<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> Arno Lehmann wrote: <blockquote cite="mid45B927D4.9050904@its-lehmann.de" type="cite"> <pre wrap="">Hi, On 1/25/2007 10:44 PM, Petersen, Mark wrote: </pre> <blockquote type="cite"> <pre wrap="">Can you move the cgi's (or possibly hardlink them) to someplace that apache will let them run (say /var/www/nagios2/cgi-bin)? Otherwise you might need some sort of a compile option to just install them there. Someone more familiar with the build process might be able to help here. </pre> </blockquote> <pre wrap=""> That would not help, given a tightly locked SELinux system, I believe. </pre> <blockquote type="cite"> <pre wrap="">There's also ways to hack apache (may require recompile) to allow this, but I'm under the impression from these two posts that SELinux would disallow those changes to take effect? </pre> </blockquote> <pre wrap=""> The point is to configure SELinux to allow whatever is necessary. This will not only be apache and the cgis, but also the monitoring plugins and, of course, nagios itself. I've never used SELinux, but AFAIK you can run a system, log all the activities, review that log to make sure everything is ok, and convert that in a ruleset which allows just what you observed. This will not work where programs do things that were never observed. Just think about event handler scripts that never got triggered in your observation phase. In short, you will need someone who actually knows that SELinux stuff and has access to the machine in question. A security oriented person would hopefully never install SELinux rules on such a machine that he did not review or even create himself. Sounds like that servers admin :-) Arno </pre> <blockquote type="cite"> <pre wrap="">-----Original Message----- From: <a class="moz-txt-link-abbreviated" href="mailto:nagios-users-bounces@lists.sourceforge.net">nagios-users-bounces@lists.sourceforge.net</a> [<a class="moz-txt-link-freetext" href="mailto:nagios-users-bounces@lists.sourceforge.net">mailto:nagios-users-bounces@lists.sourceforge.net</a>] On Behalf Of Jiann-Ming Su Sent: Thursday, January 25, 2007 2:27 PM To: <a class="moz-txt-link-abbreviated" href="mailto:nagios-users@lists.sourceforge.net">nagios-users@lists.sourceforge.net</a> Subject: [Nagios-users] nagios and selinux? What's the proper way to configure nagios and selinux to work together? I've run into the same problem as described here: <a class="moz-txt-link-freetext" href="http://www.redhat.com/archives/fedora-list/2005-September/msg02007.html">http://www.redhat.com/archives/fedora-list/2005-September/msg02007.html</a> Setting selinux to permissive got my test nagios going. But, now I need to migrate to a production system with selinux set to enforcing and type set to targeted. Thanks for any tips. </pre> </blockquote> <pre wrap=""> </pre> </blockquote> Arno is correct. You need to have someone familiar with security contexts AND understands the website config... Go to the apache web site and look in the documentation for "Security Contexts For CGI Scripts" for an overview and examples. There is a pretty definitive explanation of the topic. Any examples I could give you would almost certainly BREAK your security model. HINT - The relevant command is "<tt>chcon</tt>" and the relevant flag is "httpd_sys_script_exec_t". </body> </html>