Nagios and SELinux

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Wed Mar 13 14:51:10 CET 2013


On 13/03/13 10:18, Andreas Ericsson wrote:
> On 03/13/2013 12:01 AM, Stephen H. Dawson wrote:
>> Can Nagios run under SELinux?
>>
> Yes it can, but the requirements to do so are close to "permissive",
> since there's a plethora of programs (plugins) that run under the
> Nagios umbrella.
>
> In order for it to be possible, Nagios needs permissions to:
> * create any number of outgoing network sockets
> * create incoming network sockets (as some plugins work by setting
>    up a listener and then sending a request)
> * create raw sockets (for ping)
> * execute suid root programs (for ping)
> * create, modify and write files, pipes and sockets on the local fs
> * connect to local sockets (for local database checks)
> * fork() and run without a tty
> * probably a bunch of other things
>
> It's quite a daunting task to get everything right with regards to
> SELinux, which is why I guess no one's done it yet.
>

We run Nagios under SELinux. It took a bit of tweaking, but now it works 
reliably.

Put your Nagios server and monitored clients into Permissive mode, run 
all the plugins that you need, and capture the log output from 
/var/log/audit/audit.log. Simply pass the relevant lines from audit.log 
through the audit2allow tool, which will generate the relevant SELinux 
policy. It might take several iterations of this to capture all possible 
violations of SELinux policy but once you've caught them all you can 
easily generate policy files for Nagios, NRPE, NSCA and other plugins 
which can then be deployed and installed on all your machines.

The end result is a fairly permissive SELinux policy *for Nagios* but 
still far better than not having SELinux at all.

Cheers,
Jonathan
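
The capture-and-generate loop described above, as an added example that is not part of the original post: it keeps only AVC denials whose source domain looks like Nagios or NRPE and groups them for review before they reach audit2allow. The domain pattern and the module name nagios_local are assumptions, and the log lines are constructed.

```bash
# Added example, not from the original post. NAGIOS_DOMAINS is an assumed
# pattern; confirm the real domain names on your hosts with `ps -eZ`.
NAGIOS_DOMAINS='(nagios|nrpe)[a-z_]*_t'

# Keep only AVC denials whose source domain is a Nagios/NRPE type (stdin -> stdout).
nagios_avcs() {
    grep -E 'type=AVC .*avc: +denied' |
        grep -E "scontext=[^ :]+:[^ :]+:${NAGIOS_DOMAINS}(:| |\$)"
}

# Collapse the denials into "count source target class perms" for review.
summarise_avcs() {
    nagios_avcs | awk '{
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }' | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample audit.log lines (not captured from a real host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1363182670.101:501): avc:  denied  { name_connect } for  pid=2101 comm="check_http" dest=8080 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363182730.102:502): avc:  denied  { name_connect } for  pid=2144 comm="check_http" dest=8080 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363182671.103:503): avc:  denied  { read } for  pid=2210 comm="check_disk" name="mtab" dev=dm-0 ino=1311 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1363182672.104:504): avc:  denied  { write } for  pid=3001 comm="httpd" name="cache" dev=dm-0 ino=2200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1363182672.104:504): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
EOF
}

# On a real host, after the permissive-mode run (nagios_local is a
# hypothetical module name):
#   nagios_avcs < /var/log/audit/audit.log | audit2allow -M nagios_local
#   less nagios_local.te        # review every rule before loading it
#   semodule -i nagios_local.pp
sample_log | summarise_avcs
```

Filtering on the source domain keeps denials from unrelated services, such as the httpd_t line in the sample, out of the generated Nagios module.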
