1nrpe_selinux(8) SELinux Policy nrpe nrpe_selinux(8)
2
6 nrpe_selinux - Security Enhanced Linux Policy for the nrpe processes
7
9 Security-Enhanced Linux secures the nrpe processes via flexible manda‐
10 tory access control.
11 The nrpe processes execute with the nrpe_t SELinux type. You can check
13 if you have these processes running by executing the ps command with
14 the -Z qualifier.
15 For example:
17 ps -eZ | grep nrpe_t
19
23 The nrpe_t SELinux type can be entered via the nrpe_exec_t file type.
24 The default entrypoint paths for the nrpe_t domain are the following:
26 /usr/bin/nrpe, /usr/sbin/nrpe
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 nrpe policy is very flexible allowing users to setup their nrpe pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for nrpe:
40 nrpe_t
42 Note: semanage permissive -a nrpe_t can be used to make the process
44 type nrpe_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. nrpe
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run nrpe with the tightest access possible.
53 If you want to dontaudit all daemons scheduling requests (setsched,
57 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
58 Enabled by default.
59 setsebool -P daemons_dontaudit_scheduling 1
61 If you want to allow all domains to execute in fips_mode, you must turn
65 on the fips_mode boolean. Enabled by default.
66 setsebool -P fips_mode 1
68 If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
72 you must turn on the nagios_run_sudo boolean. Disabled by default.
73 setsebool -P nagios_run_sudo 1
75 If you want to determine whether Nagios, NRPE can access nfs file sys‐
79 tems, you must turn on the nagios_use_nfs boolean. Disabled by default.
80 setsebool -P nagios_use_nfs 1
82 If you want to allow system to run with NIS, you must turn on the
86 nis_enabled boolean. Disabled by default.
87 setsebool -P nis_enabled 1
89
93 The SELinux process type nrpe_t can manage files labeled with the fol‐
94 lowing file types. The paths listed are the default paths for these
95 file types. Note the processes UID still need to have DAC permissions.
96 cluster_conf_t
98 /etc/cluster(/.*)?
100 cluster_var_lib_t
102 /var/lib/pcsd(/.*)?
104 /var/lib/cluster(/.*)?
105 /var/lib/openais(/.*)?
106 /var/lib/pengine(/.*)?
107 /var/lib/corosync(/.*)?
108 /usr/lib/heartbeat(/.*)?
109 /var/lib/heartbeat(/.*)?
110 /var/lib/pacemaker(/.*)?
111 cluster_var_run_t
113 /var/run/crm(/.*)?
115 /var/run/cman_.*
116 /var/run/rsctmp(/.*)?
117 /var/run/aisexec.*
118 /var/run/heartbeat(/.*)?
119 /var/run/pcsd-ruby.socket
120 /var/run/corosync-qnetd(/.*)?
121 /var/run/corosync-qdevice(/.*)?
122 /var/run/corosync.pid
123 /var/run/cpglockd.pid
124 /var/run/rgmanager.pid
125 /var/run/cluster/rgmanager.sk
126 faillog_t
128 /var/log/btmp.*
130 /var/log/faillog.*
131 /var/log/tallylog.*
132 /var/run/faillock(/.*)?
133 krb5_host_rcache_t
135 /var/tmp/krb5_0.rcache2
137 /var/cache/krb5rcache(/.*)?
138 /var/tmp/nfs_0
139 /var/tmp/DNS_25
140 /var/tmp/host_0
141 /var/tmp/imap_0
142 /var/tmp/HTTP_23
143 /var/tmp/HTTP_48
144 /var/tmp/ldap_55
145 /var/tmp/ldap_487
146 /var/tmp/ldapmap1_0
147 lastlog_t
149 /var/log/lastlog.*
151 nfs_t
153 nrpe_var_run_t
156 root_t
159 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
161 /
162 /initrd
163 security_t
165 /selinux
167 sudo_db_t
169 /var/db/sudo(/.*)?
171
174 SELinux requires files to have an extended attribute to define the file
175 type.
176 You can see the context of a file using the -Z option to ls
178 Policy governs the access confined processes have to these files.
180 SELinux nrpe policy is very flexible allowing users to setup their nrpe
181 processes in as secure a method as possible.
182 STANDARD FILE CONTEXT
184 SELinux defines the file context types for the nrpe, if you wanted to
186 store files with these types in a different paths, you need to execute
187 the semanage command to specify alternate labeling and then use re‐
188 storecon to put the labels on disk.
189 semanage fcontext -a -t nrpe_exec_t '/srv/nrpe/content(/.*)?'
191 restorecon -R -v /srv/mynrpe_content
192 Note: SELinux often uses regular expressions to specify labels that
194 match multiple files.
195 The following file types are defined for nrpe:
197 nrpe_etc_t
201 - Set files with the nrpe_etc_t type, if you want to store nrpe files
203 in the /etc directories.
204 nrpe_exec_t
208 - Set files with the nrpe_exec_t type, if you want to transition an ex‐
210 ecutable to the nrpe_t domain.
211 Paths:
214 /usr/bin/nrpe, /usr/sbin/nrpe
215 nrpe_var_run_t
218 - Set files with the nrpe_var_run_t type, if you want to store the nrpe
220 files under the /run or /var/run directory.
221 Note: File context can be temporarily modified with the chcon command.
225 If you want to permanently change the file context you need to use the
226 semanage fcontext command. This will modify the SELinux labeling data‐
227 base. You will need to use restorecon to apply the labels.
228
231 semanage fcontext can also be used to manipulate default file context
232 mappings.
233 semanage permissive can also be used to manipulate whether or not a
235 process type is permissive.
236 semanage module can also be used to enable/disable/install/remove pol‐
238 icy modules.
239 semanage boolean can also be used to manipulate the booleans
241 system-config-selinux is a GUI tool available to customize SELinux pol‐
244 icy settings.
245
248 This manual page was auto-generated using sepolicy manpage .
249
252 selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
253 setsebool(8)
254nrpe 23-10-20 nrpe_selinux(8)