Nagios nrpe and sudo

Daniel J Walsh dwalsh at redhat.com
Tue Jan 31 21:50:54 UTC 2006


Stephen Smalley wrote:
> On Tue, 2006-01-31 at 07:12 -0500, Stephen Smalley wrote:
>   
>> On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
>>     
>>> Further to this, I note that I don't even need the
>>> inetd_child_disable_trans boolean set now. By default nrpe running under
>>> xinetd is allowed to sudo. Should this not be controlled?
>>>
>>> What protection does running xinetd under selinux give?
>>>       
>> IIRC, the default targeted policy in Fedora leaves inetd children who do
>> not have a specific domain defined for them unconfined, as otherwise all
>> external (outside of Fedora) inetd-based services that lack policy would
>> immediately break.  The strict policy takes the more conservative
>> approach for security, at the risk of greater application breakage.
>>     
>
> Ah, sorry, but your point was that nrpe should be confined since it has
> policy.  However, it appears that the nagios and nrpe policies aren't
> being built as part of the Fedora policy at present.
>
>   
Those would be good candidates for loadable modules.
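Added example, not part of this thread: a small POSIX sh check that answers the question raised above (is nrpe actually confined, or is it running as an unconfined inetd child?). It classifies lines in the shape of `ps -eZ` output by the type field of the process context. The list of types treated as "unconfined" (`unconfined_t`, `inetd_child_t`, `initrc_t`), the domain name `nrpe_t`, and the sample process listing are assumptions constructed for the example; the boolean `inetd_child_disable_trans` is the one named in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Classify processes from
# `ps -eZ`-style lines as confined or unconfined by their SELinux type.

# Types assumed here to mean "no real confinement" on a targeted policy.
is_unconfined_type() {
    case "$1" in
        unconfined_t|inetd_child_t|initrc_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Third colon-separated field of a context such as system_u:system_r:nrpe_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one `ps -eZ` line for the services we care about (nrpe, nagios).
# Prints "confined", "unconfined" or "skip".
classify_ps_line() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    cmd=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$cmd" in
        nrpe|nagios) ;;
        *) echo skip; return 0 ;;
    esac
    t=$(context_type "$ctx")
    if is_unconfined_type "$t"; then echo unconfined; else echo confined; fi
}

# Count nrpe/nagios processes in a listing that run unconfined (printed to stdout).
count_unconfined() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_ps_line "$line")" = unconfined ] && n=$((n + 1))
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed sample listing: one nrpe child left in inetd_child_t (unconfined
# under the assumptions above) and one in a dedicated nrpe_t domain.
SAMPLE_PS='system_u:system_r:xinetd_t:s0        1234 ?        00:00:00 xinetd
system_u:system_r:inetd_child_t:s0   1240 ?        00:00:00 nrpe
system_u:system_r:nrpe_t:s0          1241 ?        00:00:00 nrpe
user_u:user_r:user_t:s0              2000 pts/0    00:00:00 bash'

# On a live system the same functions can be fed `ps -eZ` directly;
# the boolean from the thread is shown when the SELinux tools are present.
report() {
    printf 'unconfined nrpe/nagios processes in sample: %s\n' "$(count_unconfined "$SAMPLE_PS")"
    if command -v getsebool >/dev/null 2>&1; then
        getsebool inetd_child_disable_trans || true
    fi
}

report
```

To use it on a real host, replace `SAMPLE_PS` with `$(ps -eZ)`; a non-zero count means the service is running in a domain that the targeted policy does not restrict, which is exactly the situation Martin observed.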
More information about the fedora-selinux-list mailing list