Good place to start… I'll try building a base-level system and start with this and see if we can get this back in the stock RPM to help people out. I think I'd be more likely to use selinux on my nagios boxes if I didn't have to do as much to get it set up :)
Dan

On Mar 13, 2013, at 10:31 AM, Chris Beattie wrote:

> On 3/13/2013 9:51 AM, Jonathan Gazeley wrote:
>> The end result is a fairly permissive SELinux policy *for Nagios* but
>> still far better than not having SELinux at all.
>
> That's exactly what I did, too. If it helps you get jump started, I
> ended up with a .te file that looks like this. I don't run any of the
> popular Nagios add-ons except for Check_MK, so your mileage may vary.
>
> module mynagios 1.0;
>
> require {
>         type initrc_tmp_t;
>         type httpd_t;
>         type httpd_sys_script_t;
>         type initrc_t;
>         type ping_t;
>         type unlabeled_t;
>         type usr_t;
>         type var_lib_t;
>         class association recvfrom;
>         class dir { create setattr };
>         class fifo_file { getattr write };
>         class file { execute execute_no_trans read write };
>         class sock_file write;
>         class unix_stream_socket connectto;
> }
>
> #============= httpd_t ==============
> allow httpd_t usr_t:file execute_no_trans;
> allow httpd_t usr_t:file execute;
> allow httpd_t usr_t:fifo_file getattr;
> allow httpd_t usr_t:fifo_file write;
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t usr_t:sock_file write;
> allow httpd_t var_lib_t:dir { create setattr };
>
> #============= unlabeled_t ==============
> allow unlabeled_t self:association recvfrom;
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t usr_t:fifo_file write;
> allow httpd_sys_script_t usr_t:fifo_file getattr;
>
> #============= ping_t ==============
> allow ping_t initrc_tmp_t:file { read write };
> --
> -Chris
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Nagios-users mailing list
> Nagios-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting
> any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
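A review pass worth running over an audit2allow-generated .te like Chris's before packaging it, added here as an example (not code from the thread or from the Nagios project): it parses the allow rules and flags the ones that usually point at a labelling gap rather than a genuinely missing permission. The allow rules are the ones quoted above; the tags and heuristics are this example's own assumptions.

```python
import re

# Allow rules from the mynagios.te quoted above (require block omitted); the review
# heuristics below are this example's own, not from the thread or the SELinux toolchain.
SAMPLE_TE = """
allow httpd_t usr_t:file execute_no_trans;
allow httpd_t usr_t:file execute;
allow httpd_t usr_t:fifo_file getattr;
allow httpd_t usr_t:fifo_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t usr_t:sock_file write;
allow httpd_t var_lib_t:dir { create setattr };
allow unlabeled_t self:association recvfrom;
allow httpd_sys_script_t usr_t:fifo_file write;
allow httpd_sys_script_t usr_t:fifo_file getattr;
allow ping_t initrc_tmp_t:file { read write };
"""

ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)
GENERIC_TYPES = {"usr_t", "var_lib_t"}       # catch-all labels: usually a mislabelled file
INIT_TYPES = {"initrc_t", "initrc_tmp_t"}    # the daemon never left the init-script domain
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}
WRITE_PERMS = {"write", "append", "create", "setattr", "unlink", "rename"}

def parse_allow_rules(te_text):
    # Returns (source, target, class, perms) for every allow rule in the module text.
    return [(src, tgt, cls, set(perms.strip("{} ").split()))
            for src, tgt, cls, perms in ALLOW_RE.findall(te_text)]

def review_rules(rules):
    """Tag rules that audit2allow emitted because of labelling gaps, not missing policy."""
    findings = []
    for src, tgt, cls, perms in rules:
        if "unlabeled_t" in (src, tgt):
            tag = "unlabeled"      # relabel the path (restorecon) instead of allowing it
        elif tgt in INIT_TYPES:
            tag = "init-domain"    # Nagios should run in its own domain, not initrc_t
        elif cls == "file" and perms & EXEC_PERMS and tgt in GENERIC_TYPES:
            tag = "exec-generic"   # web domain executing anything labelled usr_t
        elif tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            tag = "write-generic"  # write to a catch-all type: give the dir its own label
        else:
            continue               # e.g. getattr on a fifo: harmless, leave it
        findings.append((src, tgt, cls, tag))
    return findings

def tag_counts(te_text):
    # Histogram of finding tags, a quick go/no-go before semodule -i.
    counts = {}
    for *_, tag in review_rules(parse_allow_rules(te_text)):
        counts[tag] = counts.get(tag, 0) + 1
    return counts
```

Only after the flagged rules have been looked at does the module get built and loaded, with the usual checkmodule -M -m -o mynagios.mod mynagios.te, semodule_package -o mynagios.pp -m mynagios.mod and semodule -i mynagios.pp.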