SELinux and Nagios (Fedora 9 + Nagios)

Ingemar Nilsson init at kth.se
Tue Aug 19 08:31:32 UTC 2008


dbcooper wrote:

> I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and 
> all the needed plugs).
> 
> I'm getting the following messages when using SELinux in Target/Enabled 
> mode.
> 
> My knowledge is very limited with SELinux and I'm trying to learn the 
> proper way to troubleshoot/resolve issues on my own, and hopefully I can use
> this as my first learning curve with it.
> 
> Thanks for any suggestions.
> 
> ---------------------------------------------------------------------------------------------------------------
> Summary:
> 
> SELinux is preventing ping (ping_t) "read" to 
> /var/spool/nagios/cmd/nagios.cmd
> (nagios_spool_t).

I got that one too (on CentOS 5.1 and Nagios 2.12), but since I couldn't 
fathom why ping should be able to read the nagios.cmd file, and ping 
seemed to work anyway, I created an SELinux policy module that skipped 
writing those messages to the audit log. In other words, I piped the 
audit log message through "audit2allow -M nagiosping", which creates two 
files, nagiosping.te and nagiosping.pp.

The .te file is the policy module source file, and the .pp file is the 
binary package generated by compiling the source file. I edited the 
source file and changed the "allow" to "dontaudit", with everything else 
kept as it was. Then I compiled the module:

checkmodule -M -m -o nagiosping.mod nagiosping.te
semodule_package -m nagiosping.mod -o nagiosping.pp
rm nagiosping.mod

You need the checkpolicy package for the checkmodule command, and the 
policycoreutils package for the semodule and semodule_package commands. 
The .mod file is a temporary file; that's why I removed it. Then I 
inserted it into the kernel:

semodule -i nagiosping.pp

And tada, no more "ping can't read from nagios.cmd" messages in the 
audit log.

Regards
Ingemar
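As an added example that is not part of Ingemar's post, the POSIX shell script below wraps the same steps (rewrite audit2allow's "allow" rules to "dontaudit", compile with checkmodule, package with semodule_package, install with semodule) for one module. The embedded .te is a constructed approximation of what audit2allow -M emits for the quoted denial, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the
# audit2allow -> dontaudit -> checkmodule -> semodule_package -> semodule
# workflow for a single module.
set -eu

# Constructed sample of audit2allow -M nagiosping output (nagiosping.te);
# real output may differ in ordering and version number.
SAMPLE_TE='module nagiosping 1.0;

require {
    type ping_t;
    type nagios_spool_t;
    class file read;
}

#============= ping_t ==============
allow ping_t nagios_spool_t:file read;'

# Rewrite every "allow" rule in a .te file to "dontaudit". A dontaudit rule
# only suppresses the AVC audit message; it does not grant the access.
allow_to_dontaudit() {
    sed 's/^[[:space:]]*allow[[:space:]]/dontaudit /' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Compile and install $1.te, first checking that the tools from the
# checkpolicy and policycoreutils packages are actually present.
build_and_install() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -m "$name.mod" -o "$name.pp"
    rm -f "$name.mod"            # .mod is only an intermediate file
    semodule -i "$name.pp"
}

# Show the rewrite on the constructed sample; prints the resulting .te.
# Does not touch the running policy (build_and_install is not called).
demo_rewrite() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_TE" > "$dir/nagiosping.te"
    allow_to_dontaudit "$dir/nagiosping.te"
    cat "$dir/nagiosping.te"
    rm -rf "$dir"
}

demo_rewrite
```

To apply it for real, save the audit2allow output as nagiosping.te in the current directory, run allow_to_dontaudit nagiosping.te, and then build_and_install nagiosping as root.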