1nagios_selinux(8) SELinux Policy nagios nagios_selinux(8)
2
6 nagios_selinux - Security Enhanced Linux Policy for the nagios pro‐
7 cesses
8
10 Security-Enhanced Linux secures the nagios processes via flexible
11 mandatory access control.
12 The nagios processes execute with the nagios_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep nagios_t
20
24 The nagios_t SELinux type can be entered via the nagios_exec_t file
25 type.
26 The default entrypoint paths for the nagios_t domain are the following:
28 /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 nagios policy is very flexible allowing users to setup their nagios
39 processes in as secure a method as possible.
40 The following process types are defined for nagios:
42 nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t, nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t, nagios_openshift_plugin_t, nagios_script_t
44 Note: semanage permissive -a nagios_t can be used to make the process
46 type nagios_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. nagios
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run nagios with the tightest access possible.
55 If you want to allow nagios run in conjunction with PNP4Nagios, you
59 must turn on the nagios_run_pnp4nagios boolean. Disabled by default.
60 setsebool -P nagios_run_pnp4nagios 1
62 If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
66 you must turn on the nagios_run_sudo boolean. Disabled by default.
67 setsebool -P nagios_run_sudo 1
69 If you want to determine whether Nagios, NRPE can access nfs file sys‐
73 tems, you must turn on the nagios_use_nfs boolean. Disabled by default.
74 setsebool -P nagios_use_nfs 1
76 If you want to allow all domains to execute in fips_mode, you must turn
80 on the fips_mode boolean. Enabled by default.
81 setsebool -P fips_mode 1
83
87 The SELinux process type nagios_t can manage files labeled with the
88 following file types. The paths listed are the default paths for these
89 file types. Note the processes UID still need to have DAC permissions.
90 cluster_conf_t
92 /etc/cluster(/.*)?
94 cluster_var_lib_t
96 /var/lib/pcsd(/.*)?
98 /var/lib/cluster(/.*)?
99 /var/lib/openais(/.*)?
100 /var/lib/pengine(/.*)?
101 /var/lib/corosync(/.*)?
102 /usr/lib/heartbeat(/.*)?
103 /var/lib/heartbeat(/.*)?
104 /var/lib/pacemaker(/.*)?
105 cluster_var_run_t
107 /var/run/crm(/.*)?
109 /var/run/cman_.*
110 /var/run/rsctmp(/.*)?
111 /var/run/aisexec.*
112 /var/run/heartbeat(/.*)?
113 /var/run/corosync-qnetd(/.*)?
114 /var/run/corosync-qdevice(/.*)?
115 /var/run/corosync.pid
116 /var/run/cpglockd.pid
117 /var/run/rgmanager.pid
118 /var/run/cluster/rgmanager.sk
119 faillog_t
121 /var/log/btmp.*
123 /var/log/faillog.*
124 /var/log/tallylog.*
125 /var/run/faillock(/.*)?
126 lastlog_t
128 /var/log/lastlog.*
130 nagios_log_t
132 /var/log/icinga(/.*)?
134 /var/log/nagios(/.*)?
135 /var/log/netsaint(/.*)?
136 /var/log/pnp4nagios(/.*)?
137 nagios_spool_t
139 /var/spool/icinga(/.*)?
141 /var/spool/nagios(/.*)?
142 nagios_var_lib_t
144 /usr/lib/pnp4nagios(/.*)?
146 /var/lib/pnp4nagios(/.*)?
147 nagios_var_run_t
149 /var/run/nagios.*
151 nfs_t
153 root_t
156 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
158 /
159 /initrd
160 security_t
162 /selinux
164 sudo_db_t
166 /var/db/sudo(/.*)?
168 systemd_passwd_var_run_t
170 /var/run/systemd/ask-password(/.*)?
172 /var/run/systemd/ask-password-block(/.*)?
173
176 SELinux requires files to have an extended attribute to define the file
177 type.
178 You can see the context of a file using the -Z option to ls
180 Policy governs the access confined processes have to these files.
182 SELinux nagios policy is very flexible allowing users to setup their
183 nagios processes in as secure a method as possible.
184 STANDARD FILE CONTEXT
186 SELinux defines the file context types for the nagios, if you wanted to
188 store files with these types in a diffent paths, you need to execute
189 the semanage command to sepecify alternate labeling and then use
190 restorecon to put the labels on disk.
191 semanage fcontext -a -t nagios_ra_content_t '/srv/mynagios_con‐
193 tent(/.*)?'
194 restorecon -R -v /srv/mynagios_content
195 Note: SELinux often uses regular expressions to specify labels that
197 match multiple files.
198 The following file types are defined for nagios:
200 nagios_admin_plugin_exec_t
204 - Set files with the nagios_admin_plugin_exec_t type, if you want to
206 transition an executable to the nagios_admin_plugin_t domain.
207 nagios_checkdisk_plugin_exec_t
211 - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
213 to transition an executable to the nagios_checkdisk_plugin_t domain.
214 Paths:
217 /usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plug‐
218 ins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart,
219 /usr/lib/nagios/plugins/check_linux_raid
220 nagios_content_t
223 - Set files with the nagios_content_t type, if you want to treat the
225 files as nagios content.
226 nagios_etc_t
230 - Set files with the nagios_etc_t type, if you want to store nagios
232 files in the /etc directories.
233 Paths:
236 /etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?
237 nagios_eventhandler_plugin_exec_t
240 - Set files with the nagios_eventhandler_plugin_exec_t type, if you
242 want to transition an executable to the nagios_eventhandler_plugin_t
243 domain.
244 Paths:
247 /usr/lib/icinga/plugins/eventhandlers(/.*), /usr/lib/nagios/plug‐
248 ins/eventhandlers(/.*)
249 nagios_eventhandler_plugin_tmp_t
252 - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
254 to store nagios eventhandler plugin temporary files in the /tmp direc‐
255 tories.
256 nagios_exec_t
260 - Set files with the nagios_exec_t type, if you want to transition an
262 executable to the nagios_t domain.
263 Paths:
266 /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga,
267 /usr/sbin/nagios
268 nagios_htaccess_t
271 - Set files with the nagios_htaccess_t type, if you want to treat the
273 file as a nagios access file.
274 nagios_initrc_exec_t
278 - Set files with the nagios_initrc_exec_t type, if you want to transi‐
280 tion an executable to the nagios_initrc_t domain.
281 Paths:
284 /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios
285 nagios_log_t
288 - Set files with the nagios_log_t type, if you want to treat the data
290 as nagios log data, usually stored under the /var/log directory.
291 Paths:
294 /var/log/icinga(/.*)?, /var/log/nagios(/.*)?, /var/log/net‐
295 saint(/.*)?, /var/log/pnp4nagios(/.*)?
296 nagios_mail_plugin_exec_t
299 - Set files with the nagios_mail_plugin_exec_t type, if you want to
301 transition an executable to the nagios_mail_plugin_t domain.
302 nagios_openshift_plugin_exec_t
306 - Set files with the nagios_openshift_plugin_exec_t type, if you want
308 to transition an executable to the nagios_openshift_plugin_t domain.
309 Paths:
312 /usr/lib64/nagios/plugins/check_node_accept_status,
313 /usr/lib64/nagios/plugins/check_number_openshift_apps
314 nagios_openshift_plugin_tmp_t
317 - Set files with the nagios_openshift_plugin_tmp_t type, if you want to
319 store nagios openshift plugin temporary files in the /tmp directories.
320 nagios_ra_content_t
324 - Set files with the nagios_ra_content_t type, if you want to treat the
326 files as nagios read/append content.
327 nagios_rw_content_t
331 - Set files with the nagios_rw_content_t type, if you want to treat the
333 files as nagios read/write content.
334 nagios_script_exec_t
338 - Set files with the nagios_script_exec_t type, if you want to transi‐
340 tion an executable to the nagios_script_t domain.
341 Paths:
344 /usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
345 /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
346 /usr/lib/cgi-bin/netsaint(/.*)?
347 nagios_services_plugin_exec_t
350 - Set files with the nagios_services_plugin_exec_t type, if you want to
352 transition an executable to the nagios_services_plugin_t domain.
353 Paths:
356 /usr/lib(64)?/nagios/plugins/check_nt, /usr/lib(64)?/nagios/plug‐
357 ins/check_dig, /usr/lib(64)?/nagios/plugins/check_dns,
358 /usr/lib(64)?/nagios/plugins/check_rpc, /usr/lib(64)?/nagios/plug‐
359 ins/check_sip, /usr/lib(64)?/nagios/plugins/check_ssh,
360 /usr/lib(64)?/nagios/plugins/check_tcp, /usr/lib(64)?/nagios/plug‐
361 ins/check_ups, /usr/lib(64)?/nagios/plugins/check_dhcp,
362 /usr/lib(64)?/nagios/plugins/check_game,
363 /usr/lib(64)?/nagios/plugins/check_hpjd,
364 /usr/lib(64)?/nagios/plugins/check_http,
365 /usr/lib(64)?/nagios/plugins/check_icmp,
366 /usr/lib(64)?/nagios/plugins/check_ircd,
367 /usr/lib(64)?/nagios/plugins/check_ldap,
368 /usr/lib(64)?/nagios/plugins/check_nrpe,
369 /usr/lib(64)?/nagios/plugins/check_ping,
370 /usr/lib(64)?/nagios/plugins/check_real,
371 /usr/lib(64)?/nagios/plugins/check_smtp,
372 /usr/lib(64)?/nagios/plugins/check_time,
373 /usr/lib(64)?/nagios/plugins/check_dummy,
374 /usr/lib(64)?/nagios/plugins/check_fping,
375 /usr/lib(64)?/nagios/plugins/check_mysql,
376 /usr/lib(64)?/nagios/plugins/check_ntp.*,
377 /usr/lib(64)?/nagios/plugins/check_pgsql,
378 /usr/lib(64)?/nagios/plugins/check_breeze,
379 /usr/lib(64)?/nagios/plugins/check_oracle,
380 /usr/lib(64)?/nagios/plugins/check_radius,
381 /usr/lib(64)?/nagios/plugins/check_snmp.*,
382 /usr/lib(64)?/nagios/plugins/check_cluster,
383 /usr/lib(64)?/nagios/plugins/check_mysql_query
384 nagios_spool_t
387 - Set files with the nagios_spool_t type, if you want to store the
389 nagios files under the /var/spool directory.
390 Paths:
393 /var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?
394 nagios_system_plugin_exec_t
397 - Set files with the nagios_system_plugin_exec_t type, if you want to
399 transition an executable to the nagios_system_plugin_t domain.
400 Paths:
403 /usr/lib(64)?/nagios/plugins/check_log, /usr/lib(64)?/nagios/plug‐
404 ins/check_load, /usr/lib(64)?/nagios/plugins/check_mrtg,
405 /usr/lib(64)?/nagios/plugins/check_swap,
406 /usr/lib(64)?/nagios/plugins/check_wave,
407 /usr/lib(64)?/nagios/plugins/check_procs,
408 /usr/lib(64)?/nagios/plugins/check_users,
409 /usr/lib(64)?/nagios/plugins/check_flexlm,
410 /usr/lib(64)?/nagios/plugins/check_nagios,
411 /usr/lib(64)?/nagios/plugins/check_nwstat,
412 /usr/lib(64)?/nagios/plugins/check_overcr,
413 /usr/lib(64)?/nagios/plugins/check_sensors,
414 /usr/lib(64)?/nagios/plugins/check_ifstatus,
415 /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
416 /usr/lib(64)?/nagios/plugins/check_ifoperstatus
417 nagios_system_plugin_tmp_t
420 - Set files with the nagios_system_plugin_tmp_t type, if you want to
422 store nagios system plugin temporary files in the /tmp directories.
423 nagios_tmp_t
427 - Set files with the nagios_tmp_t type, if you want to store nagios
429 temporary files in the /tmp directories.
430 nagios_unconfined_plugin_exec_t
434 - Set files with the nagios_unconfined_plugin_exec_t type, if you want
436 to transition an executable to the nagios_unconfined_plugin_t domain.
437 nagios_var_lib_t
441 - Set files with the nagios_var_lib_t type, if you want to store the
443 nagios files under the /var/lib directory.
444 Paths:
447 /usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?
448 nagios_var_run_t
451 - Set files with the nagios_var_run_t type, if you want to store the
453 nagios files under the /run or /var/run directory.
454 Note: File context can be temporarily modified with the chcon command.
458 If you want to permanently change the file context you need to use the
459 semanage fcontext command. This will modify the SELinux labeling data‐
460 base. You will need to use restorecon to apply the labels.
461
464 semanage fcontext can also be used to manipulate default file context
465 mappings.
466 semanage permissive can also be used to manipulate whether or not a
468 process type is permissive.
469 semanage module can also be used to enable/disable/install/remove pol‐
471 icy modules.
472 semanage boolean can also be used to manipulate the booleans
474 system-config-selinux is a GUI tool available to customize SELinux pol‐
477 icy settings.
478
481 This manual page was auto-generated using sepolicy manpage .
482
485 selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1), sepol‐
486 icy(8), setsebool(8), nagios_admin_plugin_selinux(8),
487 nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8),
488 nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plug‐
489 in_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plug‐
490 in_selinux(8), nagios_mail_plugin_selinux(8), nagios_openshift_plug‐
491 in_selinux(8), nagios_openshift_plugin_selinux(8),
492 nagios_script_selinux(8), nagios_script_selinux(8), nagios_ser‐
493 vices_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_sys‐
494 tem_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_uncon‐
495 fined_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
496nagios 20-05-05 nagios_selinux(8)