Nagios Web Interface and SELinux
Ali Nebi
anebi at iguanait.com
Fri Aug 31 07:22:47 UTC 2007
On Thu, 2007-08-30 at 12:00 -0400,
fedora-selinux-list-request at redhat.com wrote:
> Message: 1
> Date: Wed, 29 Aug 2007 15:37:18 -0700
> From: Michael Thomas <wart at kobold.org>
> Subject: Re: Nagios Web Interface and SELinux
> To: Daniel J Walsh <dwalsh at redhat.com>
> Cc: fedora-selinux-list at redhat.com
> Message-ID: <46D5F51E.20206 at kobold.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel J Walsh wrote:
> > Ryan Skadberg wrote:
> >> I have been trying to get nagios up and running on 2 different
> >> machines. One running FC5 and one running FC6. Nagios itself starts
> >> up fine, but the web interface fails miserably.
> >>
> >> When looking at /var/log/messages, I see things like:
> >> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
> >> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
> >> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>
> > Where is this file located? Looks like this needs a context like
> > httpd_sys_content_t or httpd_sys_script_t.
> >
> >
> > chcon -R -t httpd_sys_content_t PATH_TO_DIR
>
> I just ran into the same problem on EPEL-5. It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
>
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
>
> This should be:
>
> /usr/lib(64)?/nagios/cgi-bin/.+ --
>
> --Wart
Hi, I have installed Nagios on Fedora 6, and I have no problems with
SELinux there.
I can tell you the SELinux contexts for some of the needed files; it seems to
work fine. I don't get audit messages.
1. /etc/nagios - system_u:object_r:nagios_etc_t
2. [anebi@asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r-- root root system_u:object_r:nagios_etc_t cgi.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t commands.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contactgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contacts.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hostgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hosts.cfg
-rw-r--r-- apache apache system_u:object_r:nagios_etc_t htpasswd.users
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t nagios.cfg
-rw-r--r-- nagios nagios system_u:object_r:nrpe_etc_t nrpe.cfg
drwxr-x--- root nagios system_u:object_r:nagios_etc_t private
drw-r--r-- nagios nagios system_u:object_r:nagios_etc_t sample
drwxr-xr-x nagios nagios system_u:object_r:nagios_etc_t services
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t timeperiods.cfg
3. [anebi@asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t /usr/share/nagios/
4. [anebi@asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t html
5. [anebi@asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x root root system_u:object_r:usr_t contexthelp
drwxr-xr-x root root system_u:object_r:usr_t docs
drwxr-xr-x root root system_u:object_r:usr_t images
-rw-r--r-- root root system_u:object_r:usr_t index.html
-rw-r--r-- root root system_u:object_r:usr_t main.html
drwxr-xr-x root root system_u:object_r:usr_t media
-rw-r--r-- root root system_u:object_r:usr_t robots.txt
-rw-r--r-- root root system_u:object_r:usr_t side.html
drwxr-xr-x root root system_u:object_r:usr_t ssi
drwxr-xr-x root root system_u:object_r:usr_t stylesheets
6. [anebi@asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t /usr/lib64/nagios/
7. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t cgi-bin
drwxr-xr-x root root system_u:object_r:bin_t plugins
8. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t avail.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t cmd.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t config.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t extinfo.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t histogram.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t history.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t notifications.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t outages.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t showlog.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t status.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statusmap.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswml.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswrl.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t summary.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t tac.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t trends.cgi
9. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x root root system_u:object_r:bin_t check_ackpoller
lrwxrwxrwx root root system_u:object_r:bin_t check_clamd -> check_tcp
-rwsr-x--- root nagios system_u:object_r:bin_t check_dhcp
-rwxr-xr-x root root system_u:object_r:bin_t check_disk
lrwxrwxrwx root root system_u:object_r:bin_t check_ftp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_http
-rwsr-xr-x root root system_u:object_r:bin_t check_ide_smart
lrwxrwxrwx root root system_u:object_r:bin_t check_imap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_jabber -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_linux_raid
-rwxr-xr-x root root system_u:object_r:bin_t check_load
-rwxr-xr-x root root system_u:object_r:bin_t check_nagios
lrwxrwxrwx root root system_u:object_r:bin_t check_nntp -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_nntps -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_nrpe
-rwxr-xr-x root root system_u:object_r:bin_t check_ping
lrwxrwxrwx root root system_u:object_r:bin_t check_pop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_sensors
lrwxrwxrwx root root system_u:object_r:bin_t check_simap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_spop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_ssh
lrwxrwxrwx root root system_u:object_r:bin_t check_ssmtp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_udp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_users
drwxr-xr-x root root system_u:object_r:bin_t eventhandlers
-rwxr-xr-x root root system_u:object_r:bin_t negate
-rwxr-xr-x root root system_u:object_r:bin_t notify_by_reliable
-rwxr-xr-x root root system_u:object_r:bin_t urlize
-rw-r--r-- root root system_u:object_r:bin_t utils.pm
-rwxr-xr-x root root system_u:object_r:bin_t utils.sh
10. [anebi@asgard ~]$ ls -Z /var/log/nagios/
drwxr-xr-x nagios nagios system_u:object_r:nagios_log_t archives
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t comments.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t downtime.dat
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t nagios.log
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t objects.cache
-rw------- nagios nagios system_u:object_r:nagios_log_t retention.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t status.dat
11. [anebi@asgard ~]$ ls -Z /var/run/nagios.pid
-rw-r--r-- nagios nagios system_u:object_r:initrc_var_run_t /var/run/nagios.pid
I'm not sure about this; I think I had messages for this.
Now our systems are running in permissive mode.
I hope that this info can help you.
Regards, Ali Nebi!
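
Added example (not part of the original messages or of the SELinux policy sources): a simplified Python model of file_contexts lookup, showing why the entry quoted in the thread never matches a path under cgi-bin, so tac.cgi keeps the lib_t type seen in the AVC record. The generic lib_t line, the last-match-wins rule and the /usr/lib64 path (taken from the listing above) are assumptions made for the illustration.

```python
import re

# Constructed sample. The nagios line is the entry quoted in the thread; the
# generic lib_t line is an assumed stand-in for the policy's /usr/lib rule.
SHIPPED = """\
/usr/lib(64)?(/.*)?            system_u:object_r:lib_t:s0
/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
"""
FIXED = SHIPPED.replace("/nagios/cgi/", "/nagios/cgi-bin/")  # proposed fix

# AVC record from the thread, rejoined onto one line.
AVC = ('audit(1165174697.348:289): avc: denied { execute_no_trans } for '
       'pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 '
       'scontext=user_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')

def parse_specs(text):
    """Turn file_contexts lines into (regex, file-type flag, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An optional middle field restricts the file type ("--" = regular).
        flag = fields[1] if len(fields) == 3 else None
        specs.append((re.compile(fields[0]), flag, fields[-1]))
    return specs

def lookup(specs, path, flag="--"):
    """Assumed simplification: whole-path match, last matching entry wins."""
    label = None
    for regex, want, context in specs:
        if want in (None, flag) and regex.fullmatch(path):
            label = context
    return label

def avc_fields(record):
    """Extract key=value pairs (quotes stripped) from an AVC record."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def diagnose(record, path):
    """Return (type in the denial, type under SHIPPED, type under FIXED)."""
    seen = avc_fields(record)["tcontext"].split(":")[2]
    shipped = lookup(parse_specs(SHIPPED), path).split(":")[2]
    fixed = lookup(parse_specs(FIXED), path).split(":")[2]
    return seen, shipped, fixed

if __name__ == "__main__":
    print(diagnose(AVC, "/usr/lib64/nagios/cgi-bin/tac.cgi"))
```

On a live system, matchpathcon /usr/lib64/nagios/cgi-bin/tac.cgi reports the label the installed file_contexts assigns to that path, and restorecon -v applies it.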