Nagios Web Interface and SELinux

Ali Nebi anebi at iguanait.com
Fri Aug 31 07:22:47 UTC 2007 

On Thu, 2007-08-30 at 12:00 -0400,
fedora-selinux-list-request at redhat.com wrote:
> Send fedora-selinux-list mailing list submissions to
> 	fedora-selinux-list at redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> or, via email, send a message with subject or body 'help' to
> 	fedora-selinux-list-request at redhat.com
> 
> You can reach the person managing the list at
> 	fedora-selinux-list-owner at redhat.com
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of fedora-selinux-list digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Nagios Web Interface and SELinux (Michael Thomas)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 29 Aug 2007 15:37:18 -0700
> From: Michael Thomas <wart at kobold.org>
> Subject: Re: Nagios Web Interface and SELinux
> To: Daniel J Walsh <dwalsh at redhat.com>
> Cc: fedora-selinux-list at redhat.com
> Message-ID: <46D5F51E.20206 at kobold.org>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Daniel J Walsh wrote:
> > Ryan Skadberg wrote:
> >> I have been trying to get nagios up and running on 2 different
> >> machines.  One running FC5 and one running FC6.  Nagios itself starts
> >> up fine, but the web interface fails miserably.
> >>
> >> When looking at /var/log/messages, I see things like:
> >> Dec  3 11:38:17 xray kernel: audit(1165174697.348:289): avc:  denied
> >> { execute_no_trans } for  pid=22237 comm="httpd" name="tac.cgi"
> >> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>
> > Where is this file located?  Looks like this needs a context like
> > httpd_sys_content_t or httpd_sys_script_t.
> > 
> > 
> > chcon -R  -t httpd_sys_content_t PATH_TO_DIR
> 
> I just ran into the same problem on EPEL-5.  It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
> 
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ --      system_u:object_r:nagios_cgi_exec_t:s0
> [...]
> 
> This should be:
> 
> /usr/lib(64)?/nagios/cgi-bin/.+ --
> 
> --Wart
> 
> 
> 
> ------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> End of fedora-selinux-list Digest, Vol 42, Issue 32
> ***************************************************

Hi, i have installed nagios on fedora 6, and i have not problems with
selinux there.

I can tell you selinux contexts for some needed file, it looks work
fine. i don't get audit messages.

1. /etc/nagio - system_u:object_r:nagios_etc_t
2. [anebi at asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r--  root   root   system_u:object_r:nagios_etc_t   cgi.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   commands.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t
contactgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   contacts.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t
hostgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   hosts.cfg
-rw-r--r--  apache apache system_u:object_r:nagios_etc_t
htpasswd.users
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   nagios.cfg
-rw-r--r--  nagios nagios system_u:object_r:nrpe_etc_t     nrpe.cfg
drwxr-x---  root   nagios system_u:object_r:nagios_etc_t   private
drw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   sample
drwxr-xr-x  nagios nagios system_u:object_r:nagios_etc_t   services
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t
timeperiods.cfg

3. [anebi at asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x  root root
system_u:object_r:usr_t          /usr/share/nagios/

4. [anebi at asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x  root root system_u:object_r:usr_t          html

5. [anebi at asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x  root root system_u:object_r:usr_t          contexthelp
drwxr-xr-x  root root system_u:object_r:usr_t          docs
drwxr-xr-x  root root system_u:object_r:usr_t          images
-rw-r--r--  root root system_u:object_r:usr_t          index.html
-rw-r--r--  root root system_u:object_r:usr_t          main.html
drwxr-xr-x  root root system_u:object_r:usr_t          media
-rw-r--r--  root root system_u:object_r:usr_t          robots.txt
-rw-r--r--  root root system_u:object_r:usr_t          side.html
drwxr-xr-x  root root system_u:object_r:usr_t          ssi
drwxr-xr-x  root root system_u:object_r:usr_t          stylesheets

6. [anebi at asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x  root root
system_u:object_r:lib_t          /usr/lib64/nagios/

7. [anebi at asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x  root root system_u:object_r:lib_t          cgi-bin
drwxr-xr-x  root root system_u:object_r:bin_t          plugins

8. [anebi at asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t avail.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t cmd.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t config.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t extinfo.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t histogram.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t history.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t
notifications.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t outages.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t showlog.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t status.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t statusmap.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t statuswml.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t statuswrl.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t summary.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t tac.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t trends.cgi

9. [anebi at asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_ackpoller
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_clamd ->
check_tcp
-rwsr-x---  root nagios system_u:object_r:bin_t          check_dhcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_disk
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_ftp ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_http
-rwsr-xr-x  root root   system_u:object_r:bin_t          check_ide_smart
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_imap ->
check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_jabber ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t
check_linux_raid
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_load
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_nagios
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_nntp ->
check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_nntps ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_nrpe
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_ping
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_pop ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_sensors
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_simap ->
check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_spop ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_ssh
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_ssmtp ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t          check_udp ->
check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t          check_users
drwxr-xr-x  root root   system_u:object_r:bin_t          eventhandlers
-rwxr-xr-x  root root   system_u:object_r:bin_t          negate
-rwxr-xr-x  root root   system_u:object_r:bin_t
notify_by_reliable
-rwxr-xr-x  root root   system_u:object_r:bin_t          urlize
-rw-r--r--  root root   system_u:object_r:bin_t          utils.pm
-rwxr-xr-x  root root   system_u:object_r:bin_t          utils.sh

10. [anebi at asgard ~]$ ls  -Z /var/log/nagios/
drwxr-xr-x  nagios nagios system_u:object_r:nagios_log_t   archives
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   comments.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   downtime.dat
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t   nagios.log
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t   objects.cache
-rw-------  nagios nagios system_u:object_r:nagios_log_t   retention.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   status.dat

11. [anebi at asgard ~]$ ls -Z /var/run/nagios.pid 
-rw-r--r--  nagios nagios
system_u:object_r:initrc_var_run_t /var/run/nagios.pid

I'm not sure about this, i think i had messages for this

Now our systems are running on permissive mode. 

I hope that, this info can help you.

Regards, Ali Nebi!

More information about the fedora-selinux-list mailing list