Nagios and SELinux issue

[Chris Beattie]

-----Original Message-----
Kenneth Holter wrote:
> We're running Nagios 3.0.3 on RHEL 5, and are having an issue with
> SELinux. A symptom I have noticed it that acknowledging a problem
> results in the following error:
>
>     /Error: Could not stat() command file
>     '/usr/local/nagios/var/rw/nagios.cmd' /
>
> We need to keep SELinux active on the server, so I'll have to
> configure
> it to allow for Nagios. Does anyone know what needs to be done to do
> this?

I kept SELinux in Enforcing mode on CentOS 5.2, so hopefully this will
be similar.

Create a file called "mynagios.te", and put this in there:

module mynagios 1.0;

require {
	type initrc_tmp_t;
	type httpd_sys_script_t;
	type usr_t;
	type ping_t;
	type httpd_t;
	type unlabeled_t;
	class file execute_no_trans;
	class association recvfrom;
	class file execute;
	class file { read write };
	class fifo_file write;
	class fifo_file getattr;
}

#============= httpd_t ==============
allow httpd_t usr_t:file execute_no_trans;
allow httpd_t usr_t:file execute;

#============= unlabeled_t ==============
allow unlabeled_t self:association recvfrom;

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:fifo_file write;
allow httpd_sys_script_t usr_t:fifo_file getattr;

#============= ping_t ==============
allow ping_t initrc_tmp_t:file { read write };


To arrive at these settings, I ran Nagios with Enforcing turned on, and
clicked on all the links in the side bar, and tried to do stuff like
send acknowledgements.  You can use audit2allow to generate the type
enforcement file above from the audit.log file.  I kept finding things
I'd missed, so the above is the result of several iterations of
audit2allow and merging copies of their output into one file:

#audit2allow -m mynagios -l -i audit.log > mynagios.te
(Make a backup copy of the .te file somewhere in case you miss something
the first time around)
#gedit mynagios.te (to merge in the settings from the previous .te
file's backup)
#checkmodule -M -m -o mynagios.mod mynagios.te 
#semodule_package -o mynagios.pp -m mynagios.mod 
#semodule -i mynagios.pp

You can verify your mynagios policy package has been installed with:
#semodule -l

There was already a Nagios policy package installed on CentOS by
default, but it didn't work for me.  Maybe it was because I installed
Nagios from source instead of using a package.  Anyway, that's why I
called it mynagios, so that it didn't collide with the provided Nagios
package.


Nothing in this message is intended to make or accept and offer or to form a contract, except that an attachment that is an image of a contract bearing the signature of an officer of our company may be or become a contract. This message (including any attachments) is intended only for the use of the individual or entity to whom it is addressed. It may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, we hereby notify you that any use, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this message in error, please notify us immediately by telephone and delete this message immediately
 .

Thank you.

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you.  Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null