Re: [Nagios-users] Nagios SELinux

2009-02-02 Thread Chris Beattie
I compiled Nagios 3 from source on CentOS 5.2 with SELinux set to Enforcing.  I 
installed Nagios following the Fedora Quickstart guide.  SELinux will prevent 
just about everything in Nagios' web page from running.  It was an iterative 
process to get everything allowed, since I kept finding things I'd missed the 
previous time through these steps.  CentOS 5.2 (and RHEL, I assume) had some 
SELinux tuning tools installed, but I don't know if they're available on other 
distros.

1.  Click on the links in Nagios' side bar, try to send acknowledgements, etc.
2.  Use the SE Troubleshoot Browser to take a look at the audit.log file and 
clean out anything not caused by Nagios.
3.  If this isn't the first time through the steps, make a backup copy of your 
type enforcement settings (.te) file.
4.  Run:  #audit2allow -m mynagios -l -i audit.log > mynagios.te
5.  If this isn't the first time through the steps, use a text editor to merge 
the contents of your current and previous .te files.
6.  Run:  #checkmodule -M -m -o mynagios.mod mynagios.te
7.  Run:  #semodule_package -o mynagios.pp -m mynagios.mod
8.  Run:  #semodule -i mynagios.pp
9.  Verify your policy package has been installed by running #semodule -l
10. Return to step 1 until SELinux lets Nagios do everything Nagios needs to do.

Keeping a backup of your type enforcement file is necessary because if Nagios 
is allowed to do some things, they won't continue creating entries in 
audit.log, and audit2allow won't pick them up the next time around.  You want 
your .te file to accumulate all the necessary settings.

There was a Nagios policy package installed in CentOS already, but it didn't 
work for me.  When you create your own SELinux policy packages, give your 
package a unique name.  I think that will prevent it from being clobbered if 
the stock package gets updated by your distribution's maintainer.




From: Stephen H. Dawson [mailto:serv...@shdawson.com]
Sent: Sun 2/1/2009 8:36 AM
To: nagios-users@lists.sourceforge.net
Subject: [Nagios-users] Nagios & SELinux


Good Morning,


We are going with SELinux on some of our servers.  We are looking for anyone 
that uses SELinux on their Nagios machines.  Preferably, best practices & what 
not.  Any guidance would be most appreciated.


Thank You,
Stephen H. Dawson

--
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting 
any issue. 
::: Messages without supporting info will risk being sent to /dev/null
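Step 5 of the procedure above merges the previous round's .te file with the new one by hand. The following added example (not the poster's script) does that merge mechanically: it parses the module format audit2allow emits, unions the require block and the allow rules across rounds, and re-emits one file ready for checkmodule. The two input modules and the module name mynagios are constructed for the example.

```python
from collections import defaultdict
# Merge .te files from successive audit2allow rounds (step 5 above). Added example, not the poster's script; inputs are constructed.
TE_ROUND1 = """module mynagios 1.0;
require {
    class fifo_file { getattr write };
    type httpd_t;
    role system_r;
};
allow httpd_t httpd_sys_content_t:fifo_file { getattr write };
"""
TE_ROUND2 = """module mynagios 1.0;
require {
    class fifo_file read;
    type nagios_etc_t;
};
allow httpd_t httpd_sys_content_t:fifo_file read;
allow httpd_t nagios_etc_t:dir search;
"""

def _perms(s):  # '{ read write }' -> {'read', 'write'}; 'read' -> {'read'}
    return set(s.strip("{} ").split())

def parse_te(text):  # -> (module header, class->perms, types, roles, (src, tgt, cls)->perms)
    header, classes, types, roles, rules = None, defaultdict(set), set(), set(), defaultdict(set)
    for line in (l.strip().rstrip(";") for l in text.splitlines()):
        if line.startswith("module "):
            header = header or line  # first header wins when several rounds are concatenated
        elif line.startswith("class "):
            _, cls, perms = line.split(None, 2)
            classes[cls] |= _perms(perms)
        elif line.startswith("type ") or line.startswith("role "):
            (types if line[0] == "t" else roles).add(line.split()[1])
        elif line.startswith("allow "):
            _, src, tgt_cls, perms = line.split(None, 3)
            tgt, cls = tgt_cls.split(":")
            rules[(src, tgt, cls)] |= _perms(perms)
            types |= {src, tgt}  # require{} must name every type and class a rule uses
            classes[cls] |= _perms(perms)
    return header, classes, types, roles, rules

def _fmt(perms):  # one perm bare, several in braces, as audit2allow prints them
    return " ".join(sorted(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))

def merge_te(*texts):  # union of the given modules, re-emitted as one checkmodule-ready .te
    header, classes, types, roles, rules = parse_te("\n".join(texts))
    out = [header + ";", "", "require {"]
    out += [f"    class {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    out += [f"    type {t};" for t in sorted(types)] + [f"    role {r};" for r in sorted(roles)]
    out += ["};", ""] + [f"allow {s} {t}:{c} {_fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Feed every round's .te file to merge_te and the result is the accumulated module the poster keeps by hand; running it again over its own output is a no-op.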

[Nagios-users] Nagios SELinux

2009-02-01 Thread Stephen H. Dawson
Good Morning,
 

We are going with SELinux on some of our servers.  We are looking for anyone 
that uses SELinux on their Nagios machines.  Preferably, best practices & what 
not.  Any guidance would be most appreciated.
 
 
Thank You,
Stephen H. Dawson

[Nagios-users] Nagios SELinux

2007-10-31 Thread Jaimie Livingston
Hi list

I see that a lot of folks have problems running Nagios with SELinux in 
Enforcing mode.

Try this profile; it should work with Nagios 2.x and NagiosQL.
If it works - great. If it doesn't, try building your own by trying the 
following process.

audit2allow -m local -l -i /var/log/audit/audit.log > local.te
mv local.te nagios.te
checkmodule -M -m -o nagios.mod nagios.te
semodule_package -o nagios.pp -m nagios.mod
semodule -i nagios.pp

Here's the profile I built on a clean install of Nagios 2.9, with NagiosQL on a 
CentOS 5 system, SELinux in Enforcing mode:

begin
module local 1.0;

require {
class chr_file read;
class dir { getattr search };
class fifo_file { getattr read write };
class file { execute read write };
class process { sigkill signal };
type httpd_sys_content_t;
type httpd_sys_script_rw_t;
type httpd_sys_script_t;
type httpd_t;
type initrc_var_run_t;
type ls_exec_t;
type nagios_cgi_t;
type nagios_etc_t;
type nagios_t;
type ping_t;
type prelink_t;
type public_content_t;
type urandom_device_t;
type user_home_t;
type useradd_t;
type usr_t;
type var_log_t;
role system_r;
};

allow httpd_sys_script_t nagios_etc_t:dir search;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file getattr;
allow httpd_sys_script_t httpd_sys_content_t:fifo_file write;
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t public_content_t:fifo_file getattr;
allow httpd_sys_script_t usr_t:fifo_file getattr;
allow httpd_t httpd_sys_content_t:fifo_file getattr;
allow httpd_t httpd_sys_content_t:fifo_file write;
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t usr_t:file execute;
allow nagios_cgi_t httpd_sys_content_t:dir search;
allow nagios_t httpd_sys_script_rw_t:dir search;
allow nagios_t initrc_var_run_t:file write;
allow nagios_t urandom_device_t:chr_file read;
allow ping_t httpd_sys_content_t:fifo_file read;
allow ping_t public_content_t:fifo_file read;
allow ping_t usr_t:fifo_file read;
allow ping_t usr_t:file { read write };
allow prelink_t httpd_sys_content_t:file read;
allow useradd_t var_log_t:file { read write };
end

If you see a way to make this better, or more secure without breaking Nagios, 
let me know...


- Jaimie Livingston (jaimielives)

---
The mailing list archive is found here:
http://www.nagiosexchange.org/nagios-users.34.0.html

