nagios_selinux(8)            SELinux Policy nagios           nagios_selinux(8)

NAME

       nagios_selinux - Security Enhanced Linux Policy for the nagios
       processes

DESCRIPTION

       Security-Enhanced Linux secures the nagios processes via flexible
       mandatory access control.

       The nagios processes execute with the nagios_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep nagios_t

ENTRYPOINTS

       The nagios_t SELinux type can be entered via the nagios_exec_t file
       type.

       The default entrypoint paths for the nagios_t domain are the following:

       /usr/bin/icinga, /usr/bin/nagios, /usr/sbin/icinga, /usr/sbin/nagios

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       nagios policy is very flexible, allowing users to set up their nagios
       processes as securely as possible.

       The following process types are defined for nagios:

       nagios_t, nagios_admin_plugin_t, nagios_checkdisk_plugin_t,
       nagios_mail_plugin_t, nagios_services_plugin_t, nagios_system_plugin_t,
       nagios_unconfined_plugin_t, nagios_eventhandler_plugin_t,
       nagios_openshift_plugin_t, nagios_script_t

       Note: semanage permissive -a nagios_t can be used to make the process
       type nagios_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. nagios
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run nagios with the tightest access possible.

       If you want to allow nagios to run in conjunction with PNP4Nagios, you
       must turn on the nagios_run_pnp4nagios boolean. Disabled by default.

       setsebool -P nagios_run_pnp4nagios 1

       If you want to allow nagios/nrpe to call sudo from NRPE utils scripts,
       you must turn on the nagios_run_sudo boolean. Disabled by default.

       setsebool -P nagios_run_sudo 1

       If you want to determine whether Nagios and NRPE can access NFS file
       systems, you must turn on the nagios_use_nfs boolean. Disabled by
       default.

       setsebool -P nagios_use_nfs 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1
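
An added example, not part of the generated man page: a POSIX shell check that reads getsebool -a style output and reports every boolean from this section whose state differs from the default stated above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: drift check for the booleans documented in this section.

# "name default" pairs, taken from the "by default" statements above.
nagios_boolean_defaults() {
    cat <<'EOF'
nagios_run_pnp4nagios off
nagios_run_sudo off
nagios_use_nfs off
daemons_dontaudit_scheduling on
fips_mode on
nis_enabled off
EOF
}

# Read "name --> on|off" lines (the getsebool -a format) on stdin and print
# "name state (default X)" for each listed boolean that is not at its default.
# The body runs in a subshell so the loop variables stay local.
nagios_boolean_drift() (
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        want=$(nagios_boolean_defaults | awk -v n="$name" '$1 == n { print $2 }')
        if [ -n "$want" ] && [ "$state" != "$want" ]; then
            printf '%s %s (default %s)\n' "$name" "$state" "$want"
        fi
    done
)

# Constructed sample input, so the check can be run on a host without SELinux.
sample_getsebool_output() {
    cat <<'EOF'
daemons_dontaudit_scheduling --> on
fips_mode --> on
httpd_can_network_connect --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> off
nis_enabled --> off
EOF
}

sample_getsebool_output | nagios_boolean_drift
```

On a live host, pipe the real state in with: getsebool -a | nagios_boolean_drift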

MANAGED FILES

       The SELinux process type nagios_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       nagios_log_t

            /var/log/icinga(/.*)?
            /var/log/nagios(/.*)?
            /var/log/netsaint(/.*)?
            /var/log/pnp4nagios(/.*)?

       nagios_spool_t

            /var/spool/icinga(/.*)?
            /var/spool/nagios(/.*)?

       nagios_tmp_t


       nagios_var_lib_t

            /usr/lib/pnp4nagios(/.*)?
            /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

            /var/run/nagios.*

       nfs_t


       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       sudo_db_t

            /var/db/sudo(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux nagios policy is very flexible, allowing users to set up their
       nagios processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for nagios. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t nagios_exec_t '/srv/nagios/content(/.*)?'
       restorecon -R -v /srv/nagios/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for nagios:

       nagios_admin_plugin_exec_t

       - Set files with the nagios_admin_plugin_exec_t type, if you want to
       transition an executable to the nagios_admin_plugin_t domain.

       nagios_checkdisk_plugin_exec_t

       - Set files with the nagios_checkdisk_plugin_exec_t type, if you want
       to transition an executable to the nagios_checkdisk_plugin_t domain.

       Paths:
            /usr/lib/nagios/plugins/check_disk
            /usr/lib/nagios/plugins/check_disk_smb
            /usr/lib/nagios/plugins/check_ide_smart
            /usr/lib/nagios/plugins/check_linux_raid

       nagios_content_t

       - Set files with the nagios_content_t type, if you want to treat the
       files as nagios content.

       nagios_etc_t

       - Set files with the nagios_etc_t type, if you want to store nagios
       files in the /etc directories.

       Paths:
            /etc/icinga(/.*)?
            /etc/nagios(/.*)?
            /etc/pnp4nagios(/.*)?

       nagios_eventhandler_plugin_exec_t

       - Set files with the nagios_eventhandler_plugin_exec_t type, if you
       want to transition an executable to the nagios_eventhandler_plugin_t
       domain.

       Paths:
            /usr/lib/icinga/plugins/eventhandlers(/.*)
            /usr/lib/nagios/plugins/eventhandlers(/.*)

       nagios_eventhandler_plugin_tmp_t

       - Set files with the nagios_eventhandler_plugin_tmp_t type, if you want
       to store nagios eventhandler plugin temporary files in the /tmp
       directories.

       nagios_exec_t

       - Set files with the nagios_exec_t type, if you want to transition an
       executable to the nagios_t domain.

       Paths:
            /usr/bin/icinga
            /usr/bin/nagios
            /usr/sbin/icinga
            /usr/sbin/nagios

       nagios_htaccess_t

       - Set files with the nagios_htaccess_t type, if you want to treat the
       file as a nagios access file.

       nagios_initrc_exec_t

       - Set files with the nagios_initrc_exec_t type, if you want to
       transition an executable to the nagios_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/nrpe
            /etc/rc.d/init.d/nagios

       nagios_log_t

       - Set files with the nagios_log_t type, if you want to treat the data
       as nagios log data, usually stored under the /var/log directory.

       Paths:
            /var/log/icinga(/.*)?
            /var/log/nagios(/.*)?
            /var/log/netsaint(/.*)?
            /var/log/pnp4nagios(/.*)?

       nagios_mail_plugin_exec_t

       - Set files with the nagios_mail_plugin_exec_t type, if you want to
       transition an executable to the nagios_mail_plugin_t domain.

       nagios_openshift_plugin_exec_t

       - Set files with the nagios_openshift_plugin_exec_t type, if you want
       to transition an executable to the nagios_openshift_plugin_t domain.

       Paths:
            /usr/lib64/nagios/plugins/check_node_accept_status
            /usr/lib64/nagios/plugins/check_number_openshift_apps

       nagios_openshift_plugin_tmp_t

       - Set files with the nagios_openshift_plugin_tmp_t type, if you want to
       store nagios openshift plugin temporary files in the /tmp directories.

       nagios_ra_content_t

       - Set files with the nagios_ra_content_t type, if you want to treat the
       files as nagios read/append content.

       nagios_rw_content_t

       - Set files with the nagios_rw_content_t type, if you want to treat the
       files as nagios read/write content.

       nagios_script_exec_t

       - Set files with the nagios_script_exec_t type, if you want to
       transition an executable to the nagios_script_t domain.

       Paths:
            /usr/lib/icinga/cgi(/.*)?
            /usr/lib/nagios/cgi(/.*)?
            /usr/lib/cgi-bin/nagios(/.+)?
            /usr/lib/nagios/cgi-bin(/.*)?
            /usr/lib/cgi-bin/netsaint(/.*)?

       nagios_services_plugin_exec_t

       - Set files with the nagios_services_plugin_exec_t type, if you want to
       transition an executable to the nagios_services_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_nt
            /usr/lib(64)?/nagios/plugins/check_dig
            /usr/lib(64)?/nagios/plugins/check_dns
            /usr/lib(64)?/nagios/plugins/check_rpc
            /usr/lib(64)?/nagios/plugins/check_sip
            /usr/lib(64)?/nagios/plugins/check_ssh
            /usr/lib(64)?/nagios/plugins/check_tcp
            /usr/lib(64)?/nagios/plugins/check_ups
            /usr/lib(64)?/nagios/plugins/check_dhcp
            /usr/lib(64)?/nagios/plugins/check_game
            /usr/lib(64)?/nagios/plugins/check_hpjd
            /usr/lib(64)?/nagios/plugins/check_http
            /usr/lib(64)?/nagios/plugins/check_icmp
            /usr/lib(64)?/nagios/plugins/check_ircd
            /usr/lib(64)?/nagios/plugins/check_ldap
            /usr/lib(64)?/nagios/plugins/check_nrpe
            /usr/lib(64)?/nagios/plugins/check_ping
            /usr/lib(64)?/nagios/plugins/check_real
            /usr/lib(64)?/nagios/plugins/check_smtp
            /usr/lib(64)?/nagios/plugins/check_time
            /usr/lib(64)?/nagios/plugins/check_dummy
            /usr/lib(64)?/nagios/plugins/check_fping
            /usr/lib(64)?/nagios/plugins/check_mysql
            /usr/lib(64)?/nagios/plugins/check_ntp.*
            /usr/lib(64)?/nagios/plugins/check_pgsql
            /usr/lib(64)?/nagios/plugins/check_breeze
            /usr/lib(64)?/nagios/plugins/check_oracle
            /usr/lib(64)?/nagios/plugins/check_radius
            /usr/lib(64)?/nagios/plugins/check_snmp.*
            /usr/lib(64)?/nagios/plugins/check_cluster
            /usr/lib(64)?/nagios/plugins/check_mysql_query

       nagios_spool_t

       - Set files with the nagios_spool_t type, if you want to store the
       nagios files under the /var/spool directory.

       Paths:
            /var/spool/icinga(/.*)?
            /var/spool/nagios(/.*)?

       nagios_system_plugin_exec_t

       - Set files with the nagios_system_plugin_exec_t type, if you want to
       transition an executable to the nagios_system_plugin_t domain.

       Paths:
            /usr/lib(64)?/nagios/plugins/check_log
            /usr/lib(64)?/nagios/plugins/check_load
            /usr/lib(64)?/nagios/plugins/check_mrtg
            /usr/lib(64)?/nagios/plugins/check_swap
            /usr/lib(64)?/nagios/plugins/check_wave
            /usr/lib(64)?/nagios/plugins/check_procs
            /usr/lib(64)?/nagios/plugins/check_users
            /usr/lib(64)?/nagios/plugins/check_flexlm
            /usr/lib(64)?/nagios/plugins/check_nagios
            /usr/lib(64)?/nagios/plugins/check_nwstat
            /usr/lib(64)?/nagios/plugins/check_overcr
            /usr/lib(64)?/nagios/plugins/check_sensors
            /usr/lib(64)?/nagios/plugins/check_ifstatus
            /usr/lib(64)?/nagios/plugins/check_mrtgtraf
            /usr/lib(64)?/nagios/plugins/check_ifoperstatus

       nagios_system_plugin_tmp_t

       - Set files with the nagios_system_plugin_tmp_t type, if you want to
       store nagios system plugin temporary files in the /tmp directories.

       nagios_tmp_t

       - Set files with the nagios_tmp_t type, if you want to store nagios
       temporary files in the /tmp directories.

       nagios_unconfined_plugin_exec_t

       - Set files with the nagios_unconfined_plugin_exec_t type, if you want
       to transition an executable to the nagios_unconfined_plugin_t domain.

       nagios_var_lib_t

       - Set files with the nagios_var_lib_t type, if you want to store the
       nagios files under the /var/lib directory.

       Paths:
            /usr/lib/pnp4nagios(/.*)?
            /var/lib/pnp4nagios(/.*)?

       nagios_var_run_t

       - Set files with the nagios_var_run_t type, if you want to store the
       nagios files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
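
An added example, not part of the generated man page: a POSIX shell function that matches a path against a subset of the default patterns listed above, anchoring each regular expression at both ends as file-context matching does. The function names and the /opt path are assumptions made for illustration; on a live system matchpathcon or restorecon -n -v give the authoritative answer from the full installed policy.

```shell
#!/bin/sh
# Added example: which nagios file type would a path receive by default?

# "type pattern" pairs copied from the Paths: lists above. This is a subset,
# so a path reported as unmatched may still be labeled by the full policy.
nagios_fcontext_rules() {
    cat <<'EOF'
nagios_exec_t /usr/sbin/nagios
nagios_etc_t /etc/nagios(/.*)?
nagios_log_t /var/log/nagios(/.*)?
nagios_spool_t /var/spool/nagios(/.*)?
nagios_script_exec_t /usr/lib/nagios/cgi(/.*)?
nagios_checkdisk_plugin_exec_t /usr/lib/nagios/plugins/check_disk
nagios_eventhandler_plugin_exec_t /usr/lib/nagios/plugins/eventhandlers(/.*)
nagios_services_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_http
nagios_services_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_ntp.*
nagios_system_plugin_exec_t /usr/lib(64)?/nagios/plugins/check_load
EOF
}

# Print the type of the first rule whose pattern matches the WHOLE path
# (grep -x anchors the extended regex at both ends), or "unmatched".
nagios_type_for() {
    nagios_fcontext_rules | (
        while read -r type pattern; do
            if printf '%s\n' "$1" | grep -Eqx -- "$pattern"; then
                printf '%s\n' "$type"
                exit 0
            fi
        done
        printf 'unmatched\n'
    )
}

# Constructed sample paths. The eventhandlers pattern ends in (/.*) with no
# "?", so the directory itself is not matched, only entries below it. A plugin
# copied to a site-local directory matches none of the default patterns, so
# it needs its own semanage fcontext rule before it can get a plugin type.
for p in /etc/nagios/objects/hosts.cfg \
         /usr/lib64/nagios/plugins/check_ntp_peer \
         /usr/lib/nagios/plugins/eventhandlers \
         /usr/lib/nagios/plugins/eventhandlers/restart-httpd \
         /opt/monitoring/plugins/check_disk; do
    printf '%-52s %s\n' "$p" "$(nagios_type_for "$p")"
done
```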

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), nagios_admin_plugin_selinux(8),
       nagios_checkdisk_plugin_selinux(8),
       nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8),
       nagios_openshift_plugin_selinux(8), nagios_script_selinux(8),
       nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8),
       nagios_unconfined_plugin_selinux(8)

nagios                             23-10-20                  nagios_selinux(8)