Comments on: FC6, SELinux and Nagios http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/ Acquiring information, one day at a time. Fri, 30 Jul 2010 16:01:09 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Jason Sjobeck http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-19991 Jason Sjobeck Mon, 08 Dec 2008 06:26:10 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-19991 I wish I had something exactly like this for OTRS, which is giving me fits on my centOS 5.2 machine runing Apache 2. I am getting this error: [Sun Dec 07 22:00:56 2008] [error] [client 10.0.100.12] attempt to invoke directory as script: /opt/otrs/bin/cgi-bin/ Ut oh, sorry, I just realized that I can not tell if this from mod_suexec? or selinux? or what? I wish I had something exactly like this for OTRS, which is giving me fits on my centOS 5.2 machine runing Apache 2. I am getting this error:

[Sun Dec 07 22:00:56 2008] [error] [client 10.0.100.12] attempt to invoke directory as script: /opt/otrs/bin/cgi-bin/

Ut oh, sorry, I just realized that I can not tell if this from mod_suexec? or selinux? or what?

]]> By: r hill http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-10174 r hill Wed, 09 Apr 2008 02:02:01 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-10174 Under Fedora 7, it appears some mods must be made to the above. I had to add a couple of lines to the local policy module. Here's what I ended up with, in order to get no errors listed from setroubleshoot. Not sure if the allow ping_t var_spool_t is still needed or not: module local 1.0.0; require { class fifo_file read; class fifo_file getattr; class fifo_file write; class dir search; class process { sigkill signal }; type httpd_t; type httpd_nagios_script_t; type nagios_cgi_t; type nagios_log_t; type ping_t; type var_spool_t; role system_r; }; allow ping_t var_spool_t:fifo_file read; allow ping_t nagios_log_t:fifo_file read; allow httpd_t nagios_cgi_t:process { sigkill signal }; allow nagios_cgi_t var_spool_t:fifo_file getattr; allow nagios_cgi_t var_spool_t:dir search; allow nagios_cgi_t var_spool_t:fifo_file write; allow httpd_nagios_script_t nagios_log_t:fifo_file getattr; allow httpd_nagios_script_t nagios_log_t:fifo_file write; Under Fedora 7, it appears some mods must be made to the above. I had to add a couple of lines to the local policy module. Here’s what I ended up with, in order to get no errors listed from setroubleshoot. Not sure if the allow ping_t var_spool_t is still needed or not:
module local 1.0.0;
require {
class fifo_file read;
class fifo_file getattr;
class fifo_file write;
class dir search;
class process { sigkill signal };
type httpd_t;
type httpd_nagios_script_t;
type nagios_cgi_t;
type nagios_log_t;
type ping_t;
type var_spool_t;
role system_r;
};

allow ping_t var_spool_t:fifo_file read;
allow ping_t nagios_log_t:fifo_file read;
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow nagios_cgi_t var_spool_t:fifo_file getattr;
allow nagios_cgi_t var_spool_t:dir search;
allow nagios_cgi_t var_spool_t:fifo_file write;
allow httpd_nagios_script_t nagios_log_t:fifo_file getattr;
allow httpd_nagios_script_t nagios_log_t:fifo_file write;

]]> By: Jake Lundberg http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-4828 Jake Lundberg Tue, 27 Nov 2007 20:13:31 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-4828 Thanks for the pointers. While this didn't work for me step by step, I thought I'd share my how I overcame the differences. I used the following to get the necessary classes and types: <code>cat /var/log/audit/audit.log | audit2allow >> my_nagios.te</code> SAMPLE OUTPUT: #============= httpd_nagios_script_t ============== allow httpd_nagios_script_t var_spool_t:dir search; This gave me the skeleton file that has the allows I needed to import. Make sure to look it over for anything that might actually be a violation of course and remove those lines. Then make sure to include all classes (those entries after the :'s) and types (those entries before the :'s) in the require block as shown above. I named my policy my_nagios.te because nagios was already taken and giving errors: libsepol.print_missing_requirements: nagios's global requirements were not met: type/attribute nagios_etc_t libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! Then I made and imported the my_nagios.pp file and now my SELinux is playing nicely with Nagios. Thanks again for the help! Thanks for the pointers. While this didn’t work for me step by step, I thought I’d share my how I overcame the differences.

I used the following to get the necessary classes and types:

cat /var/log/audit/audit.log | audit2allow &gt;&gt; my_nagios.te

SAMPLE OUTPUT:
#============= httpd_nagios_script_t ==============
allow httpd_nagios_script_t var_spool_t:dir search;

This gave me the skeleton file that has the allows I needed to import. Make sure to look it over for anything that might actually be a violation of course and remove those lines. Then make sure to include all classes (those entries after the :’s) and types (those entries before the :’s) in the require block as shown above.

I named my policy my_nagios.te because nagios was already taken and giving errors:

libsepol.print_missing_requirements: nagios’s global requirements were not met: type/attribute nagios_etc_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Then I made and imported the my_nagios.pp file and now my SELinux is playing nicely with Nagios.

Thanks again for the help!

]]> By: OneBigBadBoy http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-4532 OneBigBadBoy Mon, 22 Oct 2007 12:29:32 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-4532 Hi, I installed it in my CentOS5 system, via the Fedora 6 repository. Because I use lighttpd I had to configure it first. As soon as I did that it worked out of the box. Hi,

I installed it in my CentOS5 system, via the Fedora 6 repository. Because I use lighttpd I had to configure it first. As soon as I did that it worked out of the box.

]]> By: Gerwin http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-4327 Gerwin Mon, 17 Sep 2007 08:11:39 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-4327 Great! This one helped me a lot! I used it on RHEL 5 and using the EPEL nagios rpms which work flawless with your manual. Great! This one helped me a lot! I used it on RHEL 5 and using the EPEL nagios rpms which work flawless with your manual.

]]> By: Scott Russell http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-795 Scott Russell Wed, 18 Apr 2007 14:34:15 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-795 Hi, This worked great under FC6. Saved me loads of time. Many thanks for the post. Worked fine, only issue I had was creating the local.te file as root, this seemed to give a problem, so I created it as a normal user, and then did the sudo bit(I suppose it might be obvious in hind sight). Hi,
This worked great under FC6. Saved me loads of time. Many thanks for the post. Worked fine, only issue I had was creating the local.te file as root, this seemed to give a problem, so I created it as a normal user, and then did the sudo bit(I suppose it might be obvious in hind sight).

]]> By: Thom Howard http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/comment-page-1/#comment-207 Thom Howard Tue, 27 Feb 2007 04:45:10 +0000 http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/#comment-207 Thanks for the article! I was pulling my hair out trying to get nagios to run under fedora 6. I was just about to ditch selinux when I found your post. Your instructions worked flawlessly. Thanks for the article! I was pulling my hair out trying to get nagios to run under fedora 6. I was just about to ditch selinux when I found your post.

Your instructions worked flawlessly.

]]>