I took a slightly different approach to get SELinux in RHEL4 to work with Nagios. We're predominantly a Windows shop and the majority of our system admins have no *nix experience at all, so I was looking for a way to get them to play nice together without modifying the policy source. What I ended up doing after beating my head against a wall for a few days is run the following commands (explanation following each command; locations assume nagios is installed from the Dag Wieers RPMs):

chcon -R -t httpd_sys_script_exec_t /usr/lib/nagios/cgi
(allow apache to execute the CGIs)

chcon -Rh -t httpd_sys_script_ro_t /var/log/nagios
(allow apache to read the nagios logs)

chcon -Rh -t httpd_sys_script_rw_t /var/log/nagios/rw
(allow apache to write to the external command files)

chcon -h -t httpd_sys_script_ro_t /var/log
(allow apache to traverse /var/log so it can get to the nagios subdirectory)

I am not overly familiar with SELinux myself, so I am sure that this opens up additional security holes, but in my company's environment, heavy modifications would not be understood or maintained. I'm especially not happy with the last command, but httpd_sys_script_ro_t was the lowest built-in permission type I could give to the /var/log directory while still having the nagios web interface work. While it does not change the type on the contents of /var/log, any new files or folders will be created with the type httpd_sys_script_ro_t, so chcon -h -t httpd_sys_script_ro_t /var/log should only be run at the very end of the configuration process for the server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Hooker
Sent: Tuesday, March 27, 2007 3:11 PM
To: nagios-users@lists.sourceforge.net
Subject: Re: [Nagios-users] RHEL4 selinux and nagios

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SELinux is a beast, but I think it's a worthwhile thing to understand, so I applaud your desire to make it work for you. Once you start wrapping your brain around it, it gets easier, although I'm sure we've only scratched the surface at my shop. My biggest complaint about the SELinux implementation in RHEL4 is just that the selinux-policy-targeted-sources RPM isn't included in the standard rollout, and that can lead to a lot of head-scratching. ("I know I want to change these policies, but can't figure out what to change...")

So, I don't know if some of these items have been discussed on this list already, but here are some of our generic "Nagios-on-CentOS4-with-SELinux-enabled" notes. I also disclaim any liability for these changes having unintended consequences in your security context (which I don't know anything about), so "Caveat lector". Also, note that some aspects of these two issues may have been corrected by the packagers (our Nagios installs on CentOS4/RHEL4 come from Dag Wieers' package repositories):

1) Enabling the Web Interface

Using the nagios packages from Dag Wieers, there are a couple of tasks that need to be completed in order to make the nagios web interface function:

* if it is not already installed, the selinux-policy-targeted-sources RPM must be installed in order to allow editing of SELinux policy.

* edit the /etc/selinux/targeted/src/policy/policy.conf file and jump to the section marked "line 172". Add the following entries:

#line 172
allow httpd_sys_script_t var_log_t:dir search;
allow httpd_sys_script_t var_log_t:file { getattr read };
allow httpd_sys_script_t var_log_t:file read;
allow httpd_sys_script_t var_log_t:fifo_file getattr;
allow httpd_sys_script_t var_log_t:fifo_file { getattr write };

* change the context of the /usr/lib/nagios/cgi directory to "system_u:object_r:httpd_sys_script_exec_t":

chcon -R system_u:object_r:httpd_sys_script_exec_t /usr/lib/nagios/cgi

2) Nagios Hangs When Launched By Init

(Most of this answer was found at http://article.gmane.org/gmane.network.nagios.user/34668, but successful implementation required some of our own research.)

The nagios init script as provided by Dag Wieers uses 'su -l ...' to touch a few crucial files on launch. Unfortunately, this apparently leaves room for ambiguity where SELinux is concerned, and the SELinux subsystem consequently needs clarification. If you're running the init script from the command line, it will ask, interactively:

[EMAIL PROTECTED] ~]# service nagios start
Starting network monitor: nagios
Your default context is user_u:system_r:unconfined_t.
Do you want to choose a different one? [n]

Answering this with a simple [ENTER] allows nagios to start correctly. An unattended boot, however, leaves no room for this method of interaction. What you'll see in these cases (apart from a Nagios server that's not emitting any check results) is 'ps -few | grep nagios' returning a hung "initlog" process, and possibly something like this:

root 27790 27787 0 12:32 pts/2 00:00:00 su -l nagios -c touch /var/log/nagios/nagios.log /var/log/nagios/status.sav

The Fix

* back up the original file and make sure your backup matches the original's SELinux context:

[EMAIL PROTECTED] init.d]# cd /etc/init.d/
[EMAIL PROTECTED] init.d]# ls -alZ *nagios*
-rwxrwxr-- root root system_u:object_r:initrc_exec_t nagios
[EMAIL PROTECTED] init.d]# cp -a nagios ORIG.nagios
[EMAIL PROTECTED] init.d]# chcon -u system_u -r object_r -t initrc_exec_t ORIG.nagios
[EMAIL PROTECTED] init.d]# ls -alZ *nagios*
-rwxrwxr-- root root system_u:object_r:initrc_exec_t nagios
-rwxrwxr-- root root system_u:object_r:initrc_exec_t ORIG.nagios

* edit the "nagios" file to replace this line:

su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"

with this one:

/usr/bin/sudo -u $Nagios /bin/touch $NagiosVar/nagios.log $NagiosSav

That's all we've run into, thus far. If you have specific questions beyond these, I'd be happy to take a pass at them. Good luck!

Cheers,
- -sth

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com
tail -f /var/llog/llama

> Message: 2
> Date: Tue, 27 Mar 2007 13:02:38 -0400
> From: "Onotsky, Steve x55328" <[EMAIL PROTECTED]>
> Subject: Re: [Nagios-users] RHEL4 selinux and nagios
> To: "s cinux" <[EMAIL PROTECTED]>, <nagios-users@lists.sourceforge.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="windows-1252"
>
> Our current Nagios install (2.0b2) is running on an RHEL3 box. I'm setting
> up a new instance (2.8) on RHEL4; I set SELinux to "Warn" at install
> time, so that we don't get confused trying to figure out why things
> aren't working (we haven't had much need for SE before, but are starting
> to look at it now).
>
> On a somewhat-related note, if anyone is installing RHEL4 into a VM
> under VMware ESX 2.5, you've likely encountered the issue where the
> guest OS clock lags behind real time, even with ntp and VM guest clock
> sync set up. The fix, as I've discovered, is to update ESX to v2.5.4
> build 36502 (three patch bundles from a stock 2.5.0 install). Apparently
> the issue doesn't affect ESX 3.0+, but we haven't tested - waiting for
> FY08 to start so we can start spending the budget and upgrade. :-)
>
> Just thought I'd share...
>
> Steve Onotsky
> Server Support Technologist
> ADP Investor Communications
> 5970 Chedworth Way
> Mississauga ON L5R 4G5
> Tel: (905) 507-5328
> Fax: (905) 507-5312
> Inet: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
>
> Duc, sequere, aut de via decede.
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: March 27, 2007 12:53
> To: nagios-users@lists.sourceforge.net
> Subject: [Nagios-users] RHEL4 selinux and nagios
>
> Anybody go through the rigamarole of setting up nagios on a RHEL4 box
> running targeted selinux? I don't want to disable selinux just to get
> nagios up and running.
> If you have notes, suggestions, links, etc...please
> post them or email me. Thanks!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGCXpkX8KByLv3aQ0RAoSOAKDbMzEyPbr65vI5xTxGnN6XQRs/YQCg2K5p
W6Wu0tBJ3IMBzeH47pWoTXA=
=QJuB
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
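One way to verify that the chcon labels from the first post are still in place, and to catch the drift that post warns about (new files under /var/log inheriting httpd_sys_script_ro_t and so becoming readable by httpd CGI scripts). This is an added example, not code from any of the posters; the `ls -Z` listing it parses is constructed inline in the five-column RHEL4 form quoted in the thread, and the nagcmd group and newapp.log file in it are made up.

```python
"""Audit RHEL4-style `ls -Z` output against the chcon types used in the thread.
Added example, not from the list posts; the listing below is constructed."""

# Types the first post assigns with chcon, keyed by the poster's paths.
EXPECTED = {
    "/usr/lib/nagios/cgi": "httpd_sys_script_exec_t",
    "/var/log": "httpd_sys_script_ro_t",
    "/var/log/nagios": "httpd_sys_script_ro_t",
    "/var/log/nagios/rw": "httpd_sys_script_rw_t",
}
# Any of these types lets httpd CGI scripts read, write or execute the file.
HTTPD_TYPES = set(EXPECTED.values())

# Constructed sample in the five-column form quoted in the thread
# (mode user group user:role:type path); nagcmd and newapp.log are made up.
SAMPLE_LS_Z = """\
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /usr/lib/nagios/cgi
drwxr-xr-x root root system_u:object_r:httpd_sys_script_ro_t /var/log
drwxrwxr-x nagios nagios user_u:object_r:httpd_sys_script_ro_t /var/log/nagios
drwxrwsr-x nagios nagcmd user_u:object_r:httpd_sys_script_ro_t /var/log/nagios/rw
-rw------- root root system_u:object_r:var_log_t /var/log/messages
-rw-r--r-- root root root:object_r:httpd_sys_script_ro_t /var/log/newapp.log
"""

def parse_ls_z(text):
    """Map path -> SELinux type; the path (last field) may contain spaces."""
    contexts = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[3].count(":") == 2:
            contexts[fields[4]] = fields[3].split(":")[2]
    return contexts

def audit(contexts, expected=EXPECTED, log_root="/var/log",
          nagios_root="/var/log/nagios"):
    """Return (mismatches, leaked): expected paths whose type differs, and
    paths under log_root but outside the nagios tree that carry an httpd
    type, i.e. files that inherited the relaxed /var/log label later on."""
    under = lambda p, root: p == root or p.startswith(root + "/")
    mismatches = {p: (t, contexts.get(p)) for p, t in expected.items()
                  if contexts.get(p) != t}
    leaked = sorted(p for p, t in contexts.items()
                    if p != log_root and under(p, log_root)
                    and not under(p, nagios_root) and t in HTTPD_TYPES)
    return mismatches, leaked

def run_audit(listing=SAMPLE_LS_Z):
    """Parse a listing and audit it; returns the (mismatches, leaked) pair."""
    return audit(parse_ls_z(listing))
```

On a real box, feed it the output of `ls -dZ` over /usr/lib/nagios/cgi and a `find /var/log` walk; the leaked list is what the first post's closing caveat is about.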