On 13/03/13 10:18, Andreas Ericsson wrote:
> On 03/13/2013 12:01 AM, Stephen H. Dawson wrote:
>> Can Nagios run under SELinux?
>>
> Yes it can, but the requirements to do so are close to "permissive",
> since there's a plethora of programs (plugins) that run under the
> Nagios umbrella.
>
> In order for it to be possible, Nagios needs permissions to:
> * create any number of outgoing network sockets
> * create incoming network sockets (as some plugins work by setting
>   up a listener and then sending a request)
> * create raw sockets (for ping)
> * execute suid root programs (for ping)
> * create, modify and write files, pipes and sockets on the local fs
> * connect to local sockets (for local database checks)
> * fork() and run without a tty
> * probably a bunch of other things
>
> It's quite a daunting task to get everything right with regards to
> selinux, which is why I guess no one's done it yet.
>

We run Nagios under SELinux. It took a bit of tweaking, but now it works reliably.

Put your Nagios server and monitored clients into Permissive mode, run all the plugins that you need, and capture the log output from /var/log/audit/audit.log. Simply pass the relevant lines from audit.log through the audit2allow tool, which will generate the relevant SELinux policy.

It might take several iterations of this to capture all possible violations of SELinux policy but once you've caught them all you can easily generate policy files for Nagios, NRPE, NSCA and other plugins which can then be deployed and installed on all your machines.

The end result is a fairly permissive SELinux policy *for Nagios* but still far better than not having SELinux at all.

Cheers,
Jonathan

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
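
A review aid for the audit.log and audit2allow procedure described in the message above, added here as an example (it is not code from the thread's authors or from the Nagios project). It groups the AVC denials logged for Nagios-related domains into allow rules of the kind audit2allow proposes, tagged with the plugin that triggered each, so the policy can be read before it is loaded. The sample log lines are constructed, and the domain prefixes `nagios` and `nrpe` are assumptions about how the local policy names these domains.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log AVC format (not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363170001.101:501): avc:  denied  { name_connect } for  pid=2101 comm="check_http" dest=80 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363170002.202:502): avc:  denied  { create } for  pid=2102 comm="check_ping" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=rawip_socket
type=AVC msg=audit(1363170003.303:503): avc:  denied  { write } for  pid=2103 comm="nagios" name="nagios.cmd" dev=dm-0 ino=4242 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
type=AVC msg=audit(1363170004.404:504): avc:  denied  { read write } for  pid=2104 comm="nagios" name="nagios.cmd" dev=dm-0 ino=4242 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
type=AVC msg=audit(1363170005.505:505): avc:  denied  { getattr } for  pid=3100 comm="httpd" path="/srv/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1363170005.505:505): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
"""

# Pull permissions, command name, source/target types and object class from one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)'
    r'.*?tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)'
    r'.*?tclass=(?P<cls>\S+)')

def collect_denials(log_text, domain_prefixes=("nagios", "nrpe")):
    """Group denials from matching source domains by (source, target, class).

    domain_prefixes is an assumption; adjust it to the local policy's type names.
    """
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or not m["src"].startswith(domain_prefixes):
            continue  # unparsable line, or a denial from an unrelated domain
        entry = grouped[(m["src"], m["tgt"], m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
    return grouped

def render_rules(grouped):
    """Render one allow rule per group, with the triggering commands as a comment."""
    rules = []
    for (src, tgt, cls), entry in sorted(grouped.items()):
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if tgt == src else tgt
        comms = ", ".join(sorted(entry["comms"]))
        rules.append(f"allow {src} {target}:{cls} {perm_str};  # {comms}")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(collect_denials(SAMPLE_AUDIT_LOG))))
```

Rules that target a generic type such as `var_t` are the ones worth a second look: relabelling the file with a more specific type is usually a narrower fix than granting the domain access to everything carrying the generic label.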