Nagios & SELinux
Chris Beattie
cbeattie at geninfo.com
Mon Feb 2 17:09:28 CET 2009
I compiled Nagios 3 from source on CentOS 5.2 with SELinux set to Enforcing. I installed Nagios following the Fedora Quickstart guide. SELinux will prevent just about everything in Nagios' web page from running. It was an iterative process to get everything allowed, since I kept finding things I'd missed the previous time through these steps. CentOS 5.2 (and RHEL, I assume) had some SELinux tuning tools installed, but I don't know if they're available on other distros.
1. Click on the links in Nagios' side bar, try to send acknowledgements, etc.
2. Use the SE Troubleshoot Browser to take a look at the audit.log file and clean out anything not caused by Nagios.
3. If this isn't the first time through the steps, make a backup copy of your type enforcement settings (.te) file.
4. Run: #audit2allow -m mynagios -l -i audit.log > mynagios.te
5. If this isn't the first time through the steps, use a text editor to merge the contents of your current and previous .te files.
6. Run: #checkmodule -M -m -o mynagios.mod mynagios.te
7. Run: #semodule_package -o mynagios.pp -m mynagios.mod
8. Run: #semodule -i mynagios.pp
9. Verify your policy package has been installed by running #semodule -l
10. Return to step 1 until SELinux lets Nagios do everything Nagios needs to do.
Keeping a backup of your type enforcement file is necessary because if Nagios is allowed to do some things, they won't continue creating entries in audit.log, and audit2allow won't pick them up the next time around. You want your .te file to accumulate all the necessary settings.
There was a Nagios policy package installed in CentOS already, but it didn't work for me. When you create your own SELinux policy packages, give your package a unique name. I think that will prevent it from being clobbered if the stock package gets updated by your distribution's maintainer.
________________________________
From: Stephen H. Dawson [mailto:service at shdawson.com]
Sent: Sun 2/1/2009 8:36 AM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] Nagios & SELinux
Good Morning,
We are going with SELinux on some of our servers. We are looking for anyone that uses SELinux on their Nagios machines. Preferably, best practices & what not. Any guidance would be most appreciated.
Thank You,
Stephen H. Dawson
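The manual merge in step 5 of the reply above can be scripted. The following is an added example, not part of the original thread: it unions the `type`, `class` and `allow` lines of audit2allow-style .te files so permissions from earlier passes are kept. The function names and the sample type names are constructed for illustration, and only those three statement kinds are handled.

```python
import re
from collections import defaultdict
# The three statement kinds this sketch understands in audit2allow -m output.
PERMS = r"(?:\{([^}]*)\}|(\w+));"
TYPE = re.compile(r"\s*type\s+(\w+);")
CLASS = re.compile(r"\s*class\s+(\w+)\s+" + PERMS)
ALLOW = re.compile(r"\s*allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS)

def parse_te(text):
    """Return (types, class -> perms, (source, target, class) -> perms)."""
    types, classes, rules = set(), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := TYPE.match(line):
            types.add(m.group(1))
        elif m := CLASS.match(line):
            classes[m.group(1)].update((m.group(2) or m.group(3) or "").split())
        elif m := ALLOW.match(line):
            rules[m.group(1, 2, 3)].update((m.group(4) or m.group(5) or "").split())
    return types, classes, rules

def merge_te(name, *texts):
    """Union several .te files into one module, sorted so diffs stay readable."""
    types, classes, rules = set(), defaultdict(set), defaultdict(set)
    for text in texts:
        t, c, r = parse_te(text)
        types |= t
        for key, perms in c.items():
            classes[key] |= perms
        for key, perms in r.items():
            rules[key] |= perms
    braces = lambda perms: "{ " + " ".join(sorted(perms)) + " }"
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {braces(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {braces(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

# Constructed sample input: an earlier pass and a later pass of step 4.
PREVIOUS = ("module mynagios 1.0;\nrequire {\n\ttype httpd_t;\n\ttype nagios_log_t;\n"
            "\tclass file { read getattr };\n}\n"
            "allow httpd_t nagios_log_t:file { read getattr };\n")
CURRENT = ("module mynagios 1.0;\nrequire {\n\ttype httpd_t;\n\ttype nagios_log_t;\n"
           "\ttype httpd_sys_script_t;\n\ttype usr_t;\n\tclass file append;\n"
           "\tclass fifo_file { write getattr };\n}\nallow httpd_t nagios_log_t:file append;\n"
           "allow httpd_sys_script_t usr_t:fifo_file { write getattr };\n")

if __name__ == "__main__":
    print(merge_te("mynagios", PREVIOUS, CURRENT), end="")
```

Reading the merged output before step 6 shows every permission the module will grant in one place.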