I took a slightly different approach to get SELinux in RHEL4 to work
with Nagios. We're predominately a Windows shop and the majority of our
system admins has no *nix experience at all, so I was looking for a way
to get them to play nice together without modifying the policy source.
What I ended up doing after beating my head against a wall for a few
days is run the following commands (explanation following each command -
locations assume nagios is installed from the Dag Wieers RPMs):
chcon -R -t httpd_sys_script_exec_t /usr/lib/nagios/cgi
(allow apache to execute the CGIs)
chcon -Rh -t httpd_sys_script_ro_t /var/log/nagios
(allow apache to read the nagios logs)
chcon -Rh -t httpd_sys_script_rw_t /var/log/nagios/rw
(allow apache to write to the external commands files)
chcon -h -t httpd_sys_script_ro_t /var/log
(allow apache to traverse /var/log so it can get to the nagios
subdirectory)
I am not overly familiar with SELinux myself, so I am sure that this
opens up additional security holes, but in my company's environment,
heavy modifications would not be understood or maintained. I'm
especially not happy with the last command, but httpd_sys_script_ro_t
was the lowest built-in permission type I could give to the /var/log
directory while still having the nagios web interface work. While it
does not change the type on the contents of /var/log, any new files or
folders will be created with the type httpd_sys_script_ro_t, so chcon -h
-t httpd_sys_script_ro_t /var/log should only be run at the very end of
the configuration process for the server.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sam
Hooker
Sent: Tuesday, March 27, 2007 3:11 PM
To: nagios-users@lists.sourceforge.net
Subject: Re: [Nagios-users] RHEL4 selinux and nagios
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SELinux is a beast, but I think it's a worthwhile thing to understand,
so I applaud your desire to make it work for you. Once you start
wrapping your brain around it, it gets easier, although I'm sure we've
only scratched the surface at my shop. My biggest complaint about the
SELinux implementation in RHEL4 is just that the
selinux-policy-targeted-sources RPM isn't included in the standard
rollout, and that can lead to a lot of head-scratching. ("I know I want
to change these policies, but can't figure out what to change...")
So, I don't know if some of these items have been discussed on this list
already, but here are some of our generic
"Nagios-on-CentOS4-with-SELinux-enabled" notes. I also disclaim any
liability for these changes having unintended consequences in your
security context (which I don't know anything about), so "Caveat
lector". Also, note that some aspects of these two issues may have been
corrected by the packagers (our Nagios installs on CentOS4/RHEL4 come
from Dag Wieers' package repositories):
1) Enabling the Web Interface
Using the nagios packages from Dag Wieers, there are a couple of tasks
that need to be completed in order to make the nagios web interface
function:
* if it is not already installed, the
selinux-policy-targeted-sources RPM must be installed in order
to allow editing of Selinux policy.
* edit the /etc/selinux/targeted/src/policy/policy.conf file and
jump to the section marked "line 172". Add the following
entries:
#line 172
allow httpd_sys_script_t var_log_t:dir search; allow
httpd_sys_script_t var_log_t:file { getattr read }; allow
httpd_sys_script_t var_log_t:file read; allow httpd_sys_script_t
var_log_t:fifo_file getattr; allow httpd_sys_script_t
var_log_t:fifo_file { getattr write };
* change the context of the /usr/lib/nagios/cgi directory to
"system_u:object_r:httpd_sys_script_exec_t"
chcon -R system_u:object_r:httpd_sys_script_exec_t /usr/lib/nagios/cgi
2) Nagios Hangs When Launched By Init
(Most of this answer was found at
http://article.gmane.org/gmane.network.nagios.user/34668, but successful
implementation required some of our own research.)
The nagios init script as provided by Dag Wieers uses 'su -l ...' to
touch a few crucial files on launch. Unfortunately, this apparently
leaves room for ambiguity where SELinux is concerned, and the SELinux
subsystem consequently needs clarification. If you're running the init
script from the command-line, it will ask, interactively:
[EMAIL PROTECTED] ~]# service nagios start
Starting network monitor: nagios
Your default context is user_u:system_r:unconfined_t.
Do you want to choose a different one? [n]
Answering this with a simple [ENTER] allows nagios to start correctly.
An unattended boot, however, leaves no room for this method of
interaction. What you'll see in these cases (apart from a Nagios server
that's not emitting any check results) is 'ps -few | grep nagios'
returning a hung "initlog" process, and possibly something like this:
root 27790 27787 0 12:32 pts/2 00:00:00 su -l nagios -c touch
/var/log/nagios/nagios.log /var/log/nagios/status.sav
The Fix
* back up the original file and make sure your backup matches the
original's SELinux context:
[EMAIL PROTECTED] init.d]# cd /etc/init.d/
[EMAIL PROTECTED] init.d]# ls -alZ *nagios*
-rwxrwxr-- root root system_u:object_r:initrc_exec_t nagios
[EMAIL PROTECTED] init.d]# cp -a nagios ORIG.nagios [EMAIL PROTECTED] init.d]#
chcon -u system_u -r object_r -t initrc_exec_t\
ORIG.nagios
[EMAIL PROTECTED] init.d]# ls -alZ *nagios*
-rwxrwxr-- root root system_u:object_r:initrc_exec_t nagios
-rwxrwxr-- root root system_u:object_r:initrc_exec_t \
ORIG.nagios
* edit the "nagios" file to replace this line:
su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
with this one:
/usr/bin/sudo -u $Nagios /bin/touch $NagiosVar/nagios.log $NagiosSav
That's all we've run into, thusfar. If you have specific questions
beyond these, I'd be happy to take a pass at them. Good luck!
Cheers,
- -sth
sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com
tail -f /var/llog/llama
> Message: 2
> Date: Tue, 27 Mar 2007 13:02:38 -0400
> From: "Onotsky, Steve x55328" <[EMAIL PROTECTED]>
> Subject: Re: [Nagios-users] RHEL4 selinux and nagios
> To: "s cinux" <[EMAIL PROTECTED]>,
<nagios-users@lists.sourceforge.net>
> Message-ID:
> <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="windows-1252"
>
> Our current Nagios install (2.0b2) is running on an RHEL3 box. I'm
setting
> up a new instance (2.8) on RHEL4; I set SELinux to "Warn" at install
> time, so that we don't get confused trying to figure out why things
> aren't
working
> (we haven't had much need for SE before, but are starting to look at
> it now).
>
>
>
> On a somewhat-related note, if anyone is installing RHEL4 into a VM
> under VMware ESX 2.5, you've likely encountered the issue where the
> guest OS
clock
> lags behind real time, even with ntp and VM guest clock sync set up.
> The fix, as I've discovered, is to update ESX to v2.5.4 build 36502
> (three
patch
> bundles from a stock 2.5.0 install). Apparently the issue doesn't
> affect ESX 3.0+, but we haven't tested - waiting for FY08 to start so
> we can
start
> spending the budget and upgrade. :-)
>
>
>
> Just thought I'd share...
>
>
>
>
>
> Steve Onotsky
>
> Server Support Technologist
>
> ADP Investor Communications
>
> 5970 Chedworth Way
>
> Mississauga ON L5R 4G5
>
> Tel: (905) 507-5328
>
> Fax: (905) 507-5312
>
> Inet: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
>
>
>
> Duc, sequere, aut de via decede.
>
> _____
>
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> Sent: March 27, 2007 12:53
> To: nagios-users@lists.sourceforge.net
> Subject: [Nagios-users] RHEL4 selinux and nagios
>
>
>
> Anybody go through the rigamarole of setting up nagios on a RHEL4 box
> running targeted selinux? I don't want to disable selinux just to get
> nagios up and running. If you have notes, suggestions, links,
etc...please
> post them or email me. Thanks!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGCXpkX8KByLv3aQ0RAoSOAKDbMzEyPbr65vI5xTxGnN6XQRs/YQCg2K5p
W6Wu0tBJ3IMBzeH47pWoTXA=
=QJuB
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
-
Take Surveys. Earn Cash. Influence the Future of IT Join
SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE
V
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when
reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue.
::: Messages without supporting info will risk being sent to /dev/null
