nagios_selinux(8) SELinux Policy nagios nagios_selinux(8)

nagios_selinux - Security Enhanced Linux Policy for the nagios processes

Security-Enhanced Linux secures the nagios processes via flexible
mandatory access control.

The nagios processes execute with the nagios_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

    ps -eZ | grep nagios_t

The nagios_t SELinux type can be entered via the nagios_exec_t file
type.

The default entrypoint paths for the nagios_t domain are the following:

    /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
nagios policy is very flexible, allowing users to set up their nagios
processes in as secure a method as possible.

The following process types are defined for nagios:

nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t, nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t, nagios_openshift_plugin_t, nagios_script_t

Note: semanage permissive -a nagios_t can be used to make the process
type nagios_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.
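
The note above means a permissive nagios_t still leaves an audit trail of every access that enforcing mode would have blocked. The following is an added example, not part of the generated manual page: it summarises those records from audit.log-style input. The function names and the sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list what nagios_t was allowed to do only because the
# domain was permissive (AVC records carrying permissive=1).

# Constructed sample records in audit.log AVC format (not from a real host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1570500000.101:401): avc:  denied  { read } for  pid=2101 comm="nagios" name="shadow" dev="dm-0" ino=1101 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570500060.202:402): avc:  denied  { read } for  pid=2101 comm="nagios" name="shadow" dev="dm-0" ino=1101 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570500090.303:403): avc:  denied  { write } for  pid=2101 comm="nagios" name="hosts" dev="dm-0" ino=1202 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1570500120.404:404): avc:  denied  { getattr } for  pid=3300 comm="httpd" path="/srv/x" dev="dm-0" ino=1303 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570500150.505:405): avc:  denied  { name_connect } for  pid=2101 comm="nagios" dest=22 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Reads AVC records on stdin and prints "perms tclass target_type count"
# for source type nagios_t where the access was logged but not blocked.
permissive_hits() {
    awk '
    /type=AVC/ && /permissive=1/ {
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "nagios_t") next
        # The permission list sits between "{ " and " }".
        perms = $0
        sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
        gsub(/ /, ",", perms)
        count[perms " " cls " " tgt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# On a real host, feed the audit log instead of the sample:
#   permissive_hits < /var/log/audit/audit.log
sample_avc | permissive_hits
```

Each output line is an access to review before switching nagios_t back to enforcing: either the policy needs a rule or boolean for it, or the process should not be doing it.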

SELinux policy is customizable based on least access required. nagios
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run nagios with the tightest access possible.

If you want to allow nagios to run in conjunction with PNP4Nagios, you
must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

    setsebool -P nagios_run_pnp4nagios 1

If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
you must turn on the nagios_run_sudo boolean. Disabled by default.

    setsebool -P nagios_run_sudo 1

If you want to determine whether Nagios and NRPE can access nfs file
systems, you must turn on the nagios_use_nfs boolean. Disabled by default.

    setsebool -P nagios_use_nfs 1

If you want to allow users to resolve user passwd entries directly from
ldap rather than using an sssd server, you must turn on the
authlogin_nsswitch_use_ldap boolean. Disabled by default.

    setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you
must turn on the kerberos_enabled boolean. Enabled by default.

    setsebool -P kerberos_enabled 1

If you want to allow system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

    setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Enabled by default.

    setsebool -P nscd_use_shm 1
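
Because each boolean above widens or narrows what nagios_t may do, it is worth checking a host against the defaults this page states. The following is an added example, not part of the generated manual page: it compares `getsebool -a` style output ("name --> on|off") with those defaults. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report nagios-related booleans that differ from the
# defaults listed in this manual page.

# Defaults exactly as stated above (Disabled = off, Enabled = on).
page_defaults() {
cat <<'EOF'
nagios_run_pnp4nagios off
nagios_run_sudo off
nagios_use_nfs off
authlogin_nsswitch_use_ldap off
fips_mode on
kerberos_enabled on
nis_enabled off
nscd_use_shm on
EOF
}

# Constructed sample in the format printed by `getsebool -a`.
sample_getsebool() {
cat <<'EOF'
fips_mode --> on
httpd_can_network_connect --> off
kerberos_enabled --> on
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> on
nis_enabled --> off
nscd_use_shm --> on
EOF
}

# Reads getsebool output on stdin; prints one line per boolean that is
# absent from the input or set differently from the page default.
boolean_drift() {
    drift_current="$(cat)"
    page_defaults | while read -r name want; do
        have="$(printf '%s\n' "$drift_current" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')"
        if [ -z "$have" ]; then
            echo "$name missing default=$want"
        elif [ "$have" != "$want" ]; then
            echo "$name drift default=$want current=$have"
        fi
    done
}

# On a real host: getsebool -a | boolean_drift
sample_getsebool | boolean_drift
```

A boolean reported as drift, such as nagios_run_sudo turned on, is not necessarily wrong, but it should correspond to a documented need, since it grants the nagios domain access that the default policy withholds.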

The SELinux process type nagios_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

    /etc/cluster(/.*)?

cluster_var_lib_t

    /var/lib/pcsd(/.*)?
    /var/lib/cluster(/.*)?
    /var/lib/openais(/.*)?
    /var/lib/pengine(/.*)?
    /var/lib/corosync(/.*)?
    /usr/lib/heartbeat(/.*)?
    /var/lib/heartbeat(/.*)?
    /var/lib/pacemaker(/.*)?

cluster_var_run_t

    /var/run/crm(/.*)?
    /var/run/cman_.*
    /var/run/rsctmp(/.*)?
    /var/run/aisexec.*
    /var/run/heartbeat(/.*)?
    /var/run/corosync-qnetd(/.*)?
    /var/run/corosync-qdevice(/.*)?
    /var/run/corosync.pid
    /var/run/cpglockd.pid
    /var/run/rgmanager.pid
    /var/run/cluster/rgmanager.sk

faillog_t

    /var/log/btmp.*
    /var/log/faillog.*
    /var/log/tallylog.*
    /var/run/faillock(/.*)?

lastlog_t

    /var/log/lastlog.*

nagios_log_t

    /var/log/icinga(/.*)?
    /var/log/nagios(/.*)?
    /var/log/netsaint(/.*)?
    /var/log/pnp4nagios(/.*)?

nagios_spool_t

    /var/spool/icinga(/.*)?
    /var/spool/nagios(/.*)?

nagios_tmp_t

nagios_var_lib_t

    /usr/lib/pnp4nagios(/.*)?
    /var/lib/pnp4nagios(/.*)?

nagios_var_run_t

    /var/run/nagios.*

nfs_t

root_t

    /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
    /
    /initrd

security_t

    /selinux

sudo_db_t

    /var/db/sudo(/.*)?

systemd_passwd_var_run_t

    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?


SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux nagios policy is very flexible, allowing users to set up their
nagios processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for nagios. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

    semanage fcontext -a -t nagios_ra_content_t '/srv/mynagios_content(/.*)?'
    restorecon -R -v /srv/mynagios_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for nagios:


nagios_admin_plugin_exec_t

- Set files with the nagios_admin_plugin_exec_t type, if you want to
transition an executable to the nagios_admin_plugin_t domain.

nagios_checkdisk_plugin_exec_t

- Set files with the nagios_checkdisk_plugin_exec_t type, if you want
to transition an executable to the nagios_checkdisk_plugin_t domain.

Paths:
    /usr/lib/nagios/plugins/check_disk,
    /usr/lib/nagios/plugins/check_disk_smb,
    /usr/lib/nagios/plugins/check_ide_smart,
    /usr/lib/nagios/plugins/check_linux_raid

nagios_content_t

- Set files with the nagios_content_t type, if you want to treat the
files as nagios content.

nagios_etc_t

- Set files with the nagios_etc_t type, if you want to store nagios
files in the /etc directories.

Paths:
    /etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?

nagios_eventhandler_plugin_exec_t

- Set files with the nagios_eventhandler_plugin_exec_t type, if you
want to transition an executable to the nagios_eventhandler_plugin_t
domain.

Paths:
    /usr/lib/icinga/plugins/eventhandlers(/.*),
    /usr/lib/nagios/plugins/eventhandlers(/.*)

nagios_eventhandler_plugin_tmp_t

- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
to store nagios eventhandler plugin temporary files in the /tmp
directories.

nagios_exec_t

- Set files with the nagios_exec_t type, if you want to transition an
executable to the nagios_t domain.

Paths:
    /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga,
    /usr/sbin/nagios

nagios_htaccess_t

- Set files with the nagios_htaccess_t type, if you want to treat the
file as a nagios access file.

nagios_initrc_exec_t

- Set files with the nagios_initrc_exec_t type, if you want to
transition an executable to the nagios_initrc_t domain.

Paths:
    /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios

nagios_log_t

- Set files with the nagios_log_t type, if you want to treat the data
as nagios log data, usually stored under the /var/log directory.

Paths:
    /var/log/icinga(/.*)?, /var/log/nagios(/.*)?,
    /var/log/netsaint(/.*)?, /var/log/pnp4nagios(/.*)?


nagios_mail_plugin_exec_t

- Set files with the nagios_mail_plugin_exec_t type, if you want to
transition an executable to the nagios_mail_plugin_t domain.

nagios_openshift_plugin_exec_t

- Set files with the nagios_openshift_plugin_exec_t type, if you want
to transition an executable to the nagios_openshift_plugin_t domain.

Paths:
    /usr/lib64/nagios/plugins/check_node_accept_status,
    /usr/lib64/nagios/plugins/check_number_openshift_apps

nagios_openshift_plugin_tmp_t

- Set files with the nagios_openshift_plugin_tmp_t type, if you want to
store nagios openshift plugin temporary files in the /tmp directories.

nagios_ra_content_t

- Set files with the nagios_ra_content_t type, if you want to treat the
files as nagios read/append content.

nagios_rw_content_t

- Set files with the nagios_rw_content_t type, if you want to treat the
files as nagios read/write content.

nagios_script_exec_t

- Set files with the nagios_script_exec_t type, if you want to
transition an executable to the nagios_script_t domain.

Paths:
    /usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
    /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
    /usr/lib/cgi-bin/netsaint(/.*)?

nagios_services_plugin_exec_t

- Set files with the nagios_services_plugin_exec_t type, if you want to
transition an executable to the nagios_services_plugin_t domain.

Paths:
    /usr/lib(64)?/nagios/plugins/check_nt,
    /usr/lib(64)?/nagios/plugins/check_dig,
    /usr/lib(64)?/nagios/plugins/check_dns,
    /usr/lib(64)?/nagios/plugins/check_rpc,
    /usr/lib(64)?/nagios/plugins/check_sip,
    /usr/lib(64)?/nagios/plugins/check_ssh,
    /usr/lib(64)?/nagios/plugins/check_tcp,
    /usr/lib(64)?/nagios/plugins/check_ups,
    /usr/lib(64)?/nagios/plugins/check_dhcp,
    /usr/lib(64)?/nagios/plugins/check_game,
    /usr/lib(64)?/nagios/plugins/check_hpjd,
    /usr/lib(64)?/nagios/plugins/check_http,
    /usr/lib(64)?/nagios/plugins/check_icmp,
    /usr/lib(64)?/nagios/plugins/check_ircd,
    /usr/lib(64)?/nagios/plugins/check_ldap,
    /usr/lib(64)?/nagios/plugins/check_nrpe,
    /usr/lib(64)?/nagios/plugins/check_ping,
    /usr/lib(64)?/nagios/plugins/check_real,
    /usr/lib(64)?/nagios/plugins/check_smtp,
    /usr/lib(64)?/nagios/plugins/check_time,
    /usr/lib(64)?/nagios/plugins/check_dummy,
    /usr/lib(64)?/nagios/plugins/check_fping,
    /usr/lib(64)?/nagios/plugins/check_mysql,
    /usr/lib(64)?/nagios/plugins/check_ntp.*,
    /usr/lib(64)?/nagios/plugins/check_pgsql,
    /usr/lib(64)?/nagios/plugins/check_breeze,
    /usr/lib(64)?/nagios/plugins/check_oracle,
    /usr/lib(64)?/nagios/plugins/check_radius,
    /usr/lib(64)?/nagios/plugins/check_snmp.*,
    /usr/lib(64)?/nagios/plugins/check_cluster,
    /usr/lib(64)?/nagios/plugins/check_mysql_query


nagios_spool_t

- Set files with the nagios_spool_t type, if you want to store the
nagios files under the /var/spool directory.

Paths:
    /var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?

nagios_system_plugin_exec_t

- Set files with the nagios_system_plugin_exec_t type, if you want to
transition an executable to the nagios_system_plugin_t domain.

Paths:
    /usr/lib(64)?/nagios/plugins/check_log,
    /usr/lib(64)?/nagios/plugins/check_load,
    /usr/lib(64)?/nagios/plugins/check_mrtg,
    /usr/lib(64)?/nagios/plugins/check_swap,
    /usr/lib(64)?/nagios/plugins/check_wave,
    /usr/lib(64)?/nagios/plugins/check_procs,
    /usr/lib(64)?/nagios/plugins/check_users,
    /usr/lib(64)?/nagios/plugins/check_flexlm,
    /usr/lib(64)?/nagios/plugins/check_nagios,
    /usr/lib(64)?/nagios/plugins/check_nwstat,
    /usr/lib(64)?/nagios/plugins/check_overcr,
    /usr/lib(64)?/nagios/plugins/check_sensors,
    /usr/lib(64)?/nagios/plugins/check_ifstatus,
    /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
    /usr/lib(64)?/nagios/plugins/check_ifoperstatus

nagios_system_plugin_tmp_t

- Set files with the nagios_system_plugin_tmp_t type, if you want to
store nagios system plugin temporary files in the /tmp directories.

nagios_tmp_t

- Set files with the nagios_tmp_t type, if you want to store nagios
temporary files in the /tmp directories.

nagios_unconfined_plugin_exec_t

- Set files with the nagios_unconfined_plugin_exec_t type, if you want
to transition an executable to the nagios_unconfined_plugin_t domain.

nagios_var_lib_t

- Set files with the nagios_var_lib_t type, if you want to store the
nagios files under the /var/lib directory.

Paths:
    /usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?

nagios_var_run_t

- Set files with the nagios_var_run_t type, if you want to store the
nagios files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.


semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
nagios_checkdisk_plugin_selinux(8),
nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
nagios_unconfined_plugin_selinux(8)

nagios 19-10-08 nagios_selinux(8)