NAGIOS on RHEL 5.xx and 6.xx [SELinux enforcing]

UPDATE: tested on RHEL 5.6, 5.7, 5.8 and RHEL 6.0 and 6.2

Like many others, I ran into a lot of problems getting Nagios to work with SELinux in enforcing mode.

I found the SELinux policy shipped with both RHEL 5.xx and 6.xx to be incomplete and unworkable for this setup.

With some additional information found online, I was able to get it up and running:

1. SETUP:

- Nagios Core 3.2.3

- monitored services: HTTP, SMTP, FTP, PING, switch uptime, switch_port_up_down, send mail if a CRITICAL service is detected

- RHEL 5.5/5.4/6.0 x32 and x64

2. create a custom SELinux policy module (called a "plugin" below) for Nagios

cd /etc/selinux/targeted

mkdir nagios

cd !$

vi nagios_plugin.te

module nagios_plugin 1.0;

require {
         type nagios_t;
         type nagios_log_t;
         type var_t;
         type ping_t;
         type httpd_t;
         type httpd_sys_content_t;
         type httpd_nagios_script_t;
         type procmail_t;
         type system_mail_t;
         class process { signal sigkill ptrace };
         class dir { read write search add_name remove_name };
         class file manage_file_perms;
         class fifo_file { read write create open getattr };
}

#============= httpd_nagios_script_t =================
allow httpd_nagios_script_t var_t:file { read getattr };
allow httpd_nagios_script_t var_t:fifo_file { write getattr };

#============= httpd_t ==============
allow httpd_t var_t:file { read getattr };

#============= nagios_t ==============
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
allow nagios_t var_t:file manage_file_perms;

#============= ping_t ==============
allow ping_t var_t:file { read write };

#============= procmail_t ==============
allow procmail_t nagios_log_t:dir search;

3. compile the plugin (selinux-devel should be installed)

make -f /usr/share/selinux/devel/Makefile

If the compilation finishes OK, we get a new file, nagios_plugin.pp

4. setenforce 0

4.1 load the compiled plugin

semodule -i  nagios_plugin.pp

setenforce 1

Now Nagios should work in enforcing mode without any problems.
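Steps 2 to 4 above, and the "open" problem discussed in the comments (the RHEL 5 policy has no open permission, so a module that references it fails to link), as an added helper script that is not part of the original post. It checks the running policy for the permission via selinuxfs, strips "open" from the .te when it is absent, builds with the same Makefile, and verifies the module was installed; the selinuxfs paths and the SELINUXFS_DIRS override are this script's own assumptions.

```shell
#!/bin/sh
# Added helper, not from the original post: build nagios_plugin.te so it also
# loads on a policy that lacks the "open" permission (RHEL 5), then confirm the
# module really landed in the module store. Paths below are assumptions.
set -e

# Does the running policy know permission $2 in class $1? selinuxfs exposes
# class/<class>/perms/<perm> (mounted at /sys/fs/selinux on RHEL 6, /selinux
# on RHEL 5). SELINUXFS_DIRS can be overridden to test the lookup offline.
policy_has_perm() {
    for fs in ${SELINUXFS_DIRS:-/sys/fs/selinux /selinux}; do
        if [ -d "$fs/class" ]; then
            [ -e "$fs/class/$1/perms/$2" ] && return 0
            return 1
        fi
    done
    return 1   # no selinuxfs class tree at all: treat the permission as absent
}

# Remove the "open" token from every "{ ... }" permission set of a .te read on
# stdin; a set that becomes empty is dropped so no "allow ... { };" remains.
strip_open_perm() {
    sed -e 's/\({[^}]*\) open \([^}]*}\)/\1 \2/g' -e '/{ *}/d'
}

# Compile $1 (e.g. nagios_plugin.te) in a scratch dir and load it. The file
# name must match the "module" line inside it so the semodule -l check works.
build_and_load() {
    src=$1; mod=$(basename "${src%.te}"); dir=$(mktemp -d)
    if policy_has_perm fifo_file open; then
        cp "$src" "$dir/$mod.te"
    else
        echo "policy has no fifo_file:open, stripping it from $src" >&2
        strip_open_perm < "$src" > "$dir/$mod.te"
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$mod.pp")
    # semodule -i works while SELinux is enforcing; no setenforce 0 window needed.
    semodule -i "$dir/$mod.pp"
    semodule -l | grep -qE "^$mod([[:space:]]|$)" || {
        echo "$mod not listed by semodule -l after install" >&2; return 1; }
    rm -rf "$dir"
}

if [ -n "${1:-}" ]; then build_and_load "$1"; fi
```

Run as root with the .te file as the only argument, e.g. from /etc/selinux/targeted/nagios.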


!!!! UPDATED policy for RHEL 6.3/6.4 !!!!

module nagios_ 1.4;

require {
         type nagios_t;
         type nagios_log_t;
         type var_t;
         type ping_t;
         type httpd_t;
         type httpd_sys_content_t;
         type httpd_nagios_script_t;
         type procmail_t;
         type system_mail_t;
         type nagios_services_plugin_t;
         type postfix_local_t;
         type nagios_checkdisk_plugin_t;
         type nagios_system_plugin_t;
         class process { signal sigkill ptrace };
         class dir { read write search add_name remove_name };
         class file manage_file_perms;
         class fifo_file { read write create open getattr };
}
#============= httpd_nagios_script_t =================
allow httpd_nagios_script_t var_t:file { open read getattr };
allow httpd_nagios_script_t var_t:fifo_file { open write getattr };

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t var_t:file { read write };

#============= httpd_t ==============
allow httpd_t var_t:file { open read getattr };

#============= nagios_t ==============
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
allow nagios_t var_t:file manage_file_perms;

#============= ping_t ==============
allow ping_t var_t:file { read write };

#============= procmail_t ==============
allow procmail_t nagios_log_t:dir search;

#============= postfix_local_t ==============
allow postfix_local_t nagios_log_t:dir search;

#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t var_t:file { open read write };

#============= nagios_system_plugin_t ==============
allow nagios_system_plugin_t var_t:file { open read write };

10 responses to “NAGIOS on RHEL 5.xx and 6.xx [SELinux enforcing]”

  1. >semodule -i nagios_plugin.pp
    libsepol.permission_copy_callback: Module nagios_plugin depends on permission open in class fifo_file, not satisfied
    libsemanage.semanage_link_sandbox: Link packages failed
    semodule: Failed!

  2. Hm.. seems quite strange.
    I was testing the plugin on RHEL 5.5, 5.6 and 5.7 x64,
    also on RHEL 6.0 x64.
    A quick Google search shows it may be a possible bug in RHEL selinux-policy.

    If it’s necessary I can provide a precompiled plugin:

    • open was an attribute added in rhel6, it didn’t exist in the policy in rhel5. If you use some of the macros available in the policy, you can get the access you need without worrying about whether open is available or not. For example, you can use manage_file_perms for the file entry. It has everything listed above, with a couple of things:

      serefpolicy-2.4.6/policy/support/obj_perm_sets.spt:215

      define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')

      So replace the perms with manage_file_perms:

      require {

      class file manage_file_perms;
      }

      allow nagios_t var_t:file manage_file_perms;

      In rhel5, it doesn’t have open, but rhel6 does, because the policy was updated.

    • Can you describe what kind of problem ?

      You mean nagios is still getting errors after loading the module ?

      And what OS are you using?

      I’ve done the test on RHEL 5.5 upgraded to 5.6, 5.6 and 5.8 and RHEL 6.0 updated to 6.3 ( monitoring http/smtp/imap and 3 dell servers and 2 cisco devices )

  3. semodule -i nagios_plugin.pp
    libsepol.permission_copy_callback: Module nagios_plugin depends on permission open in class fifo_file, not satisfied
    libsemanage.semanage_link_sandbox: Link packages failed
    semodule: Failed!

    I’m running on CentOS 5

  4. What I can recommend:
    1. if it’s Centos 5.0 try to upgrade to at least 5.5

    2. remove any reference to open

    allow nagios_t var_t:fifo_file { read write create getattr };
    instead of
    allow nagios_t var_t:fifo_file { read write create open getattr };

    .. and so on

    recompile the plugin and try to load it again

    I haven’t tried CentOS (the 1st version I’ve used for testing was 5.5)

  5. I’m using v5.8..
    You are right, removing all “open” permissions helps to go through without any warnings..
    Thank you a lot :-)
