Nagios & SELinux
Jaimie Livingston
jaimie at onebutterfly.com
Wed Oct 31 15:52:59 CET 2007
Hi list
I see that a lot of folks have problems running Nagios with SELinux in Enforcing mode.
Try this profile; it should work with Nagios 2.x and NagiosQL.
If it works - great. If it doesn't, try building your own by trying the following process.
audit2allow -m local -l -i /var/log/audit/audit.log > local.te
mv local.te nagios.te
checkmodule -M -m -o nagios.mod nagios.te
semodule_package -o nagios.pp -m nagios.mod
semodule -i nagios.pp
Here's the profile I built on a clean install of Nagios 2.9, with NagiosQL on a CentOS 5 system, SELinux in Enforcing mode:
<begin>
module local 1.0;
require {
    class chr_file read;
    class dir { getattr search };
    class fifo_file { getattr read write };
    class file { execute read write };
    class process { sigkill signal };
    type httpd_sys_content_t;
    type httpd_sys_script_rw_t;
    type httpd_sys_script_t;
    type httpd_t;
    type initrc_var_run_t;
    type ls_exec_t;
    type nagios_cgi_t;
    type nagios_etc_t;
    type nagios_t;
    type ping_t;
    type prelink_t;
    type public_content_t;
    type urandom_device_t;
    type user_home_t;
    type useradd_t;
    type usr_t;
    type var_log_t;
    role system_r;
};
allow httpd_sys_script_t nagios_etc_t:dir search;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file getattr;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file write;
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t public_content_t:fifo_file getattr;
allow httpd_sys_script_t usr_t:fifo_file getattr;
allow httpd_t httpd_sys_content_t:fifo_file getattr;
allow httpd_t httpd_sys_content_t:fifo_file write;
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t usr_t:file execute;
allow nagios_cgi_t httpd_sys_content_t:dir search;
allow nagios_t httpd_sys_script_rw_t:dir search;
allow nagios_t initrc_var_run_t:file write;
allow nagios_t urandom_device_t:chr_file read;
allow ping_t httpd_sys_content_t:fifo_file read;
allow ping_t public_content_t:fifo_file read;
allow ping_t usr_t:fifo_file read;
allow ping_t usr_t:file { read write };
allow prelink_t httpd_sys_content_t:file read;
allow useradd_t var_log_t:file { read write };
<end>
If you see a way to make this better, or more secure without breaking Nagios, let me know...
- Jaimie Livingston (jaimielives)
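The audit2allow step in the process above is what turns AVC denials into the allow rules of a .te file. The following added Python example (not from the post or from the audit2allow tool) performs the same translation on a few constructed audit.log lines, so the origin of each rule in a module like the one above is visible; SAMPLE_AUDIT_LOG, parse_denials and render_module are names chosen here.

```python
import re
from collections import defaultdict

# Constructed audit.log records in the AVC format audit2allow reads (sample data, not from the post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1193842355.123:201): avc:  denied  { read } for  pid=4211 comm="nagios" name="urandom" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1193842356.456:202): avc:  denied  { getattr } for  pid=4300 comm="httpd" name="nagios.cmd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=fifo_file
type=AVC msg=audit(1193842356.789:203): avc:  denied  { write } for  pid=4300 comm="httpd" name="nagios.cmd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1193842356.789:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Pull the denied permissions, the source and target types and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)(?::\S+)?\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)?\s+'
    r'tclass=(?P<tclass>\w+)')


def parse_denials(log_text):
    """Merge denials into {(source_type, target_type, class): {permissions}}, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) carry no denial and are skipped
            rules[(m['stype'], m['ttype'], m['tclass'])] |= set(m['perms'].split())
    return dict(rules)


def fmt_perms(perms):
    """One permission bare, several in braces: the .te syntax used in the post's module."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_module(rules, name='nagios', version='1.0'):
    """Write the .te text checkmodule compiles: a require block followed by the allow rules."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'    class {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    lines += [f'    type {t};' for t in types]
    lines += ['};', '']
    lines += [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module with two allow rules, one per (source, target, class) triple, with the two httpd_t denials merged into `{ getattr write }`; reading the generated rules before `semodule -i` is the point at which an over-broad grant can still be dropped.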
-----------------------
The mailing list archive is found here:
http://www.nagiosexchange.org/nagios-users.34.0.html
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users