I love Nagios, but have been having issues with it running under the SELinux targeted policy. I’ve finally made it work with no more AVCs or other errors (so far!). Here is what I have done to get it to work:

  1. Install nagios.
    1. sudo yum install nagios
    2. sudo yum install 'nagios-plugins-*'
  2. Make changes to nagios configuration to account for your situation.
  3. Make certain the permissions are correct.
    1. User apache needs read access to cfg files in /etc/nagios.
    2. User apache needs read access to web site files under /usr/share/nagios/html.
    3. If using resources.cfg, only nagios needs access to read it, not apache!
    4. For the nagios.cmd fifo pipe (under /var/spool/nagios/cmd), permissions are 660, owner = nagios, group = apache.
    5. cgi files need to be executable by apache.
    6. plugins need to be executable by nagios.
  4. Set security contexts on files (all done with sudo, of course):
    1. chcon -R -t httpd_sys_content_t /usr/share/nagios/html
    2. chcon -R -t nagios_etc_t /etc/nagios
    3. chcon -R -t nagios_log_t /var/log/nagios
    4. chcon -R -t var_spool_t /var/spool/nagios
    5. chcon -R -t bin_t /usr/lib/nagios/plugins
    6. chcon -t nagios_cgi_exec_t /usr/lib/nagios/cgi-bin/*.cgi
    7. /usr/sbin/nagios has a security domain type of sbin_t
  5. Apache alias is in /etc/httpd/conf.d/nagios.conf. Inspect and make changes as necessary. Restart httpd service.
  6. The check_mem plugin was not working for me: it couldn’t find utils.pm. I had to add the following line near the top of the script:
    1. use lib "/usr/lib/nagios/plugins" ;
  7. I needed to add some local security policy. Read on for details.
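Before chasing AVC denials it pays to confirm that the ownership, mode and inode type from step 3 and the security contexts from step 4 actually ended up on disk. The following Python script is an added example, not part of the original post: it reads each path's owner, group, mode and SELinux type (from the security.selinux extended attribute) and reports every deviation from the expected values. The expected values are taken from the steps above; where the post states none (owner and mode of resources.cfg) the entry is an assumption, marked ASSUMED in the code.

```python
import grp
import os
import pwd
import stat

# Expected state for the paths named in steps 3 and 4 of the post.
# "mode" is the exact permission bits wanted; "kind" is the inode type.
# Entries marked ASSUMED are not stated in the post and are this example's
# own choices; adjust them to your installation.
EXPECTED = {
    "/var/spool/nagios/cmd/nagios.cmd": {
        "kind": "fifo", "owner": "nagios", "group": "apache",
        "mode": 0o660, "setype": "var_spool_t"},
    "/etc/nagios/resources.cfg": {  # ASSUMED owner/group/mode: readable by nagios only
        "kind": "file", "owner": "nagios", "group": "nagios",
        "mode": 0o640, "setype": "nagios_etc_t"},
    "/etc/nagios": {"kind": "dir", "setype": "nagios_etc_t"},
    "/usr/share/nagios/html": {"kind": "dir", "setype": "httpd_sys_content_t"},
    "/var/log/nagios": {"kind": "dir", "setype": "nagios_log_t"},
    "/var/spool/nagios": {"kind": "dir", "setype": "var_spool_t"},
    "/usr/lib/nagios/plugins": {"kind": "dir", "setype": "bin_t"},
}


def selinux_type(path):
    """Type component of the file's SELinux label, or None if unavailable."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return None
    try:
        label = getxattr(path, "security.selinux").decode().rstrip("\x00")
    except OSError:
        return None
    return label.split(":")[2] if label.count(":") >= 2 else None


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def observe(path):
    """Gather the facts compare() needs for one path from the live filesystem."""
    st = os.lstat(path)
    if stat.S_ISFIFO(st.st_mode):
        kind = "fifo"
    elif stat.S_ISDIR(st.st_mode):
        kind = "dir"
    else:
        kind = "file"
    return {
        "kind": kind,
        "owner": _user_name(st.st_uid),
        "group": _group_name(st.st_gid),
        "mode": stat.S_IMODE(st.st_mode),
        "setype": selinux_type(path),
    }


def compare(expected, observed):
    """Return a list of human-readable deviations; an empty list means the path is fine."""
    findings = []
    for field in ("kind", "owner", "group", "setype"):
        want = expected.get(field)
        if want is not None and observed.get(field) != want:
            findings.append(f"{field}: expected {want}, found {observed.get(field)}")
    want_mode = expected.get("mode")
    found = observed.get("mode")
    if want_mode is not None and found != want_mode:
        found_s = "none" if found is None else f"{found:04o}"
        findings.append(f"mode: expected {want_mode:04o}, found {found_s}")
    return findings


def audit(expected=EXPECTED, observer=observe):
    """Check every expected path; the observer is injectable so the logic can be tested offline."""
    report = {}
    for path, spec in expected.items():
        try:
            report[path] = compare(spec, observer(path))
        except FileNotFoundError:
            report[path] = ["missing"]
    return report


if __name__ == "__main__":
    for path, findings in audit().items():
        print(f"{'OK ' if not findings else 'BAD'} {path}")
        for finding in findings:
            print(f"      {finding}")
```

Run it as root after steps 3 and 4 (and again after any package update, since rpm may reset modes or labels); a BAD line names exactly which attribute differs, so the fix is a single chown, chmod or chcon rather than a guess.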

There seem to be some holes in the policy for nagios. These are easily corrected with a little help from checkmodule.

First, you need to install the SELinux tools to create new policies. These are not installed by default.

  1. sudo yum install checkpolicy
  2. sudo yum install selinux-policy-devel

There is a nice tool for troubleshooting policy called setroubleshoot. It is available at Dan Walsh’s yum repo. See his blog entry for details. The setools are also quite helpful at inspecting policy (although I believe you need at least version 3 to inspect policy on fc6 where version 2.4 can inspect the audit logs).

I then went through the process of running/using nagios, inspecting audit.log, taking the appropriate lines and running them through audit2allow -M to generate the proper policy, and then loading the policy module. I had to do this a number of times to make certain I captured all the AVCs. I ended up with the following policy module (I’ve named it local; feel free to change its name if it conflicts. If you do, you need to make the same change in the file, too).

module local 1.0;
require {
	type ping_t, var_spool_t, httpd_t, nagios_cgi_t;
	class fifo_file { read getattr write }; class dir search; class process { sigkill signal };
}
allow ping_t var_spool_t:fifo_file read;
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow nagios_cgi_t var_spool_t:fifo_file getattr;
allow nagios_cgi_t var_spool_t:dir search;
allow nagios_cgi_t var_spool_t:fifo_file write;

After capturing this in the file local.te, make the policy package with:

% make -f /usr/share/selinux/devel/Makefile

This will ultimately create local.pp which then can be loaded by executing:

% sudo semodule -i local.pp
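To show mechanically what the audit.log → audit2allow loop above does, here is an added Python example; it is not the author's code and not part of audit2allow or checkmodule. It parses AVC denial records in the audit.log format into (source type, target type, object class) groups, merges the denied permissions per group, and renders a .te source with the module header, require block and allow rules that checkmodule expects. The log lines embedded in it are constructed to reproduce the five denials the local module allows (pids, inodes and timestamps are made up), and the trailing SYSCALL record is there only to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not captured from the author's system).
# Each AVC record mirrors one of the denials the post's local.te allows.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1172000001.001:101): avc:  denied  { read } for  pid=2201 comm="ping" name="nagios.cmd" dev=sda3 ino=40001 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1172000002.002:102): avc:  denied  { signal } for  pid=2202 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:nagios_cgi_t:s0 tclass=process
type=AVC msg=audit(1172000003.003:103): avc:  denied  { sigkill } for  pid=2202 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:nagios_cgi_t:s0 tclass=process
type=AVC msg=audit(1172000004.004:104): avc:  denied  { getattr } for  pid=2203 comm="cmd.cgi" path="/var/spool/nagios/cmd/nagios.cmd" dev=sda3 ino=40001 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1172000005.005:105): avc:  denied  { search } for  pid=2203 comm="cmd.cgi" name="cmd" dev=sda3 ino=40000 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1172000006.006:106): avc:  denied  { write } for  pid=2203 comm="cmd.cgi" name="nagios.cmd" dev=sda3 ino=40001 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1172000006.006:106): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: the denied permission set, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Collect denied permissions keyed by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL line)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def fmt_perms(perms):
    """Policy syntax: a bare name for one permission, a braced set for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(denials, module="local", version="1.0"):
    """Render .te source: module header, require block, then one allow rule per group."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, tclass), perms in denials.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines.append("\ttype " + ", ".join(sorted(types)) + ";")
    for tclass in sorted(classes):
        lines.append(f"\tclass {tclass} {fmt_perms(classes[tclass])};")
    lines += ["}", ""]
    for key in sorted(denials):
        src, tgt, tclass = key
        lines.append(f"allow {src} {tgt}:{tclass} {fmt_perms(denials[key])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Feeding the generated text to the make and semodule steps above produces the same module as the post, with getattr and write on the fifo merged into one rule. As with audit2allow, the output is only as good as the denials fed in: check each rule against what the process should legitimately be doing, and where a denial stems from a file carrying the wrong label, relabel it (step 4) instead of allowing the access.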

A good review of all of this can be found in the Red Hat SELinux FAQ.