I compiled Nagios 3 from source on CentOS 5.2 with SELinux set to Enforcing.  I 
installed Nagios following the Fedora Quickstart guide.  SELinux will prevent 
just about everything in Nagios' web page from running.  It was an iterative 
process to get everything allowed, since I kept finding things I'd missed the 
previous time through these steps.  CentOS 5.2 (and RHEL, I assume) had some 
SELinux tuning tools installed, but I don't know if they're available on other 
distros.

1.  Click on the links in Nagios' side bar, try to send acknowledgements, etc.
2.  Use the SE Troubleshoot Browser to take a look at the audit.log file and 
clean out anything not caused by Nagios.
3.  If this isn't the first time through the steps, make a backup copy of your 
type enforcement settings (.te) file.
4.  Run:  #audit2allow -m mynagios -l -i audit.log > mynagios.te
5.  If this isn't the first time through the steps, use a text editor to merge 
the contents of your current and previous .te files.
6.  Run:  #checkmodule -M -m -o mynagios.mod mynagios.te
7.  Run:  #semodule_package -o mynagios.pp -m mynagios.mod
8.  Run:  #semodule -i mynagios.pp
9.  Verify your policy package has been installed by running #semodule -l
10. Return to step 1 until SELinux lets Nagios do everything Nagios needs to do.

Keeping a backup of your type enforcement file is necessary because if Nagios 
is allowed to do some things, they won't continue creating entries in 
audit.log, and audit2allow won't pick them up the next time around.  You want 
your .te file to accumulate all the necessary settings.

There was a Nagios policy package installed in CentOS already, but it didn't 
work for me.  When you create your own SELinux policy packages, give your 
package a unique name.  I think that will prevent it from being clobbered if 
the stock package gets updated by your distribution's maintainer.
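
The manual merge in step 5 can be scripted. This is an added example, not part of the original post: it assumes both .te files contain only the type, class and allow statements that audit2allow -m emits, and the sample policy text and the merge_te helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inputs in the layout audit2allow -m emits (not real audit output).
PREVIOUS_TE = """\
module mynagios 1.0;
require {
    type httpd_t;
    type nagios_log_t;
    class file { read getattr };
}
allow httpd_t nagios_log_t:file { read getattr };
"""
CURRENT_TE = """\
module mynagios 1.0;
require {
    type httpd_t;
    type nagios_spool_t;
    class file getattr;
    class fifo_file { write getattr };
}
allow httpd_t nagios_log_t:file getattr;
allow httpd_t nagios_spool_t:fifo_file { write getattr };
"""

# Assumption: only these three statement kinds are present; anything else is dropped.
TYPE_RE = re.compile(r"^\s*type\s+(\w+);", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+\{?([^};]+)\}?;", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+\{?([^};]+)\}?;", re.M)

def merge_te(name, *te_texts):
    """Union the types, class permissions and allow rules of several .te files."""
    types, classes, allows = set(), defaultdict(set), defaultdict(set)
    for text in te_texts:
        types.update(TYPE_RE.findall(text))
        for cls, perms in CLASS_RE.findall(text):
            classes[cls].update(perms.split())
        for src, tgt, cls, perms in ALLOW_RE.findall(text):
            allows[(src, tgt, cls)].update(perms.split())
            types.update(t for t in (src, tgt) if t != "self")  # keep require complete
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(allows.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(merge_te("mynagios", PREVIOUS_TE, CURRENT_TE))
```

Review the merged rules before compiling them in step 6, since every allow line widens what the confined domain may do.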


________________________________

From: Stephen H. Dawson [mailto:serv...@shdawson.com]
Sent: Sun 2/1/2009 8:36 AM
To: nagios-users@lists.sourceforge.net
Subject: [Nagios-users] Nagios & SELinux


Good Morning,


We are going with SELinux on some of our servers.  We are looking for anyone 
that uses SELinux on their Nagios machines.  Preferably, best practices & what 
not.  Any guidance would be most appreciated.


Thank You,
Stephen H. Dawson
