nagios_selinux(8)           SELinux Policy nagios           nagios_selinux(8)

nagios_selinux - Security Enhanced Linux Policy for the nagios processes

Security-Enhanced Linux secures the nagios processes via flexible
mandatory access control.

The nagios processes execute with the nagios_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

    ps -eZ | grep nagios_t

The nagios_t SELinux type can be entered via the nagios_exec_t file
type.

The default entrypoint paths for the nagios_t domain are the following:

    /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
nagios policy is very flexible, allowing users to set up their nagios
processes in as secure a method as possible.

The following process types are defined for nagios:

    nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t,
    nagios_mail_plugin_t, nagios_services_plugin_t,
    nagios_system_plugin_t, nagios_unconfined_plugin_t,
    nagios_eventhandler_plugin_t, nagios_openshift_plugin_t,
    nagios_script_t

Note: semanage permissive -a nagios_t can be used to make the process
type nagios_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

SELinux policy is customizable based on least access required. nagios
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run nagios with the tightest access possible.

If you want to allow nagios to run in conjunction with PNP4Nagios, you
must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

    setsebool -P nagios_run_pnp4nagios 1

If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
you must turn on the nagios_run_sudo boolean. Disabled by default.

    setsebool -P nagios_run_sudo 1

If you want to determine whether Nagios, NRPE can access nfs file
systems, you must turn on the nagios_use_nfs boolean. Disabled by default.

    setsebool -P nagios_use_nfs 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

    setsebool -P fips_mode 1

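An added example, not part of the auto-generated man page: a small shell audit that compares the booleans documented above against the defaults this page states and reports any that differ. The function names and sample lines are constructed for illustration; the input format is that of `getsebool -a` (`name --> on|off`).

```shell
#!/bin/sh
# Added example: report nagios-related SELinux booleans that differ from the
# defaults stated on this page. Function names are hypothetical.

# Constructed sample in `getsebool -a` format, so the audit runs offline.
sample_getsebool() {
cat <<'EOF'
fips_mode --> on
httpd_can_network_connect --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> off
EOF
}

# Reads `getsebool -a` output on stdin; prints one line per deviation.
audit_nagios_booleans() {
    awk '
        BEGIN {
            # Defaults as documented above.
            def["nagios_run_pnp4nagios"] = "off"
            def["nagios_run_sudo"]       = "off"
            def["nagios_use_nfs"]        = "off"
            def["fips_mode"]             = "on"
        }
        # Only lines of the form: name --> value, for booleans we track.
        $2 == "-->" && ($1 in def) {
            seen[$1] = 1
            if ($3 != def[$1]) {
                printf "%s current=%s default=%s\n", $1, $3, def[$1]
            }
        }
        END {
            # A tracked boolean absent from the input is reported too:
            # it is not defined in the policy that produced the listing.
            for (b in def) {
                if (!(b in seen)) {
                    printf "%s current=missing default=%s\n", b, def[b]
                }
            }
        }
    ' | sort
}

# Demo on the constructed sample.
# On a live host: getsebool -a | audit_nagios_booleans
sample_getsebool | audit_nagios_booleans
```
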
The SELinux process type nagios_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

    /etc/cluster(/.*)?

cluster_var_lib_t

    /var/lib/pcsd(/.*)?
    /var/lib/cluster(/.*)?
    /var/lib/openais(/.*)?
    /var/lib/pengine(/.*)?
    /var/lib/corosync(/.*)?
    /usr/lib/heartbeat(/.*)?
    /var/lib/heartbeat(/.*)?
    /var/lib/pacemaker(/.*)?

cluster_var_run_t

    /var/run/crm(/.*)?
    /var/run/cman_.*
    /var/run/rsctmp(/.*)?
    /var/run/aisexec.*
    /var/run/heartbeat(/.*)?
    /var/run/pcsd-ruby.socket
    /var/run/corosync-qnetd(/.*)?
    /var/run/corosync-qdevice(/.*)?
    /var/run/corosync.pid
    /var/run/cpglockd.pid
    /var/run/rgmanager.pid
    /var/run/cluster/rgmanager.sk

faillog_t

    /var/log/btmp.*
    /var/log/faillog.*
    /var/log/tallylog.*
    /var/run/faillock(/.*)?

krb5_host_rcache_t

    /var/tmp/krb5_0.rcache2
    /var/cache/krb5rcache(/.*)?
    /var/tmp/nfs_0
    /var/tmp/DNS_25
    /var/tmp/host_0
    /var/tmp/imap_0
    /var/tmp/HTTP_23
    /var/tmp/HTTP_48
    /var/tmp/ldap_55
    /var/tmp/ldap_487
    /var/tmp/ldapmap1_0

lastlog_t

    /var/log/lastlog.*

nagios_log_t

    /var/log/icinga(/.*)?
    /var/log/nagios(/.*)?
    /var/log/netsaint(/.*)?
    /var/log/pnp4nagios(/.*)?

nagios_spool_t

    /var/spool/icinga(/.*)?
    /var/spool/nagios(/.*)?

nagios_tmp_t

nagios_var_lib_t

    /usr/lib/pnp4nagios(/.*)?
    /var/lib/pnp4nagios(/.*)?

nagios_var_run_t

    /var/run/nagios.*

nfs_t

root_t

    /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
    /
    /initrd

security_t

    /selinux

sudo_db_t

    /var/db/sudo(/.*)?

systemd_passwd_var_run_t

    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux nagios policy is very flexible, allowing users to set up their
nagios processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for nagios. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

    semanage fcontext -a -t nagios_ra_content_t '/srv/mynagios_content(/.*)?'
    restorecon -R -v /srv/mynagios_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for nagios:

nagios_admin_plugin_exec_t

- Set files with the nagios_admin_plugin_exec_t type, if you want to
transition an executable to the nagios_admin_plugin_t domain.

nagios_checkdisk_plugin_exec_t

- Set files with the nagios_checkdisk_plugin_exec_t type, if you want
to transition an executable to the nagios_checkdisk_plugin_t domain.

Paths:
    /usr/lib/nagios/plugins/check_disk,
    /usr/lib/nagios/plugins/check_disk_smb,
    /usr/lib/nagios/plugins/check_ide_smart,
    /usr/lib/nagios/plugins/check_linux_raid

nagios_content_t

- Set files with the nagios_content_t type, if you want to treat the
files as nagios content.

nagios_etc_t

- Set files with the nagios_etc_t type, if you want to store nagios
files in the /etc directories.

Paths:
    /etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?

nagios_eventhandler_plugin_exec_t

- Set files with the nagios_eventhandler_plugin_exec_t type, if you
want to transition an executable to the nagios_eventhandler_plugin_t
domain.

Paths:
    /usr/lib/icinga/plugins/eventhandlers(/.*),
    /usr/lib/nagios/plugins/eventhandlers(/.*)

nagios_eventhandler_plugin_tmp_t

- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
to store nagios eventhandler plugin temporary files in the /tmp
directories.

nagios_exec_t

- Set files with the nagios_exec_t type, if you want to transition an
executable to the nagios_t domain.

Paths:
    /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

nagios_htaccess_t

- Set files with the nagios_htaccess_t type, if you want to treat the
file as a nagios access file.

nagios_initrc_exec_t

- Set files with the nagios_initrc_exec_t type, if you want to
transition an executable to the nagios_initrc_t domain.

Paths:
    /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios

nagios_log_t

- Set files with the nagios_log_t type, if you want to treat the data
as nagios log data, usually stored under the /var/log directory.

Paths:
    /var/log/icinga(/.*)?, /var/log/nagios(/.*)?,
    /var/log/netsaint(/.*)?, /var/log/pnp4nagios(/.*)?

nagios_mail_plugin_exec_t

- Set files with the nagios_mail_plugin_exec_t type, if you want to
transition an executable to the nagios_mail_plugin_t domain.

nagios_openshift_plugin_exec_t

- Set files with the nagios_openshift_plugin_exec_t type, if you want
to transition an executable to the nagios_openshift_plugin_t domain.

Paths:
    /usr/lib64/nagios/plugins/check_node_accept_status,
    /usr/lib64/nagios/plugins/check_number_openshift_apps

nagios_openshift_plugin_tmp_t

- Set files with the nagios_openshift_plugin_tmp_t type, if you want to
store nagios openshift plugin temporary files in the /tmp directories.

nagios_ra_content_t

- Set files with the nagios_ra_content_t type, if you want to treat the
files as nagios read/append content.

nagios_rw_content_t

- Set files with the nagios_rw_content_t type, if you want to treat the
files as nagios read/write content.

nagios_script_exec_t

- Set files with the nagios_script_exec_t type, if you want to
transition an executable to the nagios_script_t domain.

Paths:
    /usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
    /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
    /usr/lib/cgi-bin/netsaint(/.*)?

nagios_services_plugin_exec_t

- Set files with the nagios_services_plugin_exec_t type, if you want to
transition an executable to the nagios_services_plugin_t domain.

Paths:
    /usr/lib(64)?/nagios/plugins/check_nt,
    /usr/lib(64)?/nagios/plugins/check_dig,
    /usr/lib(64)?/nagios/plugins/check_dns,
    /usr/lib(64)?/nagios/plugins/check_rpc,
    /usr/lib(64)?/nagios/plugins/check_sip,
    /usr/lib(64)?/nagios/plugins/check_ssh,
    /usr/lib(64)?/nagios/plugins/check_tcp,
    /usr/lib(64)?/nagios/plugins/check_ups,
    /usr/lib(64)?/nagios/plugins/check_dhcp,
    /usr/lib(64)?/nagios/plugins/check_game,
    /usr/lib(64)?/nagios/plugins/check_hpjd,
    /usr/lib(64)?/nagios/plugins/check_http,
    /usr/lib(64)?/nagios/plugins/check_icmp,
    /usr/lib(64)?/nagios/plugins/check_ircd,
    /usr/lib(64)?/nagios/plugins/check_ldap,
    /usr/lib(64)?/nagios/plugins/check_nrpe,
    /usr/lib(64)?/nagios/plugins/check_ping,
    /usr/lib(64)?/nagios/plugins/check_real,
    /usr/lib(64)?/nagios/plugins/check_smtp,
    /usr/lib(64)?/nagios/plugins/check_time,
    /usr/lib(64)?/nagios/plugins/check_dummy,
    /usr/lib(64)?/nagios/plugins/check_fping,
    /usr/lib(64)?/nagios/plugins/check_mysql,
    /usr/lib(64)?/nagios/plugins/check_ntp.*,
    /usr/lib(64)?/nagios/plugins/check_pgsql,
    /usr/lib(64)?/nagios/plugins/check_breeze,
    /usr/lib(64)?/nagios/plugins/check_oracle,
    /usr/lib(64)?/nagios/plugins/check_radius,
    /usr/lib(64)?/nagios/plugins/check_snmp.*,
    /usr/lib(64)?/nagios/plugins/check_cluster,
    /usr/lib(64)?/nagios/plugins/check_mysql_query

nagios_spool_t

- Set files with the nagios_spool_t type, if you want to store the
nagios files under the /var/spool directory.

Paths:
    /var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?

nagios_system_plugin_exec_t

- Set files with the nagios_system_plugin_exec_t type, if you want to
transition an executable to the nagios_system_plugin_t domain.

Paths:
    /usr/lib(64)?/nagios/plugins/check_log,
    /usr/lib(64)?/nagios/plugins/check_load,
    /usr/lib(64)?/nagios/plugins/check_mrtg,
    /usr/lib(64)?/nagios/plugins/check_swap,
    /usr/lib(64)?/nagios/plugins/check_wave,
    /usr/lib(64)?/nagios/plugins/check_procs,
    /usr/lib(64)?/nagios/plugins/check_users,
    /usr/lib(64)?/nagios/plugins/check_flexlm,
    /usr/lib(64)?/nagios/plugins/check_nagios,
    /usr/lib(64)?/nagios/plugins/check_nwstat,
    /usr/lib(64)?/nagios/plugins/check_overcr,
    /usr/lib(64)?/nagios/plugins/check_sensors,
    /usr/lib(64)?/nagios/plugins/check_ifstatus,
    /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
    /usr/lib(64)?/nagios/plugins/check_ifoperstatus

nagios_system_plugin_tmp_t

- Set files with the nagios_system_plugin_tmp_t type, if you want to
store nagios system plugin temporary files in the /tmp directories.

nagios_tmp_t

- Set files with the nagios_tmp_t type, if you want to store nagios
temporary files in the /tmp directories.

nagios_unconfined_plugin_exec_t

- Set files with the nagios_unconfined_plugin_exec_t type, if you want
to transition an executable to the nagios_unconfined_plugin_t domain.

nagios_var_lib_t

- Set files with the nagios_var_lib_t type, if you want to store the
nagios files under the /var/lib directory.

Paths:
    /usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?

nagios_var_run_t

- Set files with the nagios_var_run_t type, if you want to store the
nagios files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

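An added example, not part of the man page: an offline check that compares a file's actual SELinux type with the type the patterns above assign to its path, the mismatch that leaves a plugin running without its intended domain transition. The table is a subset of the patterns listed on this page; the function names and sample lines are constructed, and taking the first fully anchored regex match is a simplification of the real lookup.

```shell
#!/bin/sh
# Added example: detect label drift on nagios files.
# Function names are hypothetical; the sample data is constructed.

# Subset of the "pattern type" pairs listed on this page.
nagios_fcontexts() {
cat <<'EOF'
/usr/sbin/nagios nagios_exec_t
/usr/lib/nagios/plugins/check_disk nagios_checkdisk_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_snmp.* nagios_services_plugin_exec_t
/usr/lib(64)?/nagios/plugins/check_load nagios_system_plugin_exec_t
/usr/lib/nagios/plugins/eventhandlers(/.*) nagios_eventhandler_plugin_exec_t
/etc/nagios(/.*)? nagios_etc_t
/var/log/nagios(/.*)? nagios_log_t
EOF
}

# Prints the type expected for path $1, or nothing if no pattern applies.
# File-context patterns must match the whole path, hence grep -x.
expected_type() {
    nagios_fcontexts | while read -r re type; do
        if printf '%s\n' "$1" | grep -Eqx -- "$re"; then
            printf '%s\n' "$type"
            break
        fi
    done
}

# stdin: "path context" lines, e.g. from: stat -c '%n %C' FILE...
audit_labels() {
    while read -r path ctx; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue                   # path not in the table
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
        [ "$have" = "$want" ] || printf '%s have=%s want=%s\n' "$path" "$have" "$want"
    done
}

# Constructed sample: a plugin that kept a home-directory label, a config
# file with a generic label, and a path the table does not cover.
sample_labels() {
cat <<'EOF'
/usr/sbin/nagios system_u:object_r:nagios_exec_t:s0
/usr/lib64/nagios/plugins/check_load unconfined_u:object_r:user_home_t:s0
/usr/lib/nagios/plugins/check_disk system_u:object_r:nagios_checkdisk_plugin_exec_t:s0
/etc/nagios/nagios.cfg system_u:object_r:etc_t:s0
/srv/other/file system_u:object_r:var_t:s0
EOF
}

sample_labels | audit_labels
```

On a live system, `restorecon -R -n -v` on the same directories reports this kind of drift against the full loaded policy without changing any label.
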
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
nagios_checkdisk_plugin_selinux(8),
nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
nagios_unconfined_plugin_selinux(8)

nagios                          21-11-19                 nagios_selinux(8)