Re: [Nagios-users] RHEL4 selinux and nagios

2007-03-27 Thread Onotsky, Steve x55328
Our current Nagios install (2.0b2) is running on an RHEL3 box.  I'm setting
up a new instance (2.8) on RHEL4; I set SELinux to Warn at install time,
so that we don't get confused trying to figure out why things aren't working
(we haven't had much need for SE before, but are starting to look at it
now).

On a somewhat-related note, if anyone is installing RHEL4 into a VM under
VMware ESX 2.5, you've likely encountered the issue where the guest OS clock
lags behind real time, even with ntp and VM guest clock sync set up.  The
fix, as I've discovered, is to update ESX to v2.5.4 build 36502 (three patch
bundles from a stock 2.5.0 install).  Apparently the issue doesn't affect
ESX 3.0+, but we haven't tested - waiting for FY08 to start so we can start
spending the budget and upgrade.  :-)

Just thought I'd share...

Steve Onotsky
Server Support Technologist
ADP Investor Communications
5970 Chedworth Way
Mississauga  ON  L5R 4G5
Tel: (905) 507-5328
Fax: (905) 507-5312
Inet: [EMAIL PROTECTED]

Duc, sequere, aut de via decede.

From: [EMAIL PROTECTED]
Sent: March 27, 2007 12:53
To: nagios-users@lists.sourceforge.net
Subject: [Nagios-users] RHEL4 selinux and nagios


Anybody go through the rigamarole of setting up nagios on a RHEL4 box
running targeted selinux?  I don't want to disable selinux just to get
nagios up and running.  If you have notes, suggestions, links, etc...please
post them or email me.  Thanks! 

Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting 
any issue. 
::: Messages without supporting info will risk being sent to /dev/null

Re: [Nagios-users] RHEL4 selinux and nagios

2007-03-27 Thread Sam Hooker

SELinux is a beast, but I think it's a worthwhile thing to understand,
so I applaud your desire to make it work for you. Once you start
wrapping your brain around it, it gets easier, although I'm sure we've
only scratched the surface at my shop. My biggest complaint about the
SELinux implementation in RHEL4 is just that the
selinux-policy-targeted-sources RPM isn't included in the standard
rollout, and that can lead to a lot of head-scratching. (I know I want
to change these policies, but can't figure out what to change...)

So, I don't know if some of these items have been discussed on this list
already, but here are some of our generic
Nagios-on-CentOS4-with-SELinux-enabled notes. I also disclaim any
liability for these changes having unintended consequences in your
security context (which I don't know anything about), so Caveat
lector. Also, note that some aspects of these two issues may have been
corrected by the packagers (our Nagios installs on CentOS4/RHEL4 come
from Dag Wieers' package repositories):


1) Enabling the Web Interface

Using the nagios packages from Dag Wieers, there are a couple of tasks
that need to be completed in order to make the nagios web interface
function:

* if it is not already installed, the
selinux-policy-targeted-sources RPM must be installed in order
to allow editing of Selinux policy.
* edit the /etc/selinux/targeted/src/policy/policy.conf file and
jump to the section marked line 172. Add the following
entries:

 #line 172
 allow httpd_sys_script_t var_log_t:dir search;
 allow httpd_sys_script_t var_log_t:file { getattr read };
 allow httpd_sys_script_t var_log_t:file read;
 allow httpd_sys_script_t var_log_t:fifo_file getattr;
 allow httpd_sys_script_t var_log_t:fifo_file { getattr write };

* change the context of the /usr/lib/nagios/cgi directory to
system_u:object_r:httpd_sys_script_exec_t

 chcon -R system_u:object_r:httpd_sys_script_exec_t /usr/lib/nagios/cgi


2) Nagios Hangs When Launched By Init

(Most of this answer was found at
http://article.gmane.org/gmane.network.nagios.user/34668, but successful
implementation required some of our own research.)

The nagios init script as provided by Dag Wieers uses 'su -l ...' to
touch a few crucial files on launch. Unfortunately, this apparently
leaves room for ambiguity where SELinux is concerned, and the SELinux
subsystem consequently needs clarification. If you're running the init
script from the command-line, it will ask, interactively:

 [EMAIL PROTECTED] ~]# service nagios start
 Starting network monitor: nagios
 Your default context is user_u:system_r:unconfined_t.

 Do you want to choose a different one? [n]

Answering this with a simple [ENTER] allows nagios to start correctly.
An unattended boot, however, leaves no room for this method of
interaction. What you'll see in these cases (apart from a Nagios server
that's not emitting any check results) is 'ps -few | grep nagios'
returning a hung initlog process, and possibly something like this:

 root 27790 27787  0 12:32 pts/2    00:00:00 su -l nagios -c touch /var/log/nagios/nagios.log /var/log/nagios/status.sav

The Fix

* back up the original file and make sure your backup matches the
original's SELinux context:

 [EMAIL PROTECTED] init.d]# cd /etc/init.d/
 [EMAIL PROTECTED] init.d]# ls -alZ *nagios*
 -rwxrwxr--  root root system_u:object_r:initrc_exec_t  nagios
 [EMAIL PROTECTED] init.d]# cp -a nagios ORIG.nagios
 [EMAIL PROTECTED] init.d]# chcon -u system_u -r object_r -t initrc_exec_t ORIG.nagios
 [EMAIL PROTECTED] init.d]# ls -alZ *nagios*
 -rwxrwxr--  root root system_u:object_r:initrc_exec_t  nagios
 -rwxrwxr--  root root system_u:object_r:initrc_exec_t  ORIG.nagios

* edit the nagios file to replace this line:

 su -l $Nagios -c touch $NagiosVar/nagios.log $NagiosSav

with this one:

 /usr/bin/sudo -u $Nagios /bin/touch $NagiosVar/nagios.log $NagiosSav


That's all we've run into, thus far. If you have specific questions
beyond these, I'd be happy to take a pass at them. Good luck!

Cheers,

- -sth

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com

tail -f /var/llog/llama

 Message: 2
 Date: Tue, 27 Mar 2007 13:02:38 -0400
 From: Onotsky, Steve x55328 [EMAIL PROTECTED]
 Subject: Re: [Nagios-users] RHEL4 selinux and nagios
 To: s cinux [EMAIL PROTECTED],nagios-users@lists.sourceforge.net
 Message-ID:
   [EMAIL PROTECTED]
 Content-Type: text/plain; charset=windows-1252
Re: [Nagios-users] RHEL4 selinux and nagios

2007-03-27 Thread Rachel Beittenmiller

I took a slightly different approach to get SELinux in RHEL4 to work
with Nagios.  We're predominately a Windows shop and the majority of our
system admins have no *nix experience at all, so I was looking for a way
to get them to play nice together without modifying the policy source.
What I ended up doing after beating my head against a wall for a few
days is run the following commands (explanation following each command -
locations assume nagios is installed from the Dag Wieers RPMs):

chcon -R -t httpd_sys_script_exec_t /usr/lib/nagios/cgi
(allow apache to execute the CGIs)
chcon -Rh -t httpd_sys_script_ro_t /var/log/nagios
(allow apache to read the nagios logs)
chcon -Rh -t httpd_sys_script_rw_t /var/log/nagios/rw
(allow apache to write to the external commands files)
chcon -h -t httpd_sys_script_ro_t /var/log
(allow apache to traverse /var/log so it can get to the nagios
subdirectory)

I am not overly familiar with SELinux myself, so I am sure that this
opens up additional security holes, but in my company's environment,
heavy modifications would not be understood or maintained.  I'm
especially not happy with the last command, but httpd_sys_script_ro_t
was the lowest built-in permission type I could give to the /var/log
directory while still having the nagios web interface work.  While it
does not change the type on the contents of /var/log, any new files or
folders will be created with the type httpd_sys_script_ro_t, so chcon -h
-t httpd_sys_script_ro_t /var/log should only be run at the very end of
the configuration process for the server.


-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sam Hooker
Sent: Tuesday, March 27, 2007 3:11 PM
To: nagios-users@lists.sourceforge.net
Subject: Re: [Nagios-users] RHEL4 selinux and nagios

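A way to verify that the four chcon commands in Rachel's post took effect, and to audit the side effect she warns about (entries created under /var/log after the last chcon inheriting httpd_sys_script_ro_t). This is an added example, not code from the post: the functions parse `ls -dZ` / `ls -Z` output in the three-field user:role:type form RHEL4 prints, the sample listings are constructed, and the restorecon hint assumes the policy's file_contexts default for /var/log entries is what you want back.

```shell
#!/bin/sh
# Added example, not code from the post: check the result of the four chcon
# commands and audit the /var/log side effect the post warns about. Input is
# 'ls -dZ' / 'ls -Z' output in the RHEL4 form
#   <mode> <owner> <group> <user:role:type> <name>
# The sample listings at the bottom are constructed.

# type_of_context CONTEXT: print the type field of user:role:type
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the post assigns to each path (non-zero for others)
expected_type() {
    case "$1" in
        /usr/lib/nagios/cgi) echo httpd_sys_script_exec_t ;;
        /var/log/nagios)     echo httpd_sys_script_ro_t ;;
        /var/log/nagios/rw)  echo httpd_sys_script_rw_t ;;
        /var/log)            echo httpd_sys_script_ro_t ;;
        *)                   return 1 ;;
    esac
}

# check_types < 'ls -dZ <paths>' output
# Prints ok/MISMATCH/skip per line; returns 0 only if nothing mismatched.
check_types() {
    bad=0
    while read -r mode owner group ctx path; do
        [ -n "$path" ] || continue
        if want=$(expected_type "$path"); then
            got=$(type_of_context "$ctx")
            if [ "$got" = "$want" ]; then
                echo "ok $path $got"
            else
                echo "MISMATCH $path has $got, want $want"
                bad=1
            fi
        else
            echo "skip $path (not one of the paths the post changes)"
        fi
    done
    return $bad
}

# audit_var_log_inheritance < 'ls -Z' output taken inside /var/log
# Flags entries outside the nagios tree that carry httpd_sys_script_ro_t, i.e.
# logs created after the chcon on /var/log that Apache's CGIs may now read.
# Returns 1 if any were found. 'restorecon' (policycoreutils) resets a path
# to the policy's default context.
audit_var_log_inheritance() {
    found=0
    while read -r mode owner group ctx name; do
        case "$name" in ''|.|..) continue ;; esac
        case "$name" in /*) path=$name ;; *) path=/var/log/$name ;; esac
        case "$path" in /var/log|/var/log/nagios|/var/log/nagios/*) continue ;; esac
        if [ "$(type_of_context "$ctx")" = httpd_sys_script_ro_t ]; then
            echo "INHERITED $path (check with ls -dZ; restorecon -v $path resets it)"
            found=1
        fi
    done
    return $found
}

# constructed 'ls -dZ' output after the chcon commands, with /var/log/nagios/rw
# deliberately still at its default type to show a missed step being caught
sample_check='drwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t /usr/lib/nagios/cgi
drwxrwxr-x  nagios nagios system_u:object_r:httpd_sys_script_ro_t /var/log/nagios
drwxrwsr-x  nagios nagios system_u:object_r:var_log_t /var/log/nagios/rw
drwxr-xr-x  root root system_u:object_r:httpd_sys_script_ro_t /var/log'

# constructed 'ls -Z' output inside /var/log some time after the last chcon
sample_audit='-rw-------  root root system_u:object_r:var_log_t messages
-rw-r--r--  root root system_u:object_r:httpd_sys_script_ro_t newapp.log
drwxrwxr-x  nagios nagios system_u:object_r:httpd_sys_script_ro_t nagios'

printf '%s\n' "$sample_check" | check_types || echo "one or more chcon steps did not take"
printf '%s\n' "$sample_audit" | audit_var_log_inheritance || echo "new /var/log entries inherited the CGI-readable type"
```

On the server itself, feed the functions live output: `ls -dZ /usr/lib/nagios/cgi /var/log/nagios /var/log/nagios/rw /var/log | check_types` right after the chcon commands, and `(cd /var/log && ls -Z) | audit_var_log_inheritance` periodically afterwards, since every log a new daemon creates under /var/log will show up as INHERITED until its context is reset.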