I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
I noticed in the selinux-policy-targeted Changelog:
* Wed Jul 26 2006 Dan Walsh dwalsh@redhat.com 2.3.3-13
- Add nagios policy
This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me.
Both systems are set to:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
Anyone have any advice on how to fix this?
Thanks!
Skadz
Ryan Skadberg wrote:
> I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably.
> When looking at /var/log/messages, I see things like:
> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Where is this file located? Looks like this needs a context like httpd_sys_content_t or httpd_sys_script_t.
chcon -R -t httpd_sys_content_t PATH_TO_DIR
> I noticed in the selinux-policy-targeted Changelog:
> * Wed Jul 26 2006 Dan Walsh dwalsh@redhat.com 2.3.3-13
> - Add nagios policy
> This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me.
> Both systems are set to:
> SELINUX=enforcing
> SELINUXTYPE=targeted
> SETLOCALDEFS=0
> Anyone have any advice on how to fix this?
> Thanks!
> Skadz
Daniel J Walsh wrote:
> Ryan Skadberg wrote:
>> I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably.
>> When looking at /var/log/messages, I see things like:
>> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> Where is this file located? Looks like this needs a context like httpd_sys_content_t or httpd_sys_script_t.
> chcon -R -t httpd_sys_content_t PATH_TO_DIR
I just ran into the same problem on EPEL-5. It appears that the path for the nagios cgi scripts is wrong in /etc/selinux/targeted/contexts/files/file_contexts:
# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
[...]
This should be:
/usr/lib(64)?/nagios/cgi-bin/.+ --
--Wart
Michael Thomas wrote:
> Daniel J Walsh wrote:
>> Ryan Skadberg wrote:
>>> I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably.
>>> When looking at /var/log/messages, I see things like:
>>> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
>> Where is this file located? Looks like this needs a context like httpd_sys_content_t or httpd_sys_script_t.
>> chcon -R -t httpd_sys_content_t PATH_TO_DIR
> I just ran into the same problem on EPEL-5. It appears that the path for the nagios cgi scripts is wrong in /etc/selinux/targeted/contexts/files/file_contexts:
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
> This should be:
> /usr/lib(64)?/nagios/cgi-bin/.+ --
> --Wart
You can add this yourself for now. I will update the U2 selinux policy to fix this.
semanage fcontext -a -t nagios_cgi_exec_t \
    "/usr/lib(64)?/nagios/cgi-bin/.+"
I've been seeing two other avc denials running nagios on RHEL5. As far as I can tell, they don't appear to be causing any problems in the application itself, and can probably be dontaudit'd:
type=AVC msg=audit(1189631147.313:467272): avc: denied { read write } for pid=14940 comm="status.cgi" name="[13034671]" dev=sockfs ino=13034671 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1189631147.514:467273): avc: denied { read } for pid=14972 comm="ping" name="nagios.cmd" dev=dm-0 ino=52887564 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=fifo_file
--Wart
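
An added example, not code from any poster in this thread: it parses the three AVC denials quoted above into source type, target type, class and permissions, then checks the shipped and corrected file_contexts patterns against a CGI path, which shows why the file kept the lib_t label seen in the first denial. The function names and the full path /usr/lib/nagios/cgi-bin/tac.cgi are assumptions; the thread only gives name="tac.cgi".

```python
import re

# AVC records copied verbatim from the thread above.
AVC_LINES = [
    'Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'type=AVC msg=audit(1189631147.313:467272): avc: denied { read write } for pid=14940 comm="status.cgi" name="[13034671]" dev=sockfs ino=13034671 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1189631147.514:467273): avc: denied { read } for pid=14972 comm="ping" name="nagios.cmd" dev=dm-0 ino=52887564 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=fifo_file',
]

# file_contexts patterns quoted in the thread: as shipped, and as corrected.
SHIPPED = r"/usr/lib(64)?/nagios/cgi/.+"
CORRECTED = r"/usr/lib(64)?/nagios/cgi-bin/.+"

# Assumed install path of the CGI; the thread only gives name="tac.cgi".
ASSUMED_CGI_PATH = "/usr/lib/nagios/cgi-bin/tac.cgi"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy decisions key on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def fc_matches(pattern, path):
    """file_contexts regexes must match the whole path, so use fullmatch."""
    return re.fullmatch(pattern, path) is not None

def summarize(line):
    """One-line 'source -> target:class {perms}' view of a denial."""
    r = parse_avc(line)
    return "%s -> %s:%s {%s} name=%s" % (
        r["source_type"], r["target_type"], r["tclass"], " ".join(r["perms"]), r["name"])

if __name__ == "__main__":
    for line in AVC_LINES:
        print(summarize(line))
    for label, pattern in (("shipped", SHIPPED), ("corrected", CORRECTED)):
        print(label, pattern, "matches:", fc_matches(pattern, ASSUMED_CGI_PATH))
```

After the corrected pattern is added, existing files keep their old label until they are relabelled, for example with restorecon -R on the cgi-bin directory.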