Nagios and SELinux

Daniel Wittenberg daniel.wittenberg.r0ko at statefarm.com
Wed Mar 13 18:26:21 CET 2013


Good place to start... I'll try building a base-level system and start with this, and see if we can get this back into the stock RPM to help people out.  I think I'd be more likely to use SELinux on my Nagios boxes if I didn't have to do as much to get it set up :)

Dan


On Mar 13, 2013, at 10:31 AM, Chris Beattie wrote:

> On 3/13/2013 9:51 AM, Jonathan Gazeley wrote:
>> The end result is a fairly permissive SELinux policy *for Nagios* but
>> still far better than not having SELinux at all.
> 
> That's exactly what I did, too.  If it helps you get jump-started, I 
> ended up with a .te file that looks like this.  I don't run any of the 
> popular Nagios add-ons except for Check_MK, so your mileage may vary.
> 
> 	module mynagios 1.0;
> 
> 	require {
> 		type initrc_tmp_t;
> 		type httpd_t;
> 		type httpd_sys_script_t;
> 		type initrc_t;
> 		type ping_t;
> 		type unlabeled_t;
> 		type usr_t;
> 		type var_lib_t;
> 		class association recvfrom;
> 		class dir { create setattr };
> 		class fifo_file { getattr write };
> 		class file { execute execute_no_trans read write };
> 		class sock_file write;
> 		class unix_stream_socket connectto;
> 	}
> 
> 	#============= httpd_t ==============
> 	# the web server domain: run usr_t files in its own domain (no transition),
> 	# write to usr_t FIFOs/sockets, connect to initrc_t stream sockets
> 	allow httpd_t usr_t:file { execute execute_no_trans };
> 	allow httpd_t usr_t:fifo_file { getattr write };
> 	allow httpd_t initrc_t:unix_stream_socket connectto;
> 	allow httpd_t usr_t:sock_file write;
> 	allow httpd_t var_lib_t:dir { create setattr };
> 	#============= unlabeled_t ==============
> 	# traffic with no label (unlabeled_t) may be received
> 	allow unlabeled_t self:association recvfrom;
> 	#============= httpd_sys_script_t ==============
> 	# CGI scripts started by the web server: write to usr_t FIFOs
> 	allow httpd_sys_script_t usr_t:fifo_file { getattr write };
> 	#============= ping_t ==============
> 	# ping (check_ping) reads and writes files under initrc_tmp_t
> 	allow ping_t initrc_tmp_t:file { read write };
> -- 
> -Chris
> 
> 
> 
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null


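The thread's approach is to load whatever policy module the denials produce and accept that it is "fairly permissive". The following script is an added example, not code from the list or from the Nagios or Check_MK projects: it parses the allow rules out of a .te file of the kind shown above and flags the ones a reviewer would normally want to look at before running semodule -i (rules involving unlabeled_t, which usually point at mislabelled files or network traffic rather than a real policy gap; execute_no_trans, which lets the source domain run the target files without switching to a confined domain; and rules targeting broad default labels such as usr_t or var_lib_t, which grant access to everything carrying that label). The sample module text, the review criteria and the function names are this example's own assumptions.

```python
"""Review the allow rules of a generated SELinux .te module before loading it.

Added example, not part of the mailing-list thread. The SAMPLE_TE text is
constructed for the example and only mirrors the shape of the posted module;
the flagging criteria are this script's own and not an official SELinux check.
"""
import re
from dataclasses import dataclass

# Constructed sample module (not the poster's file) used as input below.
SAMPLE_TE = """\
module mynagios 1.0;

require {
    type httpd_t;
    type usr_t;
    type unlabeled_t;
    type var_lib_t;
    class file { execute execute_no_trans };
    class dir { create setattr };
    class association recvfrom;
}

#============= httpd_t ==============
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_lib_t:dir { create setattr };
#============= unlabeled_t ==============
allow unlabeled_t self:association recvfrom;
"""

# Default labels that cover whole trees (/usr, /var/lib, /var, /etc, /tmp);
# a rule against one of these reaches every object carrying that label.
GENERIC_TYPES = {"usr_t", "var_lib_t", "var_t", "etc_t", "tmp_t", "bin_t"}

# allow <source> <target>:<class> { perm perm ... } ;   or   allow ... <class> perm ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;",
    re.MULTILINE,
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(te_text):
    """Return the allow rules of a .te source, in file order, comments ignored."""
    stripped = re.sub(r"#.*", "", te_text)
    rules = []
    for m in ALLOW_RE.finditer(stripped):
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        rules.append(AllowRule(m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules


def review_rule(rule):
    """Return human-readable findings for one rule; an empty list means nothing flagged."""
    findings = []
    if "unlabeled_t" in (rule.source, rule.target):
        findings.append("unlabeled_t: usually a labeling problem; relabel the objects "
                        "(restorecon) or label the network rather than allowing it")
    if rule.tclass == "file" and "execute_no_trans" in rule.perms:
        findings.append(f"execute_no_trans: {rule.source} runs {rule.target} files in its "
                        f"own domain instead of transitioning to a confined one")
    if rule.target in GENERIC_TYPES:
        findings.append(f"generic type {rule.target}: grants {rule.tclass} access to every "
                        f"object with that label; consider a dedicated type for the path")
    return findings


def review_module(te_text):
    """Pair every allow rule with its findings, in file order."""
    return [(rule, review_rule(rule)) for rule in parse_allow_rules(te_text)]


if __name__ == "__main__":
    for rule, findings in review_module(SAMPLE_TE):
        status = "REVIEW" if findings else "ok"
        print(f"[{status}] allow {rule.source} {rule.target}:{rule.tclass} "
              f"{{ {' '.join(sorted(rule.perms))} }}")
        for f in findings:
            print(f"    - {f}")
```

Run it against the module audit2allow produced (replace SAMPLE_TE with the file contents) before packaging it with checkmodule and semodule_package; a rule that gets flagged is not necessarily wrong, but it is the one to justify, and the unlabeled_t case in particular is worth fixing with a relabel rather than a rule, since the allow would otherwise hide the mislabelling.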




