Re: [Nagios-users] Nagios and SELinx
On 03/13/2013 12:01 AM, Stephen H. Dawson wrote:
> Can Nagios run under SELinux?

Yes it can, but the requirements to do so are close to permissive, since there's a plethora of programs (plugins) that run under the Nagios umbrella.

In order for it to be possible, Nagios needs permissions to:

* create any number of outgoing network sockets
* create incoming network sockets (as some plugins work by setting up a listener and then sending a request)
* create raw sockets (for ping)
* execute suid root programs (for ping)
* create, modify and write files, pipes and sockets on the local fs
* connect to local sockets (for local database checks)
* fork() and run without a tty
* probably a bunch of other things

It's quite a daunting task to get everything right with regards to selinux, which is why I guess no one's done it yet.

--
Andreas Ericsson andreas.erics...@op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and terror, I think we should give some serious thought to declaring war on peace.

--
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Nagios and SELinx
On 13/03/13 10:18, Andreas Ericsson wrote:
> On 03/13/2013 12:01 AM, Stephen H. Dawson wrote:
>> Can Nagios run under SELinux?
>
> Yes it can, but the requirements to do so are close to permissive, since there's a plethora of programs (plugins) that run under the Nagios umbrella.
>
> In order for it to be possible, Nagios needs permissions to:
>
> * create any number of outgoing network sockets
> * create incoming network sockets (as some plugins work by setting up a listener and then sending a request)
> * create raw sockets (for ping)
> * execute suid root programs (for ping)
> * create, modify and write files, pipes and sockets on the local fs
> * connect to local sockets (for local database checks)
> * fork() and run without a tty
> * probably a bunch of other things
>
> It's quite a daunting task to get everything right with regards to selinux, which is why I guess no one's done it yet.

We run Nagios under SELinux. It took a bit of tweaking, but now it works reliably.

Put your Nagios server and monitored clients into Permissive mode, run all the plugins that you need, and capture the log output from /var/log/audit/audit.log. Simply pass the relevant lines from audit.log through the audit2allow tool, which will generate the relevant SELinux policy. It might take several iterations of this to capture all possible violations of SELinux policy, but once you've caught them all you can easily generate policy files for Nagios, NRPE, NSCA and other plugins, which can then be deployed and installed on all your machines.

The end result is a fairly permissive SELinux policy *for Nagios* but still far better than not having SELinux at all.

Cheers,
Jonathan
Re: [Nagios-users] Nagios and SELinx
On 3/13/2013 9:51 AM, Jonathan Gazeley wrote:
> The end result is a fairly permissive SELinux policy *for Nagios* but still far better than not having SELinux at all.

That's exactly what I did, too. If it helps you get jump-started, I ended up with a .te file that looks like this. I don't run any of the popular Nagios add-ons except for Check_MK, so your mileage may vary.

module mynagios 1.0;

require {
	type initrc_tmp_t;
	type httpd_t;
	type httpd_sys_script_t;
	type initrc_t;
	type ping_t;
	type unlabeled_t;
	type usr_t;
	type var_lib_t;
	class association recvfrom;
	class dir { create setattr };
	class fifo_file write;
	class fifo_file getattr;
	class file execute;
	class file execute_no_trans;
	class file { read write };
	class sock_file write;
	class unix_stream_socket connectto;
}

#= httpd_t ==
allow httpd_t usr_t:file execute_no_trans;
allow httpd_t usr_t:file execute;
allow httpd_t usr_t:fifo_file getattr;
allow httpd_t usr_t:fifo_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t usr_t:sock_file write;
allow httpd_t var_lib_t:dir { create setattr };

#= unlabeled_t ==
allow unlabeled_t self:association recvfrom;

#= httpd_sys_script_t ==
allow httpd_sys_script_t usr_t:fifo_file write;
allow httpd_sys_script_t usr_t:fifo_file getattr;

#= ping_t ==
allow ping_t initrc_tmp_t:file { read write };

--
-Chris

Nothing in this message is intended to make or accept an offer or to form a contract, except that an attachment that is an image of a contract bearing the signature of an officer of our company may be or become a contract. This message (including any attachments) is intended only for the use of the individual or entity to whom it is addressed. It may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute attorney work product. If you are not the intended recipient, we hereby notify you that any use, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this message in error, please notify us immediately by telephone and delete this message immediately. Thank you.
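As an added example (not code from the thread or from the Nagios project) of the audit.log-to-policy step Jonathan describes, and of how audit2allow arrives at a module shaped like the one Chris posted: a small Python script that folds AVC records into allow rules, renders them as a .te module, and flags the rules worth a second look before the module is built and installed. The audit lines, PIDs and paths below are constructed, not captured from a real host.

```python
"""Mini audit2allow: fold AVC denials from audit.log into SELinux allow rules.
Added example, not code from the thread; the audit records are constructed,
not captured from a real Nagios host."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1363165200.123:4501): avc:  denied  { write } for  pid=2231 comm="check_mk" name="nagios.cmd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file
type=AVC msg=audit(1363165200.125:4502): avc:  denied  { getattr } for  pid=2231 comm="check_mk" path="/usr/local/nagios/var/rw/nagios.cmd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file
type=AVC msg=audit(1363165203.001:4510): avc:  denied  { read write } for  pid=2240 comm="ping" path="/tmp/sh-thd-1363165203" scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1363165203.002:4511): avc:  denied  { recvfrom } for  pid=2240 comm="ping" saddr=192.0.2.10 scontext=system_u:system_r:unlabeled_t:s0 tcontext=system_u:system_r:unlabeled_t:s0 tclass=association
type=SYSCALL msg=audit(1363165203.002:4511): arch=c000003e syscall=44 success=no exit=-13
"""

# One AVC record: denied permissions in braces, then both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")

def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and similar records carry no avc: field and are skipped
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_te(rules, module="mynagios", version="1.0"):
    """Render the rules as a .te module in the same shape as the one posted above."""
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(by_class.items())]
    out.append("}")
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = f"{{ {p} }}"
        # audit2allow writes "self" when source and target are the same type
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {p};")
    return "\n".join(out) + "\n"

def needs_review(rules):
    """Rules involving unlabeled_t deserve a look before installing: for files it
    means a missing label (restorecon), for associations an unlabeled packet."""
    return sorted(k for k in rules if "unlabeled_t" in k[:2])
```

Run it over a copy of audit.log from a host left in Permissive mode and compare the output with what audit2allow produces; the flagged rules are the ones where a relabel is usually the better fix than a new allow.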
Re: [Nagios-users] Nagios and SELinx
Good place to start…I'll try building a base level system and start with this and see if we can get this back in the stock RPM to help people out. I think I'd be more likely to use selinux on my nagios boxes if I didn't have to do as much to get it set up :)

Dan

On Mar 13, 2013, at 10:31 AM, Chris Beattie wrote:
> On 3/13/2013 9:51 AM, Jonathan Gazeley wrote:
>> The end result is a fairly permissive SELinux policy *for Nagios* but still far better than not having SELinux at all.
>
> That's exactly what I did, too. If it helps you get jump-started, I ended up with a .te file that looks like this. I don't run any of the popular Nagios add-ons except for Check_MK, so your mileage may vary.
>
> module mynagios 1.0;
>
> [...]
>
> --
> -Chris