nagios_selinux(8) SELinux Policy nagios nagios_selinux(8)

nagios_selinux - Security Enhanced Linux Policy for the nagios processes

Security-Enhanced Linux secures the nagios processes via flexible
mandatory access control.

The nagios processes execute with the nagios_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep nagios_t

The nagios_t SELinux type can be entered via the nagios_exec_t file
type.

The default entrypoint paths for the nagios_t domain are the following:

/usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
nagios policy is very flexible, allowing users to set up their nagios
processes in as secure a method as possible.

The following process types are defined for nagios:

nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t, nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t, nagios_openshift_plugin_t, nagios_script_t

Note: semanage permissive -a nagios_t can be used to make the process
type nagios_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

SELinux policy is customizable based on least access required. nagios
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run nagios with the tightest access possible.

If you want to allow nagios to run in conjunction with PNP4Nagios, you
must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

setsebool -P nagios_run_pnp4nagios 1

If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
you must turn on the nagios_run_sudo boolean. Disabled by default.

setsebool -P nagios_run_sudo 1

If you want to determine whether Nagios, NRPE can access nfs file
systems, you must turn on the nagios_use_nfs boolean. Disabled by default.

setsebool -P nagios_use_nfs 1

If you want to dontaudit all daemons scheduling requests (setsched,
sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

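To see which of the booleans above differ from the defaults this page states, the following added example (not part of the generated manual page) checks `getsebool -a` style output against them. The function names and the sample state are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare boolean states with the defaults stated on this page.
# Input lines use the `getsebool -a` format: "<name> --> on|off".

# Defaults as documented above (name=default).
PAGE_DEFAULTS="nagios_run_pnp4nagios=off nagios_run_sudo=off nagios_use_nfs=off"
PAGE_DEFAULTS="$PAGE_DEFAULTS daemons_dontaudit_scheduling=on fips_mode=on nis_enabled=off"

# audit_booleans: read getsebool-style lines on stdin and print one line for
# each documented boolean that is absent or differs from the page default.
audit_booleans() {
    awk -v defaults="$PAGE_DEFAULTS" '
    BEGIN {
        n = split(defaults, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            want[kv[1]] = kv[2]
            order[i] = kv[1]
        }
    }
    # Only record booleans this page documents; ignore everything else.
    $2 == "-->" && ($1 in want) { have[$1] = $3 }
    END {
        for (i = 1; i <= n; i++) {
            b = order[i]
            if (!(b in have)) {
                printf "MISSING %s\n", b
            } else if (have[b] != want[b]) {
                printf "CHANGED %s default=%s current=%s\n", b, want[b], have[b]
            }
        }
    }'
}

# Constructed sample state, not captured from a real host.
sample_state() {
    cat <<'EOF'
daemons_dontaudit_scheduling --> on
fips_mode --> on
httpd_can_network_connect --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> on
EOF
}

# On a live system: getsebool -a | audit_booleans
sample_state | audit_booleans
```

A CHANGED line for nagios_run_sudo or nagios_use_nfs means the nagios domains have been granted access beyond the policy default and the change should be traceable to a documented need.
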
The SELinux process type nagios_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

lastlog_t

/var/log/lastlog.*

nagios_log_t

/var/log/icinga(/.*)?
/var/log/nagios(/.*)?
/var/log/netsaint(/.*)?
/var/log/pnp4nagios(/.*)?

nagios_spool_t

/var/spool/icinga(/.*)?
/var/spool/nagios(/.*)?

nagios_tmp_t

nagios_var_lib_t

/usr/lib/pnp4nagios(/.*)?
/var/lib/pnp4nagios(/.*)?

nagios_var_run_t

/var/run/nagios.*

nfs_t

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

sudo_db_t

/var/db/sudo(/.*)?

systemd_passwd_var_run_t

/var/run/systemd/ask-password(/.*)?
/var/run/systemd/ask-password-block(/.*)?

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux nagios policy is very flexible, allowing users to set up their
nagios processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for nagios. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t nagios_exec_t '/srv/mynagios_content(/.*)?'
restorecon -R -v /srv/mynagios_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for nagios:

nagios_admin_plugin_exec_t

- Set files with the nagios_admin_plugin_exec_t type, if you want to
transition an executable to the nagios_admin_plugin_t domain.

nagios_checkdisk_plugin_exec_t

- Set files with the nagios_checkdisk_plugin_exec_t type, if you want
to transition an executable to the nagios_checkdisk_plugin_t domain.

Paths:
/usr/lib/nagios/plugins/check_disk,
/usr/lib/nagios/plugins/check_disk_smb,
/usr/lib/nagios/plugins/check_ide_smart,
/usr/lib/nagios/plugins/check_linux_raid

nagios_content_t

- Set files with the nagios_content_t type, if you want to treat the
files as nagios content.

nagios_etc_t

- Set files with the nagios_etc_t type, if you want to store nagios
files in the /etc directories.

Paths:
/etc/icinga(/.*)?, /etc/nagios(/.*)?, /etc/pnp4nagios(/.*)?

nagios_eventhandler_plugin_exec_t

- Set files with the nagios_eventhandler_plugin_exec_t type, if you
want to transition an executable to the nagios_eventhandler_plugin_t
domain.

Paths:
/usr/lib/icinga/plugins/eventhandlers(/.*),
/usr/lib/nagios/plugins/eventhandlers(/.*)

nagios_eventhandler_plugin_tmp_t

- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
to store nagios eventhandler plugin temporary files in the /tmp
directories.

nagios_exec_t

- Set files with the nagios_exec_t type, if you want to transition an
executable to the nagios_t domain.

Paths:
/usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

nagios_htaccess_t

- Set files with the nagios_htaccess_t type, if you want to treat the
file as a nagios access file.

nagios_initrc_exec_t

- Set files with the nagios_initrc_exec_t type, if you want to
transition an executable to the nagios_initrc_t domain.

Paths:
/etc/rc.d/init.d/nrpe, /etc/rc.d/init.d/nagios

nagios_log_t

- Set files with the nagios_log_t type, if you want to treat the data
as nagios log data, usually stored under the /var/log directory.

Paths:
/var/log/icinga(/.*)?, /var/log/nagios(/.*)?,
/var/log/netsaint(/.*)?, /var/log/pnp4nagios(/.*)?

nagios_mail_plugin_exec_t

- Set files with the nagios_mail_plugin_exec_t type, if you want to
transition an executable to the nagios_mail_plugin_t domain.

nagios_openshift_plugin_exec_t

- Set files with the nagios_openshift_plugin_exec_t type, if you want
to transition an executable to the nagios_openshift_plugin_t domain.

Paths:
/usr/lib64/nagios/plugins/check_node_accept_status,
/usr/lib64/nagios/plugins/check_number_openshift_apps

nagios_openshift_plugin_tmp_t

- Set files with the nagios_openshift_plugin_tmp_t type, if you want to
store nagios openshift plugin temporary files in the /tmp directories.

nagios_ra_content_t

- Set files with the nagios_ra_content_t type, if you want to treat the
files as nagios read/append content.

nagios_rw_content_t

- Set files with the nagios_rw_content_t type, if you want to treat the
files as nagios read/write content.

nagios_script_exec_t

- Set files with the nagios_script_exec_t type, if you want to
transition an executable to the nagios_script_t domain.

Paths:
/usr/lib/icinga/cgi(/.*)?, /usr/lib/nagios/cgi(/.*)?,
/usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?,
/usr/lib/cgi-bin/netsaint(/.*)?

nagios_services_plugin_exec_t

- Set files with the nagios_services_plugin_exec_t type, if you want to
transition an executable to the nagios_services_plugin_t domain.

Paths:
/usr/lib(64)?/nagios/plugins/check_nt,
/usr/lib(64)?/nagios/plugins/check_dig,
/usr/lib(64)?/nagios/plugins/check_dns,
/usr/lib(64)?/nagios/plugins/check_rpc,
/usr/lib(64)?/nagios/plugins/check_sip,
/usr/lib(64)?/nagios/plugins/check_ssh,
/usr/lib(64)?/nagios/plugins/check_tcp,
/usr/lib(64)?/nagios/plugins/check_ups,
/usr/lib(64)?/nagios/plugins/check_dhcp,
/usr/lib(64)?/nagios/plugins/check_game,
/usr/lib(64)?/nagios/plugins/check_hpjd,
/usr/lib(64)?/nagios/plugins/check_http,
/usr/lib(64)?/nagios/plugins/check_icmp,
/usr/lib(64)?/nagios/plugins/check_ircd,
/usr/lib(64)?/nagios/plugins/check_ldap,
/usr/lib(64)?/nagios/plugins/check_nrpe,
/usr/lib(64)?/nagios/plugins/check_ping,
/usr/lib(64)?/nagios/plugins/check_real,
/usr/lib(64)?/nagios/plugins/check_smtp,
/usr/lib(64)?/nagios/plugins/check_time,
/usr/lib(64)?/nagios/plugins/check_dummy,
/usr/lib(64)?/nagios/plugins/check_fping,
/usr/lib(64)?/nagios/plugins/check_mysql,
/usr/lib(64)?/nagios/plugins/check_ntp.*,
/usr/lib(64)?/nagios/plugins/check_pgsql,
/usr/lib(64)?/nagios/plugins/check_breeze,
/usr/lib(64)?/nagios/plugins/check_oracle,
/usr/lib(64)?/nagios/plugins/check_radius,
/usr/lib(64)?/nagios/plugins/check_snmp.*,
/usr/lib(64)?/nagios/plugins/check_cluster,
/usr/lib(64)?/nagios/plugins/check_mysql_query

nagios_spool_t

- Set files with the nagios_spool_t type, if you want to store the
nagios files under the /var/spool directory.

Paths:
/var/spool/icinga(/.*)?, /var/spool/nagios(/.*)?

nagios_system_plugin_exec_t

- Set files with the nagios_system_plugin_exec_t type, if you want to
transition an executable to the nagios_system_plugin_t domain.

Paths:
/usr/lib(64)?/nagios/plugins/check_log,
/usr/lib(64)?/nagios/plugins/check_load,
/usr/lib(64)?/nagios/plugins/check_mrtg,
/usr/lib(64)?/nagios/plugins/check_swap,
/usr/lib(64)?/nagios/plugins/check_wave,
/usr/lib(64)?/nagios/plugins/check_procs,
/usr/lib(64)?/nagios/plugins/check_users,
/usr/lib(64)?/nagios/plugins/check_flexlm,
/usr/lib(64)?/nagios/plugins/check_nagios,
/usr/lib(64)?/nagios/plugins/check_nwstat,
/usr/lib(64)?/nagios/plugins/check_overcr,
/usr/lib(64)?/nagios/plugins/check_sensors,
/usr/lib(64)?/nagios/plugins/check_ifstatus,
/usr/lib(64)?/nagios/plugins/check_mrtgtraf,
/usr/lib(64)?/nagios/plugins/check_ifoperstatus

nagios_system_plugin_tmp_t

- Set files with the nagios_system_plugin_tmp_t type, if you want to
store nagios system plugin temporary files in the /tmp directories.

nagios_tmp_t

- Set files with the nagios_tmp_t type, if you want to store nagios
temporary files in the /tmp directories.

nagios_unconfined_plugin_exec_t

- Set files with the nagios_unconfined_plugin_exec_t type, if you want
to transition an executable to the nagios_unconfined_plugin_t domain.

nagios_var_lib_t

- Set files with the nagios_var_lib_t type, if you want to store the
nagios files under the /var/lib directory.

Paths:
/usr/lib/pnp4nagios(/.*)?, /var/lib/pnp4nagios(/.*)?

nagios_var_run_t

- Set files with the nagios_var_run_t type, if you want to store the
nagios files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
nagios_checkdisk_plugin_selinux(8),
nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
nagios_unconfined_plugin_selinux(8)

nagios 23-10-20 nagios_selinux(8)