nagios_selinux(8)            SELinux Policy nagios           nagios_selinux(8)

NAME

       nagios_selinux - Security Enhanced Linux Policy for the nagios processes

DESCRIPTION

       Security-Enhanced Linux secures the nagios processes via flexible
       mandatory access control.

       The nagios processes execute with the nagios_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep nagios_t

ENTRYPOINTS

       The nagios_t SELinux type can be entered via the nagios_exec_t file
       type.

       The default entrypoint paths for the nagios_t domain are the following:

       /usr/s?bin/nagios

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       nagios policy is very flexible, allowing users to set up their nagios
       processes in as secure a manner as possible.

       The following process types are defined for nagios:

       nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t,
       nagios_services_plugin_t, nagios_eventhandler_plugin_t,
       nagios_system_plugin_t, nagios_unconfined_plugin_t,
       nagios_admin_plugin_t

       Note: semanage permissive -a nagios_t can be used to make the process
       type nagios_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. nagios
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run nagios with the tightest access possible.

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1
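
       The following script is an added example, not part of the generated
       manual page. It compares boolean states in the "name --> state" format
       printed by getsebool -a against the defaults documented above and
       reports deviations; the function names and the sample input are
       constructed for illustration.

```shell
#!/bin/sh
# Added example: flag booleans whose state differs from the defaults this page documents.

# Defaults transcribed from the BOOLEANS section of this page.
documented_defaults() {
cat <<'EOF'
nagios_run_sudo off
allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_kerberos on
allow_ptrace off
allow_ypbind off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
init_upstart on
nscd_use_shm on
EOF
}

# Constructed sample in the "name --> state" format printed by `getsebool -a`.
SAMPLE_GETSEBOOL='allow_ptrace --> off
allow_ypbind --> off
domain_kernel_load_modules --> on
fips_mode --> on
httpd_can_network_connect --> off
nagios_run_sudo --> on'

# Reads getsebool-style lines on stdin and prints one line per deviation.
boolean_drift() {
    defaults=$(documented_defaults)
    while read -r name arrow state _rest; do   # _rest absorbs any trailing text
        [ "$arrow" = "-->" ] || continue        # skip lines in another format
        want=$(printf '%s\n' "$defaults" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue              # boolean not covered by this page
        [ "$state" = "$want" ] ||
            printf '%s is %s (documented default: %s)\n' "$name" "$state" "$want"
    done
}

# On a live host: getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       A reported nagios_run_sudo, allow_ptrace or domain_kernel_load_modules
       widens what the confined nagios domains may do and is worth tracing
       back to a change record.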

MANAGED FILES

       The SELinux process type nagios_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       initrc_tmp_t

       lastlog_t

            /var/log/lastlog.*

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       nagios_log_t

            /var/log/nagios(/.*)?
            /var/log/netsaint(/.*)?
            /var/log/pnp4nagios(/.*)?

       nagios_spool_t

            /var/spool/nagios(/.*)?

       nagios_tmp_t

       nagios_var_lib_t

            /var/lib/pnp4nagios(/.*)?
            /usr/lib/pnp4nagios(/.*)?

       nagios_var_run_t

            /var/run/nagios.*

       root_t

            /
            /initrd

       security_t

       sudo_db_t

            /var/db/sudo(/.*)?

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux nagios policy is very flexible, allowing users to set up their
       nagios processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for nagios. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t nagios_var_run_t '/srv/mynagios_content(/.*)?'
       restorecon -R -v /srv/mynagios_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for nagios:

       nagios_admin_plugin_exec_t

       - Set files with the nagios_admin_plugin_exec_t type, if you want to
       transition an executable to the nagios_admin_plugin_t domain.

       nagios_checkdisk_plugin_exec_t

       - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
       to transition an executable to the nagios_checkdisk_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_disk,
            /usr/lib(64)?/nagios/plugins/check_disk_smb,
            /usr/lib(64)?/nagios/plugins/check_ide_smart,
            /usr/lib(64)?/nagios/plugins/check_linux_raid

       nagios_etc_t

       - Set files with the nagios_etc_t type, if you want to store nagios
       files in the /etc directories.

       Paths:
            /etc/nagios(/.*)?,
            /etc/pnp4nagios(/.*)?

       nagios_eventhandler_plugin_exec_t

       - Set files with the nagios_eventhandler_plugin_exec_t type, if you
       want to transition an executable to the nagios_eventhandler_plugin_t
       domain.

       nagios_eventhandler_plugin_tmp_t

       - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
       to store nagios eventhandler plugin temporary files in the /tmp
       directories.

       nagios_exec_t

       - Set files with the nagios_exec_t type, if you want to transition an
       executable to the nagios_t domain.

       nagios_initrc_exec_t

       - Set files with the nagios_initrc_exec_t type, if you want to
       transition an executable to the nagios_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/nrpe,
            /etc/rc.d/init.d/nagios

       nagios_log_t

       - Set files with the nagios_log_t type, if you want to treat the data
       as nagios log data, usually stored under the /var/log directory.

       Paths:
            /var/log/nagios(/.*)?,
            /var/log/netsaint(/.*)?,
            /var/log/pnp4nagios(/.*)?

       nagios_mail_plugin_exec_t

       - Set files with the nagios_mail_plugin_exec_t type, if you want to
       transition an executable to the nagios_mail_plugin_t domain.

       nagios_services_plugin_exec_t

       - Set files with the nagios_services_plugin_exec_t type, if you want to
       transition an executable to the nagios_services_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_nt,
            /usr/lib(64)?/nagios/plugins/check_dig,
            /usr/lib(64)?/nagios/plugins/check_dns,
            /usr/lib(64)?/nagios/plugins/check_rpc,
            /usr/lib(64)?/nagios/plugins/check_tcp,
            /usr/lib(64)?/nagios/plugins/check_sip,
            /usr/lib(64)?/nagios/plugins/check_ssh,
            /usr/lib(64)?/nagios/plugins/check_ups,
            /usr/lib(64)?/nagios/plugins/check_dhcp,
            /usr/lib(64)?/nagios/plugins/check_game,
            /usr/lib(64)?/nagios/plugins/check_hpjd,
            /usr/lib(64)?/nagios/plugins/check_http,
            /usr/lib(64)?/nagios/plugins/check_icmp,
            /usr/lib(64)?/nagios/plugins/check_ircd,
            /usr/lib(64)?/nagios/plugins/check_ldap,
            /usr/lib(64)?/nagios/plugins/check_nrpe,
            /usr/lib(64)?/nagios/plugins/check_ping,
            /usr/lib(64)?/nagios/plugins/check_real,
            /usr/lib(64)?/nagios/plugins/check_time,
            /usr/lib(64)?/nagios/plugins/check_smtp,
            /usr/lib(64)?/nagios/plugins/check_dummy,
            /usr/lib(64)?/nagios/plugins/check_fping,
            /usr/lib(64)?/nagios/plugins/check_mysql,
            /usr/lib(64)?/nagios/plugins/check_ntp.*,
            /usr/lib(64)?/nagios/plugins/check_pgsql,
            /usr/lib(64)?/nagios/plugins/check_breeze,
            /usr/lib(64)?/nagios/plugins/check_oracle,
            /usr/lib(64)?/nagios/plugins/check_radius,
            /usr/lib(64)?/nagios/plugins/check_snmp.*,
            /usr/lib(64)?/nagios/plugins/check_cluster,
            /usr/lib(64)?/nagios/plugins/check_mysql_query

       nagios_spool_t

       - Set files with the nagios_spool_t type, if you want to store the
       nagios files under the /var/spool directory.

       nagios_system_plugin_exec_t

       - Set files with the nagios_system_plugin_exec_t type, if you want to
       transition an executable to the nagios_system_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_log,
            /usr/lib(64)?/nagios/plugins/check_load,
            /usr/lib(64)?/nagios/plugins/check_mrtg,
            /usr/lib(64)?/nagios/plugins/check_swap,
            /usr/lib(64)?/nagios/plugins/check_wave,
            /usr/lib(64)?/nagios/plugins/check_procs,
            /usr/lib(64)?/nagios/plugins/check_users,
            /usr/lib(64)?/nagios/plugins/check_flexlm,
            /usr/lib(64)?/nagios/plugins/check_nagios,
            /usr/lib(64)?/nagios/plugins/check_nwstat,
            /usr/lib(64)?/nagios/plugins/check_overcr,
            /usr/lib(64)?/nagios/plugins/check_sensors,
            /usr/lib(64)?/nagios/plugins/check_ifstatus,
            /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
            /usr/lib(64)?/nagios/plugins/check_ifoperstatus

       nagios_system_plugin_tmp_t

       - Set files with the nagios_system_plugin_tmp_t type, if you want to
       store nagios system plugin temporary files in the /tmp directories.

       nagios_tmp_t

       - Set files with the nagios_tmp_t type, if you want to store nagios
       temporary files in the /tmp directories.

       nagios_unconfined_plugin_exec_t

       - Set files with the nagios_unconfined_plugin_exec_t type, if you want
       to transition an executable to the nagios_unconfined_plugin_t domain.

       nagios_var_lib_t

       - Set files with the nagios_var_lib_t type, if you want to store the
       nagios files under the /var/lib directory.

       Paths:
            /var/lib/pnp4nagios(/.*)?,
            /usr/lib/pnp4nagios(/.*)?

       nagios_var_run_t

       - Set files with the nagios_var_run_t type, if you want to store the
       nagios files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
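
       The following script is an added example, not part of the generated
       manual page. It resolves a path against a subset of the patterns from
       the ENTRYPOINTS and Paths: lists above, matching each pattern against
       the whole path as file-context regular expressions are anchored at
       both ends; the function names and test paths are constructed, and
       grep -Ex stands in for the SELinux matcher.

```shell
#!/bin/sh
# Added example: which exec type (and so which plugin domain) does a path get
# from the patterns listed on this page? Patterns must match the whole path.

# "pattern type" pairs copied from this page (subset only, no overlaps).
fcontext_subset() {
cat <<'EOF'
/usr/s?bin/nagios nagios_exec_t
/usr/lib(64)?/nagios/plugins/check_disk nagios_checkdisk_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_disk_smb nagios_checkdisk_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_ntp.* nagios_services_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_snmp.* nagios_services_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_http nagios_services_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_load nagios_system_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_procs nagios_system_plugin_exec_t
EOF
}

# Print the type of the first pattern that matches the entire path,
# or "no-match" when none of the listed patterns applies.
plugin_exec_type() {
    path=$1
    result=no-match
    while read -r pattern type; do
        # -x anchors the extended regex at both ends of the path.
        if printf '%s\n' "$path" | grep -Eqx -- "$pattern"; then
            result=$type
            break
        fi
    done <<EOF
$(fcontext_subset)
EOF
    printf '%s\n' "$result"
}

# Constructed paths: a stock plugin, a wildcard hit, and a locally added
# plugin whose name merely starts with a listed one.
for p in /usr/lib64/nagios/plugins/check_disk \
         /usr/lib64/nagios/plugins/check_ntp_peer \
         /usr/lib64/nagios/plugins/check_disk_custom; do
    printf '%s -> %s\n' "$p" "$(plugin_exec_type "$p")"
done
```

       A locally added plugin that reports no-match is not covered by any of
       the listed entries; on a live system, matchpathcon shows the context
       the installed policy would assign to it.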

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), nagios_admin_plugin_selinux(8),
       nagios_checkdisk_plugin_selinux(8),
       nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
       nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
       nagios_unconfined_plugin_selinux(8)

nagios                             15-06-03                  nagios_selinux(8)