[refpolicy] Using nagios with SELinux on Debian

[refpolicy] Using nagios with SELinux on Debian

[Gereon Kremer]

Hi all,

I'm trying to use nagios on a debian with SELinux.
Although there is a nagios policy, there are various avc denials, mostly
plugins that are denied to access /var/lib/nagios3/spool/

I looked through the nagios policy and it seems that some things are
just incomplete:
There are several classes of plugins (admin, checkdisk, mail. services,
system, unconfined) but they all try to access the same spool folder and
there are no rules to allow this access: Neither rules that allow all
plugins to access a specific file class, nor a rule that labels the
spool folder. (there is a rule for /var/spool/nagios3/, but this folder
does not exist on my machine...)
Also, the webserver (apache in my case) tries to access cache files
which is not allows by the nagios policy...

What is the status of this policy? Should it actually work? Or is it
just broken for debian?

-- 
Gereon Kremer
Lehr- und Forschungsgebiet Theorie Hybrider Systeme
RWTH Aachen
Tel: +49 241 80 21243

[refpolicy] Using nagios with SELinux on Debian

[Mika Pflüger]

Hi,

Gereon Kremer <gereon.kremer@cs.rwth-aachen.de> wrote:
> I'm trying to use nagios on a debian with SELinux.
> Although there is a nagios policy, there are various avc denials,
> mostly plugins that are denied to access /var/lib/nagios3/spool/
> 
> I looked through the nagios policy and it seems that some things are
> just incomplete:
> There are several classes of plugins (admin, checkdisk, mail.
> services, system, unconfined) but they all try to access the same
> spool folder and there are no rules to allow this access: Neither
> rules that allow all plugins to access a specific file class, nor a
> rule that labels the spool folder. (there is a rule
> for /var/spool/nagios3/, but this folder does not exist on my
> machine...) Also, the webserver (apache in my case) tries to access
> cache files which is not allows by the nagios policy...
> 
> What is the status of this policy? Should it actually work? Or is it
> just broken for debian?

Your analysis is most likely correct; there are quite some bugs in the
debian policy and refpolicy. If you want to chase them, it is always
helpful to check the differences between debian policy [1], upstream
refpolicy [2] and fedora policy [3], often fedora already contains
fixes which could be polished + pushed upstream from where they'll
tickle down into the debian policy.
If you don't intent to chase the policy bugs yourself you can also
report a bug against the debian refpolicy package, but at the moment we
(the debian selinux team) have some more pressing issues, so a bug
about nagios might take us a release or two (yes, that's 5 years) until
we get around to looking at it if it doesn't come with patches.

Cheers,

Mika

[1] git://anonscm.debian.org/selinux/refpolicy.git
[2] http://oss.tresys.com/git/refpolicy.git
[3] http://git.fedorahosted.org/git/selinux-policy.git

-- 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140521/3801b1ad/attachment.bin 

[refpolicy] Using nagios with SELinux on Debian

[Russell Coker]

One thing I have been planning is a Debian SE Linux test network using example.com domains.  If you could help me setup a Nagios virtual machine then that would be really good.  I'll write the policy if you configure Nagios.

Contact me off list if you want to do this.
-- 
Sent from my Samsung Galaxy Note 2 with K-9 Mail.