UPDATE: tested on RHEL 5.6, 5.7, 5.8 and RHEL 6.0 and 6.2
Like many others, I've had a lot of problems making Nagios work with SELinux in enforcing mode.
I found the SELinux policy shipped for both RHEL 5.x and 6.x to be incomplete and unworkable.
With some additional information found online, I was able to get it up and running:
1. SETUP:
- Nagios Core 3.2.3
- monitored services: HTTP, SMTP, FTP, PING, switch uptime, switch_port_up_down, send mail if a CRITICAL service is detected
- RHEL 5.5/5.4/6.0 x32 and x64
2. create the custom nagios plugin (an SELinux policy module):
cd /etc/selinux/targeted
mkdir nagios
cd !$
vi nagios_plugin.te
module nagios_plugin 1.0;
require {
type nagios_t;
type nagios_log_t;
type var_t;
type ping_t;
type httpd_t;
type httpd_sys_content_t;
type httpd_nagios_script_t;
type procmail_t;
type system_mail_t;
class process { signal sigkill ptrace };
class dir { read write search add_name remove_name };
class file manage_file_perms;
class fifo_file { read write create open getattr };
}
#============= httpd_nagios_script_t =================
allow httpd_nagios_script_t var_t:file { read getattr };
allow httpd_nagios_script_t var_t:fifo_file { write getattr };
#============= httpd_t ==============
allow httpd_t var_t:file { read getattr };
#============= nagios_t ==============
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
allow nagios_t var_t:file manage_file_perms;
#============= ping_t ==============
allow ping_t var_t:file { read write };
#============= procmail_t ==============
allow procmail_t nagios_log_t:dir search;
3. compile the plugin (selinux-devel should be installed)
make -f /usr/share/selinux/devel/Makefile
If the compilation finishes OK we'll get a new file, nagios_plugin.pp
4. switch to permissive mode: setenforce 0
4.1 load the compiled plugin
semodule -i nagios_plugin.pp
setenforce 1
Now Nagios should work in enforcing mode without any problems.
!!!! UPDATED policy for RHEL 6.3/6.4 !!!!
module nagios_ 1.4;
require {
type nagios_t;
type nagios_log_t;
type var_t;
type ping_t;
type httpd_t;
type httpd_sys_content_t;
type httpd_nagios_script_t;
type procmail_t;
type system_mail_t;
type nagios_services_plugin_t;
type postfix_local_t;
type nagios_checkdisk_plugin_t;
type nagios_system_plugin_t;
class process { signal sigkill ptrace };
class dir { read write search add_name remove_name };
class file manage_file_perms;
class fifo_file { read write create open getattr };
}
#============= httpd_nagios_script_t =================
allow httpd_nagios_script_t var_t:file { open read getattr };
allow httpd_nagios_script_t var_t:fifo_file { open write getattr };
#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t var_t:file { read write };
#============= httpd_t ==============
allow httpd_t var_t:file { open read getattr };
#============= nagios_t ==============
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
allow nagios_t var_t:file manage_file_perms;
#============= ping_t ==============
allow ping_t var_t:file { read write };
#============= procmail_t ==============
allow procmail_t nagios_log_t:dir search;
#============= postfix_local_t ==============
allow postfix_local_t nagios_log_t:dir search;
#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t var_t:file { open read write };
#============= nagios_system_plugin_t ==============
allow nagios_system_plugin_t var_t:file { open read write };
>semodule -i nagios_plugin.pp
libsepol.permission_copy_callback: Module nagios_plugin depends on permission open in class fifo_file, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Hm.. seems quite strange.
I was testing the plugin on RHEL 5.5, 5.6 and 5.7 x64,
and also on RHEL 6.0 x64.
A quick Google search shows it may be a bug in the RHEL selinux-policy.
If necessary I can provide a precompiled plugin:
open was an attribute added in rhel6; it didn't exist in the policy in rhel5. If you use some of the macros available in the policy, you can get the access you need without worrying about whether open is available or not. For example, you can use manage_file_perms for the file entry. It has everything listed above, with a couple of things:
serefpolicy-2.4.6/policy/support/obj_perm_sets.spt:215
define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
So replace the perms with manage_file_perms:
require {
…
class file manage_file_perms;
}
…
allow nagios_t var_t:file manage_file_perms;
In rhel5, it doesn’t have open, but rhel6 does, because the policy was updated.
The problem still persists after your update 😦
Can you describe what kind of problem?
You mean Nagios is still getting errors after loading the module?
And what OS are you using?
I've done the test on RHEL 5.5 upgraded to 5.6, 5.6 and 5.8, and RHEL 6.0 updated to 6.3 (monitoring http/smtp/imap and 3 Dell servers and 2 Cisco devices).
semodule -i nagios_plugin.pp
libsepol.permission_copy_callback: Module nagios_plugin depends on permission open in class fifo_file, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
I'm running on CentOS 5
What I can recommend:
1. if it's CentOS 5.0, try to upgrade to at least 5.5
2. remove any reference to open, e.g.
allow nagios_t var_t:fifo_file { read write create getattr };
instead of
allow nagios_t var_t:fifo_file { read write create open getattr };
.. and so on
Then recompile the plugin and try to load it again.
I haven't tried CentOS (the first version I used for testing was 5.5).
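To automate steps 3 and 4 of the post (compile with the devel Makefile, load with semodule) together with the RHEL 5 workaround from this reply (dropping every "open" permission before compiling), here is an added helper script; it is not part of the original post. It assumes the .te file sits in the current directory, that selinux-policy-devel provides /usr/share/selinux/devel/Makefile as in the post, and that the load step runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): build/load nagios_plugin.te and,
# when targeting RHEL/CentOS 5, first produce a copy with "open" removed, since
# the RHEL 5 base policy does not define that permission (see the semodule error).
set -eu

# strip_open_perms: read a .te on stdin and drop the "open" permission from every
# brace-delimited permission set (both "class ... { }" lines in the require block
# and "allow ..." rules). A set that contained only open becomes "{ }" and that
# rule is dropped entirely. Exit status is 1 if nothing survives.
strip_open_perms() {
    sed -E 's/([{ ])open([ }])/\1\2/g; s/  +/ /g' | grep -Ev '[{] *[}] *;'
}

# te_to_rhel5: write a RHEL 5 compatible copy next to the source and print its name.
te_to_rhel5() {
    src="$1"; dst="${src%.te}_rhel5.te"
    strip_open_perms < "$src" > "$dst"
    echo "$dst"
}

# build_and_load: the post's steps 3 and 4, plus a check that the module really is
# registered afterwards (semodule -l lists loaded modules by name).
build_and_load() {
    te="$1"; mod="${te%.te}"
    name=$(sed -n 's/^module \([^ ]*\) .*/\1/p' "$te")   # name from "module X 1.0;"
    make -f /usr/share/selinux/devel/Makefile "${mod}.pp"
    setenforce 0
    semodule -i "${mod}.pp"
    setenforce 1
    if semodule -l | grep -q "^${name}"; then
        echo "module ${name} loaded from ${mod}.pp"
    else
        echo "module ${name} not listed by semodule -l" >&2
        return 1
    fi
}

# Usage (RHEL 6):   . ./build.sh; build_and_load nagios_plugin.te
# Usage (RHEL 5):   . ./build.sh; build_and_load "$(te_to_rhel5 nagios_plugin.te)"
```

After loading, any remaining denials still show up in /var/log/audit/audit.log, which is where the extra allow rules in the post came from in the first place.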
I'm using v5.8..
You are right, removing all "open" permissions lets it go through without any warnings..
Thank you a lot 🙂
Thanks for sharing your thoughts. I really appreciate your efforts and I am waiting for your next write ups, thanks once again.
Great post!
Can you also write a post on how to set up NRPE with inetd on the client side with SELinux enabled (enforcing)?
Hello Marko,
My Nagios server is monitoring 4 Debian machines through the NRPE plugin, so.. no SELinux issues 🙂
I'll check on my test environment to see how the NRPE plugin behaves with SELinux enabled.
Mind you, I would like to call nrpe through an inetd connection. I wouldn't like nrpe to be up'n'running the whole time as a daemon. So far no luck with SELinux enabled. Without it enabled it works fine 🙂
Hello,
I was checking on a RHEL 6.2 machine:
- nagios-nrpe && nagios-plugins-nrpe installed from the rpmforge repo
- nagios-nrpe disabled as a daemon and started by xinetd
I've got no SELinux errors.
Can you provide more info (OS: RHEL or CentOS; Nagios installed from rpm or manually compiled)?
[root@puppet nagios]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted nagios_plugin module
/usr/bin/checkmodule: loading policy configuration from tmp/nagios_plugin.tmp
nagios_plugin.te":2:ERROR 'Building a policy module, but no module specification found.
' at token 'imodule' on line 1029:
#line 1 "nagios_plugin.te"
imodule nagios_ 1.4;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/nagios_plugin.mod] Error 1
[root@puppet nagios]#
#line 1 "nagios_plugin.te"
imodule nagios_ 1.4; ==> please remove the "i" from "imodule"
Do you have this working on CentOS 7? I was able to successfully load the new policies, but the elasticsearch and logstash collector still can't start with SELinux in enforcing mode. As soon as I switch it back to permissive, both of those services start up just fine automatically.
Hi Kevin,
True, I have to do more tests for CentOS/RHEL 7.
I hope to have it fully functional by the end of this week.
I see this issue is related to logstash + elastic; I'll have to install them first on my test system...