There are several loose HOWTOs for getting Nagios up and running on CentOS 4.x based systems with SELinux disabled (see for example http://wiki.centos.org/HowTos/Nagios). The concern I faced when reading them was that every guide I found acknowledged there were SELinux issues and advised that the easiest course of action was simply to turn SELinux off. There are several problems with the Apache CGI pages and other Nagios files under SELinux. Those of us wanting to run Nagios in an environment where SELinux is mandatory were more or less left hanging. This blog post serves as a complement to the existing guides, outlining the configuration and other modifications required to run Nagios with SELinux enabled.
First off, suggesting that SELinux should be turned off is poor advice. Sometimes it’s not an option: a public-facing hardened server might have to run SELinux as a requirement of your environment’s security policy. In other instances, it’s just plain silly to turn something as handy as SELinux off. While SELinux can be a curse that makes troubleshooting more difficult, it really is fairly straightforward to modify settings so that a program runs unhindered. So how do we go about modifying our configuration so that the Nagios-related bits play nicely in the SELinux sandbox?
- Adjust the SELinux file context types on the CGI scripts and other Nagios files so they can be executed and read by the SELinux-confined Apache processes (using chcon)
- Set appropriate permissions on files used by both the Nagios daemon and the web-based console (a few chmod’s/chown’s here and there)
- Modify SELinux local policy to allow access to particular files and operations (using audit2allow)
Requirements
- A working Nagios installation.
- Root access to a console.
- SELinux targeted policy source files.
So let’s get cracking…
Install Nagios by following one of the existing guides. I recommend using the DAG YUM repository (ref http://dag.wieers.com/rpm/). Ensure your configuration files are set up correctly and that running nagios -v /etc/nagios/nagios.cfg reports no errors:
Total Warnings: 0
Total Errors: 0
If you were to then start Nagios and browse to the Nagios console website on your server, the homepage would show up but very little else would work. There are a few things we now need to do:
# chcon -R -t httpd_sys_script_exec_t /usr/lib64/nagios/cgi
(If you are working on a 32-bit machine, replace lib64 with lib.)
This will allow Apache to execute the Nagios console CGI scripts.
# touch /var/nagios/status.dat
# chcon -R -t httpd_sys_content_t /var/nagios
This relabels the Nagios temporary and status files that the CGI scripts read (status.dat is created in advance so it gets the label too).
# chcon -R -t httpd_sys_content_t /etc/nagios
This modifies the Nagios configuration files so they can be read by the CGI scripts.
# touch /var/log/nagios/nagios.log
# chcon -R -t httpd_sys_content_t /var/log/nagios
This modifies the Nagios log files so they can be read by the CGI scripts.
Ok, well, that should do it… but it doesn’t! If you now fire up the Nagios service and hit the console, the various pages should work fine; however, none of the service history or statistics will work. This information is collated from the Nagios log file. At this stage you’d think it would work, as we have allowed Apache to read the log file by setting the httpd_sys_content_t type on it.
If you now run # tail /var/log/messages at the console, you will see a warning recorded by the audit subsystem referring to { getattr } on /var/log/nagios/nagios.log. Oddly enough, the SELinux policy prevents Apache from checking the attributes of the file. So how do we resolve this? We need to modify our SELinux policy.
# yum install selinux-policy-targeted-sources
# cd /etc/selinux/targeted/src/policy/domains/misc
Check whether a file called local.te exists. If it does, back it up before proceeding:
# mkdir unused
# cp local.te unused
Now we run an obscure utility to generate a file for us to include in our SELinux policy:
# audit2allow -d -l -o local.te
If we then cat this file, its contents may vary, but the important line will be:
allow httpd_sys_script_t httpd_sys_script_exec_t:fifo_file getattr;
There should not be too much else in the file, unless you have a highly customised system and other programs you have installed are having difficulty with the SELinux policy.
Now we rebuild our SELinux policy including our new local.te file:
# cd /etc/selinux/targeted/src/policy
# make load
A large amount of unimportant text will scroll past on screen; the important part to watch for is at the end:
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 18) to /etc/selinux/targeted/policy/policy.18
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
touch tmp/load
If you see errors, then there was something wrong with the local.te file we created above.
Now start Nagios again and hit your Nagios console website. Everything should be working well and you’re good to go. Questions or comments are welcome. If you are still having difficulty with Nagios after this, I suggest temporarily switching SELinux off (permissive mode):
# setenforce 0
Try the Nagios console again. If it still fails, there is something wrong with your Nagios/Apache configuration. If the Nagios console now works, troubleshoot with # tail /var/log/messages and see what other audit messages are logged, then put SELinux back into enforcing mode with setenforce 1 once the policy has been fixed. If, for example, you did not install Nagios from the DAG repository, then your configuration files, among other things, may be in alternative locations and you will need to adjust the commands above accordingly.
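To verify the relabelling steps above and to make sense of the audit messages when troubleshooting, here is a small check script. It is an added example, not part of the original walkthrough: it assumes the DAG package paths used in this post (LIBDIR=lib64, or lib on 32-bit) and the CentOS 4 format of AVC denials in /var/log/messages; the sample denial line in the test is constructed.

```shell
#!/bin/sh
# Added check script for the Nagios/SELinux steps in this post (not part of the original walkthrough).
# Assumes the DAG package layout used above; set LIBDIR=lib on a 32-bit system.
LIBDIR=${LIBDIR:-lib64}

# Type the walkthrough assigns to each path; returns 1 for a path it does not cover.
expected_type() {
    case "$1" in
        "/usr/$LIBDIR/nagios/cgi")               echo httpd_sys_script_exec_t ;;
        /var/nagios|/etc/nagios|/var/log/nagios) echo httpd_sys_content_t ;;
        *) return 1 ;;
    esac
}
# Type field of a user:role:type[:level] security context, as printed by ls -Z.
type_of_context() { printf '%s\n' "$1" | cut -d: -f3; }

# Current context of a path, tolerating both the old (CentOS 4) and newer ls -Z column layouts.
context_of() {
    ls -dZ "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:object_r:/) { print $i; exit } }'
}

# Compare every relabelled path against the expected type; prints mismatches, returns their count.
check_labels() {
    bad=0
    for p in "/usr/$LIBDIR/nagios/cgi" /var/nagios /etc/nagios /var/log/nagios; do
        want=$(expected_type "$p"); have=$(type_of_context "$(context_of "$p")")
        [ "$have" = "$want" ] || { echo "MISMATCH $p: have '${have:-none}', want $want"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Reduce one AVC denial line to "permission comm target-name source-type target-type class";
# returns 1 for lines that are not denials.
summarize_avc() {
    case "$1" in *"avc: "*"denied"*) ;; *) return 1 ;; esac
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *[{] *\([a-z_]*\) *[}].*/\1/p')
    comm=$(printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    name=$(printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    stype=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    class=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    echo "$perm $comm $name $stype $ttype $class"
}

# Count the denials hitting the CGI domain: this is what audit2allow turns into local.te rules.
scan_denials() {
    grep 'avc: ' "${1:-/var/log/messages}" | grep 'scontext=[^ ]*:httpd_sys_script_t' |
        while IFS= read -r line; do summarize_avc "$line"; done | sort | uniq -c
}
case "${1:-}" in check) check_labels ;; denials) scan_denials "$2" ;; esac
```

Run it as ./nagios-selinux-check.sh check after the chcon steps, and as ./nagios-selinux-check.sh denials /var/log/messages while the console is in permissive mode to see which rules local.te will need.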