL and the Nagios CGIs): search the Nagios config
# dir, stat and write the external command FIFO (labelled here as web content,
# public content or usr_t rather than with a Nagios type), read an httpd_t file
allow httpd_sys_script_t nagios_etc_t:dir search;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file getattr;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file write;
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t public_content_t:fifo_file getattr;
allow httpd_sys_script_t usr_t:fifo_file getattr;
# Apache itself: write the FIFO, signal or kill Nagios CGI processes,
# search a home directory, execute a file labelled usr_t
allow httpd_t httpd_sys_content_t:fifo_file getattr;
allow httpd_t httpd_sys_content_t:fifo_file write;
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t usr_t:file execute;
# Nagios CGIs running in their own domain: search the web content dir
allow nagios_cgi_t httpd_sys_content_t:dir search;
# The Nagios daemon: search the CGI read/write dir, write its file under
# /var/run (initrc_var_run_t), read /dev/urandom
allow nagios_t httpd_sys_script_rw_t:dir search;
allow nagios_t initrc_var_run_t:file write;
allow nagios_t urandom_device_t:chr_file read;
# ping, executed by the Nagios ping check, runs in ping_t: read the FIFO
# and read/write usr_t files
allow ping_t httpd_sys_content_t:fifo_file read;
allow ping_t public_content_t:fifo_file read;
allow ping_t usr_t:fifo_file read;
allow ping_t usr_t:file { read write };
# From prelink and useradd activity that was also in audit.log during the
# run; neither domain is part of Nagios
allow prelink_t httpd_sys_content_t:file read;
allow useradd_t var_log_t:file { read write };
<end>

If you see a way to make this better, or more secure without breaking Nagios, let me know...


- Jaimie Livingston (jaimielives)
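The following Python script is an added example, not part of Jaimie's post: it parses AVC denials in audit.log format into grouped allow rules the way audit2allow does, then separates rules raised by the Nagios and Apache domains seen in the module above from rules raised by any other domain, so unrelated denials that happened to land in audit.log are not allowed blindly. The sample log lines and the NAGIOS_DOMAINS set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original post); pid, dev and ino are placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1193842379.123:4501): avc:  denied  { search } for  pid=2817 comm="status.cgi" name="etc" dev=sda2 ino=98765 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=dir
type=AVC msg=audit(1193842380.456:4502): avc:  denied  { getattr write } for  pid=2818 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=fifo_file
type=AVC msg=audit(1193842391.789:4510): avc:  denied  { read write } for  pid=3001 comm="useradd" path="/var/log/faillog" dev=sda2 ino=4321 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# One AVC record: denied permissions, source/target security contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\w+)"
)

# Source domains that belong to Nagios/Apache in the module above (assumed list); a denial
# raised by any other domain is not something Nagios needed and deserves a second look.
NAGIOS_DOMAINS = {"nagios_t", "nagios_cgi_t", "httpd_t", "httpd_sys_script_t", "ping_t"}

def context_type(ctx):
    """user:role:type[:level] -> type, the only part an allow rule uses."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render_allow_rules(rules):
    """Render grouped denials as .te allow rules, one per (source, target, class)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

def review(rules):
    """Split rules into those raised by Nagios domains and those that need a second look."""
    keep = {k: v for k, v in rules.items() if k[0] in NAGIOS_DOMAINS}
    suspect = {k: v for k, v in rules.items() if k[0] not in NAGIOS_DOMAINS}
    return keep, suspect
```

Feeding the real /var/log/audit/audit.log to parse_avc_denials and rendering only the keep set gives a module body without rules such as the useradd_t and prelink_t ones above; the suspect set is the list to read before deciding whether any of it belongs in nagios.te.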

-----------------------
The mailing list archive is found here:
http://www.nagiosexchange.org/nagios-users.34.0.html
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users