Our environment requires us to have SELinux enabled for security reasons. With it enabled, I receive "Elasticsearch Database Offline" when trying to access the Nagios Logserver through a browser. Restarting the elasticsearch service yields the same result. Is it possible to have NagiosLS run with SELinux enabled? - Thank you
Required to have SELinux enabled on NagiosLS
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Required to have SELinux enabled on NagiosLS
Hi @cjsGSb,
Presently, we don't have an official SELinux policy package for Nagios Log Server, and operating in enforcing mode is not supported as we don't develop and test with this enabled.
Let me know if you have any questions or comments.
Thanks.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Required to have SELinux enabled on NagiosLS
Ok - looks like I was able to get around this somewhat using audit2allow.
So far so good
https://access.redhat.com/documentation ... udit2allow
Does Nagios plan on supporting SELinux in the future?
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Required to have SELinux enabled on NagiosLS
Hi @cjsGSB,
Currently, it's not on the NLS roadmap and as far as future support, I don't really have a definite answer at this time.
Good to know, and appreciate any feedback on setting this up.
Re: Required to have SELinux enabled on NagiosLS
Running a RHEL 6.9 VM
Needed to first install policycoreutils-python:
    # yum install policycoreutils-python
Used the following as a guide to create the policy. My denial message dealt with httpd.
The following example demonstrates using audit2allow to create a policy module:
1. A denial message and the associated system call are logged to the /var/log/audit/audit.log file:
    type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
    type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
   In this example, certwatch was denied the write access to a directory labeled with the var_t type. Analyze the denial message as per Section 10.10.3.7, “sealert Messages”. If no label changes or Booleans allowed access, use audit2allow to create a local policy module.
2. Run the following command to produce a human-readable description of why the access was denied. The audit2allow utility reads /var/log/audit/audit.log, and as such, must be run as the root user:
    ~]# audit2allow -w -a
    type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
        Was caused by:
            Missing type enforcement (TE) allow rule.
            You can use audit2allow to generate a loadable module to allow this access.
   The -a command-line option causes all audit logs to be read. The -w option produces the human-readable description. As shown, access was denied due to a missing Type Enforcement rule.
3. Run the following command to view the Type Enforcement rule that allows the denied access:
    ~]# audit2allow -a
    #============= certwatch_t ==============
    allow certwatch_t var_t:dir write;
   Important
   Missing Type Enforcement rules are usually caused by bugs in the SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora, create bugs against the Fedora product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports.
4. To use the rule displayed by audit2allow -a, run the following command as root to create a custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M, in your current working directory:
    ~]# audit2allow -a -M mycertwatch
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i mycertwatch.pp
   Also, audit2allow compiles the Type Enforcement rule into a policy package (.pp):
    ~]# ls
    mycertwatch.pp mycertwatch.te
To install the module, run the following command as the root:
    ~]# semodule -i mycertwatch.pp
Important
Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review. If you believe there is a bug in the policy, please create a bug in Red Hat Bugzilla.
If you have multiple denial messages from multiple processes, but only want to create a custom policy for a single process, use the grep utility to narrow down the input for audit2allow. The following example demonstrates using grep to only send denial messages related to certwatch through audit2allow:
    ~]# grep certwatch /var/log/audit/audit.log | audit2allow -R -M mycertwatch2
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i mycertwatch2.pp
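An added example, not part of the forum post or of the Red Hat guide it quotes: a shell helper that gives a rough preview, per process, of the allow rules a set of AVC denials translates to, so a module can be scoped to one process (httpd in the poster's case) and reviewed before it is loaded. It is not audit2allow itself; the names avc_rules and sample_log and the two httpd log lines are constructed for illustration, while the certwatch line is the one quoted above.

```shell
#!/bin/sh
# Usage: avc_rules [comm] < audit.log
# Prints one candidate rule per (source type, target type, class),
# merging the permissions seen across all matching denials.
avc_rules() {
    awk -v want="${1:-}" '
    /type=AVC/ && /avc:[ ]+denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            f = $i
            if (f == "{") { inperm = 1; continue }
            if (f == "}") { inperm = 0; continue }
            if (inperm)   { perms = perms " " f; continue }
            if (f ~ /^comm=/)     { comm = f; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if (f ~ /^scontext=/) { split(f, a, ":"); src = a[3] }  # user:role:type:level
            if (f ~ /^tcontext=/) { split(f, a, ":"); tgt = a[3] }
            if (f ~ /^tclass=/)   { cls = f; sub(/^tclass=/, "", cls) }
        }
        if (want != "" && comm != want) next       # keep only the requested process
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END { for (k in rule) print "allow " k " {" rule[k] " };" }
    ' | sort
}

# Sample input: the certwatch denial from the post plus two CONSTRUCTED httpd
# denials (not captured from a Nagios Log Server host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1226270400.100:301): avc: denied { read } for pid=2001 comm="httpd" name="example" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1226270401.200:302): avc: denied { read open } for pid=2001 comm="httpd" name="example" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Preview only what an httpd-scoped module would need to cover.
sample_log | avc_rules httpd
```

Comparing this preview with the .te file that audit2allow -M writes shows whether denials from unrelated processes were swept into the module.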
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Required to have SELinux enabled on NagiosLS