SELinux and Nagios (Fedora 9 + Nagios)
Ingemar Nilsson
init at kth.se
Tue Aug 19 08:31:32 UTC 2008
dbcooper wrote:
> I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and
> all the needed plugs).
>
> I'm getting the following messages when using SELinux in Target/Enabled
> mode.
>
> My knowledge is very limited with SELinux and I'm trying to learn the
> proper way to troubleshoot/resolve issues on my own, and hopefully I can use
> this as my first learning curve with it.
>
> Thanks for any suggestions.
>
> ---------------------------------------------------------------------------------------------------------------
> Summary:
>
> SELinux is preventing ping (ping_t) "read" to
> /var/spool/nagios/cmd/nagios.cmd
> (nagios_spool_t).
I got that one too (on CentOS 5.1 and Nagios 2.12), but since I couldn't
fathom why ping should be able to read the nagios.cmd file, and ping
seemed to work anyway, I created an SELinux policy module that skipped
writing those messages to the audit log. In other words, I piped the
audit log message through "audit2allow -M nagiosping", which creates two
files, nagiosping.te and nagiosping.pp.
The .te file is the policy module source file, and the .pp file is the
binary package generated by compiling the source file. I edited the
source file and changed the "allow" to "dontaudit", with everything else
kept as it was. Then I compiled the module:
checkmodule -M -m -o nagiosping.mod nagiosping.te
semodule_package -m nagiosping.mod -o nagiosping.pp
rm nagiosping.mod
You need the checkpolicy package for the checkmodule command, and the
policycoreutils package for the semodule and semodule_package commands.
The .mod file is a temporary file, that's why I removed it. Then I
inserted it into the kernel:
semodule -i nagiosping.pp
And tada, no more "ping can't read from nagios.cmd" messages in the
audit log.
Regards
Ingemar
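The procedure described above (audit2allow -M, changing "allow" to "dontaudit", then checkmodule / semodule_package / semodule -i), as an added shell example that is not part of the original post. The sample .te text is constructed to match the quoted denial (nagios.cmd is a FIFO, so the object class is assumed to be fifo_file); the build step needs the checkpolicy and policycoreutils packages and root.

```shell
#!/bin/sh
# Added example: convert an audit2allow-generated module source into a
# dontaudit module, then build and load it. Not code from the original post.

# Constructed sample of what "audit2allow -M nagiosping" would write for the
# denial quoted in the thread (class fifo_file is an assumption).
sample_te() {
cat <<'EOF'
module nagiosping 1.0;

require {
        type ping_t;
        type nagios_spool_t;
        class fifo_file read;
}

#============= ping_t ==============
allow ping_t nagios_spool_t:fifo_file read;
EOF
}

# Rewrite every rule that starts with "allow" into "dontaudit". The require
# block is untouched. dontaudit silences the AVC message without granting
# the access, which is the point of the post: ping keeps being denied, but
# the denial is no longer logged.
to_dontaudit() {
    sed -E 's/^([[:space:]]*)allow[[:space:]]+/\1dontaudit /'
}

# Compile the edited source, package it, drop the temporary .mod and load
# the module into the running policy (same commands as in the post).
build_and_load() {
    name="$1"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -m "$name.mod" -o "$name.pp" &&
    rm -f "$name.mod" &&
    semodule -i "$name.pp"
}

# Typical use:
#   sample_te | to_dontaudit > nagiosping.te && build_and_load nagiosping
```

If you later need to see the hidden denials again (for example to confirm ping really is still being denied rather than quietly allowed), `semodule -DB` rebuilds the policy with all dontaudit rules disabled, and `semodule -B` restores them.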