Thursday, February 05, 2009

SELinux and Nagios v3

Note: This post was never finished... so it probably contains lots of errors and incorrect information, with one or two grains of useful information.

Now that Nagios has upgraded to v3, I'm going to revisit my SELinux configuration for it. Back when I first started I was somewhat clueless about SELinux (and still greatly so) and I created a lot of really bad policy modules. They were a brute-force approach to fixing the issue using only audit2allow and ignoring labeling issues in the underlying filesystem.

(See my older piece "SELinux - troubleshooting file labeling issues".)

First off, let's use semodule to take a look at what modules are loaded:

# semodule -l | grep "nagios"
nagios 1.1.0
nagios20080426 1.0
nagios20080522 1.0
nagios20080725 1.0


What you see here is the base nagios module as provided by Red Hat/CentOS (nagios 1.1.0) along with three modules that I created using audit2allow. The contents of those modules are immaterial, so I'm going to remove them and recreate the exceptions from scratch.

# semodule -r nagios20080426
# semodule -r nagios20080522
# semodule -r nagios20080725


Now, if I were to start up Nagios right now, it would throw a lot of errors because I have SELinux set to enforcing mode at the moment. So we're going to temporarily put SELinux in "permissive" mode instead of "enforcing" mode. In permissive mode SELinux does not block the access, but it still logs AVC denial messages to /var/log/audit/audit.log, where we can look at them and use audit2allow to create a better exception policy.

# getenforce
Enforcing
# setenforce Permissive
# getenforce
Permissive


Now we can start up Nagios, taking careful note of the time.
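Why the start time matters, as an added example that is not part of the original post: the helper below keeps only AVC records logged at or after a noted epoch time and groups them by source type, target type, class and permissions. The function names and the sample records are constructed for illustration; the default path is the audit.log location given above.

```shell
#!/bin/sh
# Added example: summarize AVC denials logged at or after a given start time.
# Record the time first, e.g. START=$(date +%s), then start Nagios.

# summarize_avc START_EPOCH [FILE]   ("-" reads stdin)
# Prints "COUNT source_type -> target_type class { perms }" per unique denial.
summarize_avc() {
    awk -v start="$1" '
    function field(key,    i, kv) {          # value of key=value on this line
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) return substr($i, length(key) + 2)
        }
        return ""
    }
    function ctx_type(ctx,    p) {           # user:role:TYPE:level -> TYPE
        split(ctx, p, ":")
        return p[3]
    }
    /^type=AVC / && / denied / {
        # Event time is the epoch in msg=audit(EPOCH.msec:serial)
        if (!match($0, /audit\([0-9]+/)) next
        if (substr($0, RSTART + 6, RLENGTH - 6) + 0 < start) next
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        sig = ctx_type(field("scontext")) " -> " ctx_type(field("tcontext"))
        sig = sig " " field("tclass") " { " perms " }"
        count[sig]++
    }
    END { for (k in count) print count[k], k }
    ' "${2:-/var/log/audit/audit.log}" | sort -k2
}

# Constructed sample records (not taken from a real Nagios host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1233849500.100:90): avc:  denied  { read } for  pid=2001 comm="httpd" name="old" dev=dm-0 ino=11 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233849601.200:101): avc:  denied  { read write } for  pid=2345 comm="nagios" name="nagios.cmd" dev=dm-0 ino=12 scontext=user_u:system_r:nagios_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1233849601.200:101): arch=40000003 syscall=5 success=yes exit=3 comm="nagios"
type=AVC msg=audit(1233849605.300:102): avc:  denied  { read write } for  pid=2345 comm="nagios" name="nagios.cmd" dev=dm-0 ino=12 scontext=user_u:system_r:nagios_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=fifo_file
type=AVC msg=audit(1233849610.400:103): avc:  denied  { getattr } for  pid=2345 comm="nagios" name="check.tmp" dev=dm-0 ino=13 scontext=user_u:system_r:nagios_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
EOF
}

sample_log | summarize_avc 1233849600 -
```

A target type that looks too generic for the file involved points to a labeling problem to fix with restorecon or semanage fcontext rather than with another audit2allow rule.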