nagios_selinux(8)            SELinux Policy nagios           nagios_selinux(8)

NAME

       nagios_selinux - Security Enhanced Linux Policy for the nagios
       processes

DESCRIPTION

       Security-Enhanced Linux secures the nagios processes via flexible
       mandatory access control.

       The nagios processes execute with the nagios_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep nagios_t

ENTRYPOINTS

       The nagios_t SELinux type can be entered via the nagios_exec_t file
       type.

       The default entrypoint paths for the nagios_t domain are the following:

       /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       nagios policy is very flexible, allowing users to set up their nagios
       processes in as secure a method as possible.

       The following process types are defined for nagios:

       nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t,
       nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t,
       nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t,
       nagios_openshift_plugin_t, nagios_script_t

       Note: semanage permissive -a nagios_t can be used to make the process
       type nagios_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
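
       Because a permissive domain still logs AVC messages, those records show
       what enforcing mode would deny. The script below is an added example,
       not part of the generated man page; the function name and the sample
       records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the man page): summarise AVC records whose source
# domain is a nagios type. permissive=1 means the access was only logged;
# permissive=0 means SELinux blocked it.

# Constructed sample audit records, not taken from a real system.
SAMPLE_AVC='type=AVC msg=audit(1637312345.101:410): avc:  denied  { read } for  pid=2101 comm="nagios" name="status.dat" dev="dm-0" ino=9001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1637312346.207:411): avc:  denied  { read } for  pid=2101 comm="nagios" name="status.dat" dev="dm-0" ino=9001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1637312350.515:412): avc:  denied  { name_connect } for  pid=2230 comm="check_http" dest=8443 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1637312351.002:413): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637312352.880:414): avc:  denied  { open read } for  pid=2101 comm="nagios" path="/tmp/probe" dev="dm-0" ino=9102 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

summarise_nagios_avc() {
    # stdin: audit records.
    # stdout: "mode domain permissions class target_type count", sorted.
    awk '
    $1 == "type=AVC" && / denied / {
        dom = tgt = cls = perms = ""
        mode = "unknown"          # records without a permissive= field
        inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^scontext=/)      { split($i, a, ":"); dom = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i == "permissive=1") mode = "logged-only"
            else if ($i == "permissive=0") mode = "blocked"
        }
        # Keep nagios_t, the nagios_*_plugin_t domains and nagios_script_t.
        if (dom ~ /^nagios_/)
            seen[mode " " dom " " perms " " cls " " tgt]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarise_nagios_avc
```

       On a live system, pipe the output of ausearch -m avc into the function
       instead of the sample.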

BOOLEANS

       SELinux policy is customizable based on least access required. nagios
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run nagios with the tightest access possible.

       If you want to allow nagios to run in conjunction with PNP4Nagios, you
       must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

       setsebool -P nagios_run_pnp4nagios 1

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to allow Nagios and NRPE to access NFS file systems, you
       must turn on the nagios_use_nfs boolean. Disabled by default.

       setsebool -P nagios_use_nfs 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1
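
       To keep nagios at the tightest access described above, the booleans on
       a host can be compared with the defaults listed in this section. The
       script below is an added example, not part of the generated man page;
       the function name and the sample getsebool output are constructed.

```sh
#!/bin/sh
# Added example (not from the man page): report nagios-related booleans that
# differ from the defaults this page lists, or that are not reported at all.

# Defaults as stated on this page: "name default what-it-controls".
PAGE_DEFAULTS='nagios_run_pnp4nagios off run in conjunction with PNP4Nagios
nagios_run_sudo off call sudo from NRPE utils scripts
nagios_use_nfs off access NFS file systems
fips_mode on all domains execute in fips_mode'

# Constructed sample in the "name --> state" format printed by getsebool.
SAMPLE_GETSEBOOL='fips_mode --> on
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
httpd_can_network_connect --> off'

audit_nagios_booleans() {
    # stdin: getsebool output. stdout: one line per finding.
    # Exit status: 0 if every boolean matches the page default, 1 otherwise.
    DEFAULTS="$PAGE_DEFAULTS" awk '
    BEGIN {
        n = split(ENVIRON["DEFAULTS"], row, "\n")
        for (i = 1; i <= n; i++) {
            split(row[i], f, " ")
            name[i] = f[1]; want[f[1]] = f[2]
            what[f[1]] = substr(row[i], length(f[1]) + length(f[2]) + 3)
        }
    }
    $2 == "-->" && ($1 in want) {
        seen[$1] = 1
        if ($3 != want[$1]) {
            printf "DEVIATION %s=%s (default %s): %s\n", $1, $3, want[$1], what[$1]
            bad = 1
        }
    }
    END {
        # A boolean absent from the input cannot be confirmed; flag it too.
        for (i = 1; i <= n; i++)
            if (!(name[i] in seen)) {
                printf "MISSING %s (no value reported)\n", name[i]
                bad = 1
            }
        exit (bad ? 1 : 0)
    }'
}

# Demo run on the constructed sample (findings are expected here).
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_nagios_booleans || true
```

       On a live system, run getsebool -a | audit_nagios_booleans and review
       each DEVIATION line before changing anything with setsebool -P.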

MANAGED FILES

       The SELinux process type nagios_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       nagios_log_t

            /var/log/icinga(/.*)?
            /var/log/nagios(/.*)?
            /var/log/netsaint(/.*)?
            /var/log/pnp4nagios(/.*)?

       nagios_spool_t

            /var/spool/icinga(/.*)?
            /var/spool/nagios(/.*)?

       nagios_tmp_t

       nagios_var_lib_t

            /usr/lib/pnp4nagios(/.*)?
            /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

            /var/run/nagios.*

       nfs_t

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       sudo_db_t

            /var/db/sudo(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux nagios policy is very flexible, allowing users to set up their
       nagios processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for nagios. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t nagios_ra_content_t '/srv/mynagios_content(/.*)?'
       restorecon -R -v /srv/mynagios_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for nagios:

       nagios_admin_plugin_exec_t

       - Set files with the nagios_admin_plugin_exec_t type, if you want to
       transition an executable to the nagios_admin_plugin_t domain.

       nagios_checkdisk_plugin_exec_t

       - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
       to transition an executable to the nagios_checkdisk_plugin_t domain.

       Paths:
            /usr/lib/nagios/plugins/check_disk,
            /usr/lib/nagios/plugins/check_disk_smb,
            /usr/lib/nagios/plugins/check_ide_smart,
            /usr/lib/nagios/plugins/check_linux_raid

       nagios_content_t

       - Set files with the nagios_content_t type, if you want to treat the
       files as nagios content.

       nagios_etc_t

       - Set files with the nagios_etc_t type, if you want to store nagios
       files in the /etc directories.

       Paths:
            /etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?

       nagios_eventhandler_plugin_exec_t

       - Set files with the nagios_eventhandler_plugin_exec_t type, if you
       want to transition an executable to the nagios_eventhandler_plugin_t
       domain.

       Paths:
            /usr/lib/icinga/plugins/eventhandlers(/.*),
            /usr/lib/nagios/plugins/eventhandlers(/.*)

       nagios_eventhandler_plugin_tmp_t

       - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
       to store nagios eventhandler plugin temporary files in the /tmp
       directories.

       nagios_exec_t

       - Set files with the nagios_exec_t type, if you want to transition an
       executable to the nagios_t domain.

       Paths:
            /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga,
            /usr/sbin/nagios

       nagios_htaccess_t

       - Set files with the nagios_htaccess_t type, if you want to treat the
       file as a nagios access file.

       nagios_initrc_exec_t

       - Set files with the nagios_initrc_exec_t type, if you want to
       transition an executable to the nagios_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios

       nagios_log_t

       - Set files with the nagios_log_t type, if you want to treat the data
       as nagios log data, usually stored under the /var/log directory.

       Paths:
            /var/log/icinga(/.*)?, /var/log/nagios(/.*)?,
            /var/log/netsaint(/.*)?, /var/log/pnp4nagios(/.*)?

       nagios_mail_plugin_exec_t

       - Set files with the nagios_mail_plugin_exec_t type, if you want to
       transition an executable to the nagios_mail_plugin_t domain.

       nagios_openshift_plugin_exec_t

       - Set files with the nagios_openshift_plugin_exec_t type, if you want
       to transition an executable to the nagios_openshift_plugin_t domain.

       Paths:
            /usr/lib64/nagios/plugins/check_node_accept_status,
            /usr/lib64/nagios/plugins/check_number_openshift_apps

       nagios_openshift_plugin_tmp_t

       - Set files with the nagios_openshift_plugin_tmp_t type, if you want to
       store nagios openshift plugin temporary files in the /tmp directories.

       nagios_ra_content_t

       - Set files with the nagios_ra_content_t type, if you want to treat the
       files as nagios read/append content.

       nagios_rw_content_t

       - Set files with the nagios_rw_content_t type, if you want to treat the
       files as nagios read/write content.

       nagios_script_exec_t

       - Set files with the nagios_script_exec_t type, if you want to
       transition an executable to the nagios_script_t domain.

       Paths:
            /usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
            /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
            /usr/lib/cgi-bin/netsaint(/.*)?

       nagios_services_plugin_exec_t

       - Set files with the nagios_services_plugin_exec_t type, if you want to
       transition an executable to the nagios_services_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_nt,
            /usr/lib(64)?/nagios/plugins/check_dig,
            /usr/lib(64)?/nagios/plugins/check_dns,
            /usr/lib(64)?/nagios/plugins/check_rpc,
            /usr/lib(64)?/nagios/plugins/check_sip,
            /usr/lib(64)?/nagios/plugins/check_ssh,
            /usr/lib(64)?/nagios/plugins/check_tcp,
            /usr/lib(64)?/nagios/plugins/check_ups,
            /usr/lib(64)?/nagios/plugins/check_dhcp,
            /usr/lib(64)?/nagios/plugins/check_game,
            /usr/lib(64)?/nagios/plugins/check_hpjd,
            /usr/lib(64)?/nagios/plugins/check_http,
            /usr/lib(64)?/nagios/plugins/check_icmp,
            /usr/lib(64)?/nagios/plugins/check_ircd,
            /usr/lib(64)?/nagios/plugins/check_ldap,
            /usr/lib(64)?/nagios/plugins/check_nrpe,
            /usr/lib(64)?/nagios/plugins/check_ping,
            /usr/lib(64)?/nagios/plugins/check_real,
            /usr/lib(64)?/nagios/plugins/check_smtp,
            /usr/lib(64)?/nagios/plugins/check_time,
            /usr/lib(64)?/nagios/plugins/check_dummy,
            /usr/lib(64)?/nagios/plugins/check_fping,
            /usr/lib(64)?/nagios/plugins/check_mysql,
            /usr/lib(64)?/nagios/plugins/check_ntp.*,
            /usr/lib(64)?/nagios/plugins/check_pgsql,
            /usr/lib(64)?/nagios/plugins/check_breeze,
            /usr/lib(64)?/nagios/plugins/check_oracle,
            /usr/lib(64)?/nagios/plugins/check_radius,
            /usr/lib(64)?/nagios/plugins/check_snmp.*,
            /usr/lib(64)?/nagios/plugins/check_cluster,
            /usr/lib(64)?/nagios/plugins/check_mysql_query

       nagios_spool_t

       - Set files with the nagios_spool_t type, if you want to store the
       nagios files under the /var/spool directory.

       Paths:
            /var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?

       nagios_system_plugin_exec_t

       - Set files with the nagios_system_plugin_exec_t type, if you want to
       transition an executable to the nagios_system_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_log,
            /usr/lib(64)?/nagios/plugins/check_load,
            /usr/lib(64)?/nagios/plugins/check_mrtg,
            /usr/lib(64)?/nagios/plugins/check_swap,
            /usr/lib(64)?/nagios/plugins/check_wave,
            /usr/lib(64)?/nagios/plugins/check_procs,
            /usr/lib(64)?/nagios/plugins/check_users,
            /usr/lib(64)?/nagios/plugins/check_flexlm,
            /usr/lib(64)?/nagios/plugins/check_nagios,
            /usr/lib(64)?/nagios/plugins/check_nwstat,
            /usr/lib(64)?/nagios/plugins/check_overcr,
            /usr/lib(64)?/nagios/plugins/check_sensors,
            /usr/lib(64)?/nagios/plugins/check_ifstatus,
            /usr/lib(64)?/nagios/plugins/check_mrtgtraf,
            /usr/lib(64)?/nagios/plugins/check_ifoperstatus

       nagios_system_plugin_tmp_t

       - Set files with the nagios_system_plugin_tmp_t type, if you want to
       store nagios system plugin temporary files in the /tmp directories.

       nagios_tmp_t

       - Set files with the nagios_tmp_t type, if you want to store nagios
       temporary files in the /tmp directories.

       nagios_unconfined_plugin_exec_t

       - Set files with the nagios_unconfined_plugin_exec_t type, if you want
       to transition an executable to the nagios_unconfined_plugin_t domain.

       nagios_var_lib_t

       - Set files with the nagios_var_lib_t type, if you want to store the
       nagios files under the /var/lib directory.

       Paths:
            /usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

       - Set files with the nagios_var_run_t type, if you want to store the
       nagios files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
       nagios_checkdisk_plugin_selinux(8),
       nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
       nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
       nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
       nagios_unconfined_plugin_selinux(8)
nagios                             21-11-19                  nagios_selinux(8)