1nagios_selinux(8) SELinux Policy nagios nagios_selinux(8)
2
6 nagios_selinux - Security Enhanced Linux Policy for the nagios pro‐
7 cesses
8
10 Security-Enhanced Linux secures the nagios processes via flexible
11 mandatory access control.
12 The nagios processes execute with the nagios_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep nagios_t
20
24 The nagios_t SELinux type can be entered via the nagios_exec_t file
25 type.
26 The default entrypoint paths for the nagios_t domain are the following:
28 /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 nagios policy is very flexible allowing users to setup their nagios
39 processes in as secure a method as possible.
40 The following process types are defined for nagios:
42 nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t, nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t, nagios_openshift_plugin_t, nagios_script_t
44 Note: semanage permissive -a nagios_t can be used to make the process
46 type nagios_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. nagios
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run nagios with the tightest access possible.
55 If you want to allow nagios run in conjunction with PNP4Nagios, you
59 must turn on the nagios_run_pnp4nagios boolean. Disabled by default.
60 setsebool -P nagios_run_pnp4nagios 1
62 If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
66 you must turn on the nagios_run_sudo boolean. Disabled by default.
67 setsebool -P nagios_run_sudo 1
69 If you want to determine whether Nagios, NRPE can access nfs file sys‐
73 tems, you must turn on the nagios_use_nfs boolean. Disabled by default.
74 setsebool -P nagios_use_nfs 1
76 If you want to dontaudit all daemons scheduling requests (setsched,
80 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
81 Enabled by default.
82 setsebool -P daemons_dontaudit_scheduling 1
84 If you want to allow all domains to execute in fips_mode, you must turn
88 on the fips_mode boolean. Enabled by default.
89 setsebool -P fips_mode 1
91 If you want to allow system to run with NIS, you must turn on the
95 nis_enabled boolean. Disabled by default.
96 setsebool -P nis_enabled 1
98
102 The SELinux process type nagios_t can manage files labeled with the
103 following file types. The paths listed are the default paths for these
104 file types. Note the processes UID still need to have DAC permissions.
105 cluster_conf_t
107 /etc/cluster(/.*)?
109 cluster_var_lib_t
111 /var/lib/pcsd(/.*)?
113 /var/lib/cluster(/.*)?
114 /var/lib/openais(/.*)?
115 /var/lib/pengine(/.*)?
116 /var/lib/corosync(/.*)?
117 /usr/lib/heartbeat(/.*)?
118 /var/lib/heartbeat(/.*)?
119 /var/lib/pacemaker(/.*)?
120 cluster_var_run_t
122 /var/run/crm(/.*)?
124 /var/run/cman_.*
125 /var/run/rsctmp(/.*)?
126 /var/run/aisexec.*
127 /var/run/heartbeat(/.*)?
128 /var/run/pcsd-ruby.socket
129 /var/run/corosync-qnetd(/.*)?
130 /var/run/corosync-qdevice(/.*)?
131 /var/run/corosync.pid
132 /var/run/cpglockd.pid
133 /var/run/rgmanager.pid
134 /var/run/cluster/rgmanager.sk
135 faillog_t
137 /var/log/btmp.*
139 /var/log/faillog.*
140 /var/log/tallylog.*
141 /var/run/faillock(/.*)?
142 krb5_host_rcache_t
144 /var/tmp/krb5_0.rcache2
146 /var/cache/krb5rcache(/.*)?
147 /var/tmp/nfs_0
148 /var/tmp/DNS_25
149 /var/tmp/host_0
150 /var/tmp/imap_0
151 /var/tmp/HTTP_23
152 /var/tmp/HTTP_48
153 /var/tmp/ldap_55
154 /var/tmp/ldap_487
155 /var/tmp/ldapmap1_0
156 lastlog_t
158 /var/log/lastlog.*
160 nagios_log_t
162 /var/log/icinga(/.*)?
164 /var/log/nagios(/.*)?
165 /var/log/netsaint(/.*)?
166 /var/log/pnp4nagios(/.*)?
167 nagios_spool_t
169 /var/spool/icinga(/.*)?
171 /var/spool/nagios(/.*)?
172 nagios_tmp_t
174 nagios_var_lib_t
177 /usr/lib/pnp4nagios(/.*)?
179 /var/lib/pnp4nagios(/.*)?
180 nagios_var_run_t
182 /var/run/nagios.*
184 nfs_t
186 root_t
189 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
191 /
192 /initrd
193 security_t
195 /selinux
197 sudo_db_t
199 /var/db/sudo(/.*)?
201 systemd_passwd_var_run_t
203 /var/run/systemd/ask-password(/.*)?
205 /var/run/systemd/ask-password-block(/.*)?
206
209 SELinux requires files to have an extended attribute to define the file
210 type.
211 You can see the context of a file using the -Z option to ls
213 Policy governs the access confined processes have to these files.
215 SELinux nagios policy is very flexible allowing users to setup their
216 nagios processes in as secure a method as possible.
217 STANDARD FILE CONTEXT
219 SELinux defines the file context types for the nagios, if you wanted to
221 store files with these types in a different paths, you need to execute
222 the semanage command to specify alternate labeling and then use re‐
223 storecon to put the labels on disk.
224 semanage fcontext -a -t nagios_exec_t '/srv/nagios/content(/.*)?'
226 restorecon -R -v /srv/mynagios_content
227 Note: SELinux often uses regular expressions to specify labels that
229 match multiple files.
230 The following file types are defined for nagios:
232 nagios_admin_plugin_exec_t
236 - Set files with the nagios_admin_plugin_exec_t type, if you want to
238 transition an executable to the nagios_admin_plugin_t domain.
239 nagios_checkdisk_plugin_exec_t
243 - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
245 to transition an executable to the nagios_checkdisk_plugin_t domain.
246 Paths:
249 /usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plug‐
250 ins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart,
251 /usr/lib/nagios/plugins/check_linux_raid
252 nagios_content_t
255 - Set files with the nagios_content_t type, if you want to treat the
257 files as nagios content.
258 nagios_etc_t
262 - Set files with the nagios_etc_t type, if you want to store nagios
264 files in the /etc directories.
265 Paths:
268 /etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?
269 nagios_eventhandler_plugin_exec_t
272 - Set files with the nagios_eventhandler_plugin_exec_t type, if you
274 want to transition an executable to the nagios_eventhandler_plugin_t
275 domain.
276 Paths:
279 /usr/lib/icinga/plugins/eventhandlers(/.*), /usr/lib/nagios/plug‐
280 ins/eventhandlers(/.*)
281 nagios_eventhandler_plugin_tmp_t
284 - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
286 to store nagios eventhandler plugin temporary files in the /tmp direc‐
287 tories.
288 nagios_exec_t
292 - Set files with the nagios_exec_t type, if you want to transition an
294 executable to the nagios_t domain.
295 Paths:
298 /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/na‐
299 gios
300 nagios_htaccess_t
303 - Set files with the nagios_htaccess_t type, if you want to treat the
305 file as a nagios access file.
306 nagios_initrc_exec_t
310 - Set files with the nagios_initrc_exec_t type, if you want to transi‐
312 tion an executable to the nagios_initrc_t domain.
313 Paths:
316 /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios
317 nagios_log_t
320 - Set files with the nagios_log_t type, if you want to treat the data
322 as nagios log data, usually stored under the /var/log directory.
323 Paths:
326 /var/log/icinga(/.*)?, /var/log/nagios(/.*)?, /var/log/net‐
327 saint(/.*)?, /var/log/pnp4nagios(/.*)?
328 nagios_mail_plugin_exec_t
331 - Set files with the nagios_mail_plugin_exec_t type, if you want to
333 transition an executable to the nagios_mail_plugin_t domain.
334 nagios_openshift_plugin_exec_t
338 - Set files with the nagios_openshift_plugin_exec_t type, if you want
340 to transition an executable to the nagios_openshift_plugin_t domain.
341 Paths:
344 /usr/lib64/nagios/plugins/check_node_accept_status, /usr/lib64/na‐
345 gios/plugins/check_number_openshift_apps
346 nagios_openshift_plugin_tmp_t
349 - Set files with the nagios_openshift_plugin_tmp_t type, if you want to
351 store nagios openshift plugin temporary files in the /tmp directories.
352 nagios_ra_content_t
356 - Set files with the nagios_ra_content_t type, if you want to treat the
358 files as nagios read/append content.
359 nagios_rw_content_t
363 - Set files with the nagios_rw_content_t type, if you want to treat the
365 files as nagios read/write content.
366 nagios_script_exec_t
370 - Set files with the nagios_script_exec_t type, if you want to transi‐
372 tion an executable to the nagios_script_t domain.
373 Paths:
376 /usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
377 /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
378 /usr/lib/cgi-bin/netsaint(/.*)?
379 nagios_services_plugin_exec_t
382 - Set files with the nagios_services_plugin_exec_t type, if you want to
384 transition an executable to the nagios_services_plugin_t domain.
385 Paths:
388 /usr/lib(64)?/nagios/plugins/check_nt, /usr/lib(64)?/nagios/plug‐
389 ins/check_dig, /usr/lib(64)?/nagios/plugins/check_dns,
390 /usr/lib(64)?/nagios/plugins/check_rpc, /usr/lib(64)?/nagios/plug‐
391 ins/check_sip, /usr/lib(64)?/nagios/plugins/check_ssh,
392 /usr/lib(64)?/nagios/plugins/check_tcp, /usr/lib(64)?/nagios/plug‐
393 ins/check_ups, /usr/lib(64)?/nagios/plugins/check_dhcp,
394 /usr/lib(64)?/nagios/plugins/check_game, /usr/lib(64)?/na‐
395 gios/plugins/check_hpjd, /usr/lib(64)?/nagios/plugins/check_http,
396 /usr/lib(64)?/nagios/plugins/check_icmp, /usr/lib(64)?/na‐
397 gios/plugins/check_ircd, /usr/lib(64)?/nagios/plugins/check_ldap,
398 /usr/lib(64)?/nagios/plugins/check_nrpe, /usr/lib(64)?/na‐
399 gios/plugins/check_ping, /usr/lib(64)?/nagios/plugins/check_real,
400 /usr/lib(64)?/nagios/plugins/check_smtp, /usr/lib(64)?/na‐
401 gios/plugins/check_time, /usr/lib(64)?/nagios/plugins/check_dummy,
402 /usr/lib(64)?/nagios/plugins/check_fping, /usr/lib(64)?/na‐
403 gios/plugins/check_mysql, /usr/lib(64)?/nagios/plug‐
404 ins/check_ntp.*, /usr/lib(64)?/nagios/plugins/check_pgsql,
405 /usr/lib(64)?/nagios/plugins/check_breeze, /usr/lib(64)?/na‐
406 gios/plugins/check_oracle, /usr/lib(64)?/nagios/plugins/check_ra‐
407 dius, /usr/lib(64)?/nagios/plugins/check_snmp.*, /usr/lib(64)?/na‐
408 gios/plugins/check_cluster, /usr/lib(64)?/nagios/plug‐
409 ins/check_mysql_query
410 nagios_spool_t
413 - Set files with the nagios_spool_t type, if you want to store the na‐
415 gios files under the /var/spool directory.
416 Paths:
419 /var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?
420 nagios_system_plugin_exec_t
423 - Set files with the nagios_system_plugin_exec_t type, if you want to
425 transition an executable to the nagios_system_plugin_t domain.
426 Paths:
429 /usr/lib(64)?/nagios/plugins/check_log, /usr/lib(64)?/nagios/plug‐
430 ins/check_load, /usr/lib(64)?/nagios/plugins/check_mrtg,
431 /usr/lib(64)?/nagios/plugins/check_swap, /usr/lib(64)?/na‐
432 gios/plugins/check_wave, /usr/lib(64)?/nagios/plugins/check_procs,
433 /usr/lib(64)?/nagios/plugins/check_users, /usr/lib(64)?/na‐
434 gios/plugins/check_flexlm, /usr/lib(64)?/nagios/plugins/check_na‐
435 gios, /usr/lib(64)?/nagios/plugins/check_nwstat, /usr/lib(64)?/na‐
436 gios/plugins/check_overcr, /usr/lib(64)?/nagios/plugins/check_sen‐
437 sors, /usr/lib(64)?/nagios/plugins/check_ifstatus,
438 /usr/lib(64)?/nagios/plugins/check_mrtgtraf, /usr/lib(64)?/na‐
439 gios/plugins/check_ifoperstatus
440 nagios_system_plugin_tmp_t
443 - Set files with the nagios_system_plugin_tmp_t type, if you want to
445 store nagios system plugin temporary files in the /tmp directories.
446 nagios_tmp_t
450 - Set files with the nagios_tmp_t type, if you want to store nagios
452 temporary files in the /tmp directories.
453 nagios_unconfined_plugin_exec_t
457 - Set files with the nagios_unconfined_plugin_exec_t type, if you want
459 to transition an executable to the nagios_unconfined_plugin_t domain.
460 nagios_var_lib_t
464 - Set files with the nagios_var_lib_t type, if you want to store the
466 nagios files under the /var/lib directory.
467 Paths:
470 /usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?
471 nagios_var_run_t
474 - Set files with the nagios_var_run_t type, if you want to store the
476 nagios files under the /run or /var/run directory.
477 Note: File context can be temporarily modified with the chcon command.
481 If you want to permanently change the file context you need to use the
482 semanage fcontext command. This will modify the SELinux labeling data‐
483 base. You will need to use restorecon to apply the labels.
484
487 semanage fcontext can also be used to manipulate default file context
488 mappings.
489 semanage permissive can also be used to manipulate whether or not a
491 process type is permissive.
492 semanage module can also be used to enable/disable/install/remove pol‐
494 icy modules.
495 semanage boolean can also be used to manipulate the booleans
497 system-config-selinux is a GUI tool available to customize SELinux pol‐
500 icy settings.
501
504 This manual page was auto-generated using sepolicy manpage .
505
508 selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1), sepol‐
509 icy(8), setsebool(8), nagios_admin_plugin_selinux(8), nagios_ad‐
510 min_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), na‐
511 gios_checkdisk_plugin_selinux(8), nagios_even‐
512 thandler_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), na‐
513 gios_mail_plugin_selinux(8), nagios_mail_plugin_selinux(8), na‐
514 gios_openshift_plugin_selinux(8), nagios_openshift_plugin_selinux(8),
515 nagios_script_selinux(8), nagios_script_selinux(8), nagios_ser‐
516 vices_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_sys‐
517 tem_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_uncon‐
518 fined_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
519nagios 23-10-20 nagios_selinux(8)