Ben's notes

Linux, Unix, network, radio...



nagios_selinux

Nagios 3.5.0 on CentOS

CentOS 6.4 / Nagios 3.5.0

Install semanage

# semanage (for adjusting SELinux file contexts, booleans and permissive
# domains) is shipped in policycoreutils-python; this is the exact build
# pinned for this CentOS 6.4 host.
yum install -y policycoreutils-python-2.0.83-19.30.el6.x86_64

Create the policy module

# Keep the local module source next to the targeted policy it extends.
policy_dir=/etc/selinux/targeted/nagios
mkdir -p "$policy_dir"
# Write the module source (the nagios_plugin.te listing that follows).
vi "$policy_dir/nagios_plugin.te"
# Local SELinux policy module for Nagios 3.5.0 on CentOS 6.4 (targeted policy).
# Each allow rule grants one source domain a permission set on one target type
# and object class. The module is compiled with the reference-policy devel
# Makefile, so permission-set macros such as manage_file_perms are expanded
# by m4 before checkmodule sees the file.
#
# NOTE(review): var_t and usr_t are the generic fallback labels for content
# under /var and /usr that carries no more specific type. Granting access to
# them reaches far beyond the files Nagios itself owns. Where possible, label
# the specific spool/status/command paths Nagios uses with a Nagios type
# (semanage fcontext + restorecon) and allow that type instead -- confirm the
# exact paths against the AVC denials that produced these rules.
module nagios_plugin 1.0;

require {
         type nagios_t;                 # Nagios daemon domain
         type nagios_log_t;             # Nagios log files/directories
         type var_t;                    # generic /var label (see note above)
         type ping_t;                   # ping, as run by check_ping
         type httpd_t;                  # Apache daemon
         type httpd_sys_content_t;      # generic web content
         type httpd_nagios_script_t;    # Nagios CGIs run by Apache
         type httpd_sys_script_t;       # generic CGI scripts run by Apache
	 type usr_t;                    # generic /usr label (see note above)
         type procmail_t;               # procmail delivery agent
         type system_mail_t;            # system mailer (sendmail/postfix client)
         class process { signal sigkill ptrace };   # ptrace is only used by the commented-out rule below
         class dir { read write search add_name remove_name };
         class file manage_file_perms;  # macro: create/open/getattr/setattr/read/write/append/rename/link/unlink/ioctl/lock
         class file write;              # redundant: write is already part of manage_file_perms
         class fifo_file { read write create open getattr };
}

#============= httpd_nagios_script_t =================
# Nagios CGIs read var_t files and write to a var_t named pipe
# (presumably the external command file; confirm its path and label).
allow httpd_nagios_script_t var_t:file { read getattr };
allow httpd_nagios_script_t var_t:fifo_file { write getattr };

#============= httpd_t ==============
# Apache itself reads var_t files.
allow httpd_t var_t:file { read getattr };

#============= nagios_t ==============
# Left disabled: nagios does not need to ptrace itself. If it stays disabled,
# ptrace can also be dropped from the require block.
#allow nagios_t self:process ptrace;
# Lets nagios signal/kill the mailer it spawned (presumably notification
# commands that overran their timeout -- verify).
allow nagios_t system_mail_t:process { signal sigkill };
# NOTE(review): this lets the daemon write into web-served content. If only a
# status/export file is involved, a dedicated type for that file is narrower.
allow nagios_t httpd_sys_content_t:file { write getattr };
# Full create/delete/read/write on var_t directories, pipes and files; see the
# note at the top about how broad var_t is.
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
allow nagios_t var_t:file manage_file_perms;

#============= ping_t ==============
# NOTE(review): a ping process writing to var_t/usr_t files is unexpected;
# check which file triggered these denials before keeping the write rules.
allow ping_t var_t:file { read write };
allow ping_t usr_t:file write;

#============= httpd_sys_script_t ==============
# Generic CGI writing to a usr_t named pipe -- presumably a command pipe
# located under /usr; confirm and prefer a Nagios-specific label.
allow httpd_sys_script_t usr_t:fifo_file { getattr write open };


#============= procmail_t ==============
# procmail only needs to traverse the Nagios log directory.
allow procmail_t nagios_log_t:dir search;

Compile the policy module

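# Build nagios_plugin.pp from nagios_plugin.te with the reference-policy
# devel Makefile (m4 macro expansion, checkmodule, semodule_package).
# The Makefile works on the .te files in the current directory, so change
# into the module directory first -- the original left that step implicit
# and the later `semodule -i nagios_plugin.pp` relies on it. Naming the
# target builds only this module rather than every .te in the directory.
cd /etc/selinux/targeted/nagios && make -f /usr/share/selinux/devel/Makefile nagios_plugin.pp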

Load the policy module

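# Install the compiled module into the running policy. semodule -i works with
# enforcement on; the original bracketed it with `setenforce 0` / `setenforce 1`,
# which put every confined domain on the host into permissive mode for the
# duration of the load. If the intent is to watch for remaining denials before
# trusting the module, relax only the nagios domain instead:
#   semanage permissive -a nagios_t   (and later: semanage permissive -d nagios_t)
semodule -i /etc/selinux/targeted/nagios/nagios_plugin.pp
# Confirm the module is present in the loaded policy.
semodule -l | grep nagios_plugin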