Need your help in setting Nagios/SELinux correctly.
Posted: Tue Jan 10, 2012 10:06 am
Greetings to all!
I installed Nagios Core 3.31 seemingly without any errors on Fedora 15. I just noticed some errors generated by SELinux but I'm unsure as to the correct way to proceed and would appreciate your input. I navigated to: /usr/local/nagios/var/spool/checkresults and found no "checkDNxKVV".
If you want to allow ping to have read write access on the checkDNxKVV file:
You need to change the label on /usr/local/nagios/var/spool/checkresults/checkDNxKVV
# semanage fcontext -a -t FILE_TYPE '/usr/local/nagios/var/spool/checkresults/checkDNxKVV'
where FILE_TYPE is one of the following: nagios_tmp_t, user_cron_spool_t, afs_cache_t, ping_t.
Then execute: restorecon -v '/usr/local/nagios/var/spool/checkresults/checkDNxKVV'
If you want to ignore ping trying to read write access the checkDNxKVV file because you believe it should not need this access:
You should report this as a bug.
You can generate a local policy module to dontaudit this access.
# grep /bin/ping /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
If you believe that ping should be allowed read write access on the checkDNxKVV file by default:
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep ping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
If you believe that cmd.cgi should be allowed getattr access on the nagios.cmd fifo_file by default:
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep cmd.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I would appreciate any information to help me get this working properly without creating any security holes.
Regards,
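The suggested commands pipe everything that matches `grep ping` or `grep cmd.cgi` into audit2allow, so it helps to see exactly which denials that covers before loading a module. The script below is an added example, not part of the original post: it summarizes AVC denials for one exact command name. The log lines are constructed, and the labels usr_t, httpd_nagios_script_t and example_t, the "pinger" process and the /path/to/ placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. All log lines are constructed;
# usr_t, httpd_nagios_script_t and example_t are assumed labels.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1326189960.101:51): avc:  denied  { read write } for  pid=2101 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkDNxKVV" dev=dm-1 ino=1001 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1326190020.202:52): avc:  denied  { read write } for  pid=2188 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkDNxKVV" dev=dm-1 ino=1002 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1326190050.303:53): avc:  denied  { getattr } for  pid=2240 comm="cmd.cgi" path="/path/to/nagios.cmd" dev=dm-1 ino=1003 scontext=system_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file
type=AVC msg=audit(1326190080.404:54): avc:  denied  { write } for  pid=2300 comm="pinger" name="example.sock" dev=dm-1 ino=1004 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=sock_file
EOF
}

# avc_summary COMM: read audit.log text on stdin and print one line per
# unique denial whose comm field is exactly COMM:
#   source_type target_type class permissions
avc_summary() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        comm = ""; st = ""; tt = ""; cls = ""; perms = ""
        # Permissions sit between the braces, e.g. { read write }
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm == want) print st, tt, cls, perms
    }' | sort -u
}

# A plain "grep ping" also picks up the unrelated pinger line (3 matches),
# while the exact-comm summary reports the single distinct ping denial.
sample_log | grep -c ping
sample_log | avc_summary ping       # ping_t usr_t file read,write
sample_log | avc_summary cmd.cgi    # httpd_nagios_script_t usr_t fifo_file getattr
```

On a real system the function reads /var/log/audit/audit.log on stdin. Both suggested audit2allow commands name the module mypol, so installing the second replaces the first; giving each module its own name keeps both rules loaded.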