Nagios nrpe and sudo

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 31 12:30:43 UTC 2006


On Tue, 2006-01-31 at 07:12 -0500, Stephen Smalley wrote:
> On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
> > Further to this, I note that I don't even need the
> > inetd_child_disable_trans boolean set now. By default nrpe running under
> > xinetd is allowed to sudo. Should this not be controlled?
> > 
> > What protection does running xinetd under selinux give?
> 
> IIRC, the default targeted policy in Fedora leaves inetd children who do
> not have a specific domain defined for them unconfined, as otherwise all
> external (outside of Fedora) inetd-based services that lack policy would
> immediately break.  The strict policy takes the more conservative
> approach for security, at the risk of greater application breakage.

Ah, sorry, but your point was that nrpe should be confined since it has
policy.  However, it appears that the nagios and nrpe policies aren't
being built as part of the Fedora policy at present.

-- 
Stephen Smalley
National Security Agency
