nagios_selinux(8)            SELinux Policy nagios           nagios_selinux(8)

NAME

       nagios_selinux - Security Enhanced Linux Policy for the nagios
       processes

DESCRIPTION

       Security-Enhanced Linux secures the nagios processes via flexible
       mandatory access control.

       The nagios processes execute with the nagios_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep nagios_t

ENTRYPOINTS

       The nagios_t SELinux type can be entered via the nagios_exec_t file
       type.

       The default entrypoint paths for the nagios_t domain are the following:

       /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       nagios policy is very flexible, allowing users to set up their nagios
       processes in as secure a manner as possible.

       The following process types are defined for nagios:

       nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t,
       nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t,
       nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t,
       nagios_openshift_plugin_t, nagios_script_t

       Note: semanage permissive -a nagios_t can be used to make the process
       type nagios_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. nagios
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run nagios with the tightest access possible.

       If you want to allow nagios to run in conjunction with PNP4Nagios, you
       must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

       setsebool -P nagios_run_pnp4nagios 1

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to allow Nagios and NRPE to access nfs file systems, you
       must turn on the nagios_use_nfs boolean. Disabled by default.

       setsebool -P nagios_use_nfs 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1
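
       Added example, not part of the generated manual page: a POSIX shell
       check that compares the booleans above with the defaults this page
       states. It reads text in getsebool -a format; the sample input and
       the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the generated man page): compare nagios-related
# SELinux booleans against the defaults stated in the BOOLEANS section.
# Input on stdin is text in `getsebool -a` format: "name --> on|off".

# Defaults taken from this page.
nagios_bool_defaults() {
cat <<'EOF'
nagios_run_pnp4nagios off
nagios_run_sudo off
nagios_use_nfs off
fips_mode on
EOF
}

# audit_nagios_booleans: print one line per deviation and return 1 if any
# boolean differs from its default or is missing from the input.
audit_nagios_booleans() {
    input=$(cat)
    rc=0
    while read -r name expected; do
        found=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ -z "$found" ]; then
            printf 'MISSING %s\n' "$name"; rc=1
        elif [ "$found" != "$expected" ]; then
            printf 'DRIFT %s: default %s, found %s\n' "$name" "$expected" "$found"; rc=1
        fi
    done <<EOF
$(nagios_bool_defaults)
EOF
    return "$rc"
}

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='fips_mode --> on
httpd_can_network_connect --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> off'

printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_nagios_booleans ||
    echo "review: boolean state differs from the defaults on this page"
```

       On a host, pipe the output of getsebool -a into audit_nagios_booleans
       in place of the sample.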

MANAGED FILES

       The SELinux process type nagios_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       lastlog_t

            /var/log/lastlog.*

       nagios_log_t

            /var/log/icinga(/.*)?
            /var/log/nagios(/.*)?
            /var/log/netsaint(/.*)?
            /var/log/pnp4nagios(/.*)?

       nagios_spool_t

            /var/spool/icinga(/.*)?
            /var/spool/nagios(/.*)?

       nagios_var_lib_t

            /usr/lib/pnp4nagios(/.*)?
            /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

            /var/run/nagios.*

       nfs_t

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       sudo_db_t

            /var/db/sudo(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux nagios policy is very flexible, allowing users to set up their
       nagios processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for nagios. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t nagios_ra_content_t '/srv/mynagios_content(/.*)?'
       restorecon -R -v /srv/mynagios_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for nagios:

       nagios_admin_plugin_exec_t

       - Set files with the nagios_admin_plugin_exec_t type, if you want to
       transition an executable to the nagios_admin_plugin_t domain.

       nagios_checkdisk_plugin_exec_t

       - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
       to transition an executable to the nagios_checkdisk_plugin_t domain.

       Paths:
            /usr/lib/nagios/plugins/check_disk,
            /usr/lib/nagios/plugins/check_disk_smb,
            /usr/lib/nagios/plugins/check_ide_smart,
            /usr/lib/nagios/plugins/check_linux_raid

       nagios_content_t

       - Set files with the nagios_content_t type, if you want to treat the
       files as nagios content.

       nagios_etc_t

       - Set files with the nagios_etc_t type, if you want to store nagios
       files in the /etc directories.

       Paths:
            /etc/icinga(/.*)?,
            /etc/nagios(/.*)?,
            /etc/pnp4nagios(/.*)?

       nagios_eventhandler_plugin_exec_t

       - Set files with the nagios_eventhandler_plugin_exec_t type, if you
       want to transition an executable to the nagios_eventhandler_plugin_t
       domain.

       Paths:
            /usr/lib/icinga/plugins/eventhandlers(/.*),
            /usr/lib/nagios/plugins/eventhandlers(/.*)

       nagios_eventhandler_plugin_tmp_t

       - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
       to store nagios eventhandler plugin temporary files in the /tmp
       directories.

       nagios_exec_t

       - Set files with the nagios_exec_t type, if you want to transition an
       executable to the nagios_t domain.

       Paths:
            /usr/bin/icinga,
            /usr/bin/nagios,
            /usr/sbin/icinga,
            /usr/sbin/nagios

       nagios_htaccess_t

       - Set files with the nagios_htaccess_t type, if you want to treat the
       file as a nagios access file.

       nagios_initrc_exec_t

       - Set files with the nagios_initrc_exec_t type, if you want to
       transition an executable to the nagios_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/nrpe,
            /etc/rc.d/init.d/nagios

       nagios_log_t

       - Set files with the nagios_log_t type, if you want to treat the data
       as nagios log data, usually stored under the /var/log directory.

       Paths:
            /var/log/icinga(/.*)?,
            /var/log/nagios(/.*)?,
            /var/log/netsaint(/.*)?,
            /var/log/pnp4nagios(/.*)?

       nagios_mail_plugin_exec_t

       - Set files with the nagios_mail_plugin_exec_t type, if you want to
       transition an executable to the nagios_mail_plugin_t domain.

       nagios_openshift_plugin_exec_t

       - Set files with the nagios_openshift_plugin_exec_t type, if you want
       to transition an executable to the nagios_openshift_plugin_t domain.

       Paths:
            /usr/lib64/nagios/plugins/check_node_accept_status,
            /usr/lib64/nagios/plugins/check_number_openshift_apps

       nagios_openshift_plugin_tmp_t

       - Set files with the nagios_openshift_plugin_tmp_t type, if you want to
       store nagios openshift plugin temporary files in the /tmp directories.

       nagios_ra_content_t

       - Set files with the nagios_ra_content_t type, if you want to treat the
       files as nagios read/append content.

       nagios_rw_content_t

       - Set files with the nagios_rw_content_t type, if you want to treat the
       files as nagios read/write content.

       nagios_script_exec_t

       - Set files with the nagios_script_exec_t type, if you want to
       transition an executable to the nagios_script_t domain.

       Paths:
            /usr/lib/icinga/cgi(/.*)?,
            /usr/lib/nagios/cgi(/.*)?,
            /usr/lib/cgi-bin/nagios(/.+)?,
            /usr/lib/nagios/cgi-bin(/.*)?,
            /usr/lib/cgi-bin/netsaint(/.*)?

       nagios_services_plugin_exec_t

       - Set files with the nagios_services_plugin_exec_t type, if you want to
       transition an executable to the nagios_services_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_nt,
            /usr/lib(64)?/nagios/plugins/check_dig,
            /usr/lib(64)?/nagios/plugins/check_dns,
            /usr/lib(64)?/nagios/plugins/check_rpc,
            /usr/lib(64)?/nagios/plugins/check_sip,
            /usr/lib(64)?/nagios/plugins/check_ssh,
            /usr/lib(64)?/nagios/plugins/check_tcp,
            /usr/lib(64)?/nagios/plugins/check_ups,
            /usr/lib(64)?/nagios/plugins/check_dhcp,
            /usr/lib(64)?/nagios/plugins/check_game,
            /usr/lib(64)?/nagios/plugins/check_hpjd,
            /usr/lib(64)?/nagios/plugins/check_http,
            /usr/lib(64)?/nagios/plugins/check_icmp,
            /usr/lib(64)?/nagios/plugins/check_ircd,
            /usr/lib(64)?/nagios/plugins/check_ldap,
            /usr/lib(64)?/nagios/plugins/check_nrpe,
            /usr/lib(64)?/nagios/plugins/check_ping,
            /usr/lib(64)?/nagios/plugins/check_real,
            /usr/lib(64)?/nagios/plugins/check_smtp,
            /usr/lib(64)?/nagios/plugins/check_time,
            /usr/lib(64)?/nagios/plugins/check_dummy,
            /usr/lib(64)?/nagios/plugins/check_fping,
            /usr/lib(64)?/nagios/plugins/check_mysql,
            /usr/lib(64)?/nagios/plugins/check_ntp.*,
            /usr/lib(64)?/nagios/plugins/check_pgsql,
            /usr/lib(64)?/nagios/plugins/check_breeze,
            /usr/lib(64)?/nagios/plugins/check_oracle,
            /usr/lib(64)?/nagios/plugins/check_radius,
            /usr/lib(64)?/nagios/plugins/check_snmp.*,
            /usr/lib(64)?/nagios/plugins/check_cluster,
            /usr/lib(64)?/nagios/plugins/check_mysql_query

       nagios_spool_t

       - Set files with the nagios_spool_t type, if you want to store the
       nagios files under the /var/spool directory.

       Paths:
            /var/spool/icinga(/.*)?,
            /var/spool/nagios(/.*)?

       nagios_system_plugin_exec_t

       - Set files with the nagios_system_plugin_exec_t type, if you want to
       transition an executable to the nagios_system_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_log,
            /usr/lib(64)?/nagios/plugins/check_load,
            /usr/lib(64)?/nagios/plugins/check_mrtg,
            /usr/lib(64)?/nagios/plugins/check_swap,
            /usr/lib(64)?/nagios/plugins/check_wave,
            /usr/lib(64)?/nagios/plugins/check_procs,
            /usr/lib(64)?/nagios/plugins/check_users,
            /usr/lib(64)?/nagios/plugins/check_flexlm,
            /usr/lib(64)?/nagios/plugins/check_nagios,
            /usr/lib(64)?/nagios/plugins/check_nwstat,
            /usr/lib(64)?/nagios/plugins/check_overcr,
            /usr/lib(64)?/nagios/plugins/check_sensors,
            /usr/lib(64)?/nagios/plugins/check_ifstatus,
            /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
            /usr/lib(64)?/nagios/plugins/check_ifoperstatus

       nagios_system_plugin_tmp_t

       - Set files with the nagios_system_plugin_tmp_t type, if you want to
       store nagios system plugin temporary files in the /tmp directories.

       nagios_tmp_t

       - Set files with the nagios_tmp_t type, if you want to store nagios
       temporary files in the /tmp directories.

       nagios_unconfined_plugin_exec_t

       - Set files with the nagios_unconfined_plugin_exec_t type, if you want
       to transition an executable to the nagios_unconfined_plugin_t domain.

       nagios_var_lib_t

       - Set files with the nagios_var_lib_t type, if you want to store the
       nagios files under the /var/lib directory.

       Paths:
            /usr/lib/pnp4nagios(/.*)?,
            /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

       - Set files with the nagios_var_run_t type, if you want to store the
       nagios files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
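
       Added example, not part of the generated manual page: a POSIX shell
       lookup that predicts which file type a path falls under, using a
       constructed subset of the Paths lists above. The table contents,
       sample paths and function names are assumptions for illustration; on
       a live host the loaded policy decides, and matchpathcon reports it.

```sh
#!/bin/sh
# Added example (not part of the generated man page): predict which nagios
# file type a path falls under, using default path regexes from this page.

# Constructed subset of the "Paths:" lists in FILE CONTEXTS: type, then regex.
nagios_fc_table() {
cat <<'EOF'
nagios_exec_t /usr/sbin/nagios
nagios_etc_t /etc/nagios(/.*)?
nagios_log_t /var/log/nagios(/.*)?
nagios_checkdisk_plugin_exec_t /usr/lib/nagios/plugins/check_disk
nagios_eventhandler_plugin_exec_t /usr/lib/nagios/plugins/eventhandlers(/.*)
nagios_services_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_http
nagios_services_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_ntp.*
nagios_system_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_load
EOF
}

# expected_type PATH: print the type of the first regex that matches the
# whole path (file-context regexes are anchored at both ends), else "none".
expected_type() {
    path=$1
    while read -r ftype regex; do
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            printf '%s\n' "$ftype"
            return 0
        fi
    done <<EOF
$(nagios_fc_table)
EOF
    printf 'none\n'
    return 1
}

# Constructed sample paths, including ones the listed defaults do not cover:
# a lib64 check_disk, the eventhandlers directory itself, a custom plugin.
for p in /usr/lib64/nagios/plugins/check_http \
         /usr/lib64/nagios/plugins/check_disk \
         /usr/lib/nagios/plugins/eventhandlers \
         /usr/lib/nagios/plugins/eventhandlers/restart.sh \
         /usr/lib64/nagios/plugins/check_custom; do
    printf '%-50s %s\n' "$p" "$(expected_type "$p")"
done
```

       A path that prints none is not covered by the defaults listed on this
       page, so its label and any domain transition come from other policy
       entries or from a semanage fcontext rule you add.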

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
       nagios_checkdisk_plugin_selinux(8),
       nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
       nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
       nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
       nagios_unconfined_plugin_selinux(8)

nagios                             20-05-05                  nagios_selinux(8)