Bug 1291734

Summary: nagios 4.0.8 fails to start with a "permission denied" error if SELinux is enabled
Product: [Fedora] Fedora EPEL Reporter: Lenz Grimmer <lenz>
Component: nagiosAssignee: Scott Wilkerson <swilkerson>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel7CC: 9dnmlarl, affix, cfeller, jose.p.oliveira.oss, lemenkov, mfischer, nb, ondrejj, pmonfette, redhat, shawn.starr, s, stephen, swilkerson, vdanek, wfoster
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: nagios-4.0.8-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-21 04:39:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lenz Grimmer 2015-12-15 14:03:46 UTC 
Description of problem:

This is a followup to BUG#1291718. The workaround described in there to manually create /var/log/nagios/rw or to change the query_socket location defined in /etc/nagios/nagios.cfg to a different path like /var/run/nagios/nagios.qh only works, if SELinux is enabled. In case SELinux is set to "Enforcing", it will prevent the socket creation, as the nagios policy file does not seem to grant this privilege.

How to repeat:

[root@centospkgtest ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@centospkgtest ~]# rpm -q nagios
nagios-4.0.8-1.el7.x86_64
[root@centospkgtest ~]# setenforce Enforcing
[root@centospkgtest ~]# getenforce
Enforcing
[root@centospkgtest ~]# install -d -m 755 -o nagios -g nagios /var/log/nagios/rw
[root@centospkgtest ~]# ls -ld /var/log/nagios/rw
drwxr-xr-x. 2 nagios nagios 6 Dec 15 14:36 /var/log/nagios/rw
[root@centospkgtest ~]# systemctl start nagios
[root@centospkgtest ~]# systemctl status nagios
● nagios.service - Nagios Network Monitoring
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2015-12-15 14:52:47 CET; 5s ago
     Docs: http://www.nagios.org/documentation
  Process: 1716 ExecStart=/usr/sbin/nagios /etc/nagios/nagios.cfg (code=exited, status=1/FAILURE)
  Process: 1714 ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 1716 (code=exited, status=1/FAILURE)

Dec 15 14:52:47 centospkgtest systemd[1]: Starting Nagios Network Monitoring...
Dec 15 14:52:47 centospkgtest systemd[1]: Started Nagios Network Monitoring.
Dec 15 14:52:47 centospkgtest nagios[1716]: Nagios 4.0.8 starting... (PID=1716)
Dec 15 14:52:47 centospkgtest systemd[1]: nagios.service: main process exite...E
Dec 15 14:52:47 centospkgtest systemd[1]: Unit nagios.service entered failed....
Dec 15 14:52:47 centospkgtest systemd[1]: nagios.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@centospkgtest ~]# cat /var/log/nagios/nagios.log 
[1450187567] Nagios 4.0.8 starting... (PID=1716)
[1450187567] Local time is Tue Dec 15 14:52:47 CET 2015
[1450187567] LOG VERSION: 2.0
[1450187567] qh: Failed to init socket '/var/log/nagios/rw/nagios.qh'. bind() failed: Permission denied
[1450187567] Error: Failed to initialize query handler. Aborting
[root@centospkgtest ~]# tail -n4 /var/log/audit/audit.log 
type=SERVICE_START msg=audit(1450187567.192:589): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nagios comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1450187567.198:590): avc:  denied  { create } for  pid=1716 comm="nagios" name="nagios.qh" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1450187567.198:590): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7ffdb9ecd670 a2=1e a3=676f6c2f7261762f items=0 ppid=1 pid=1716 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1450187567.199:591): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nagios comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[root@centospkgtest ~]# tail -n4 /var/log/audit/audit.log | audit2allow nagios-socket -M nagios-socket
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nagios-socket.pp

[root@centospkgtest ~]# cat nagios-socket.te 

module nagios-socket 1.0;

require {
	type nagios_t;
	type nagios_log_t;
	class sock_file create;
}

#============= nagios_t ==============
allow nagios_t nagios_log_t:sock_file create;
[root@centospkgtest ~]# semodule -i nagios-socket.pp 
[root@centospkgtest ~]# rm /var/log/nagios/nagios.log 
rm: remove regular file ‘/var/log/nagios/nagios.log’? y
[root@centospkgtest ~]# systemctl start nagios
[root@centospkgtest ~]# systemctl status nagios
● nagios.service - Nagios Network Monitoring
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2015-12-15 14:59:33 CET; 6s ago
     Docs: http://www.nagios.org/documentation
  Process: 1774 ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 1776 (nagios)
   CGroup: /system.slice/nagios.service
           ├─1776 /usr/sbin/nagios /etc/nagios/nagios.cfg
           └─1784 /usr/sbin/nagios /etc/nagios/nagios.cfg

Dec 15 14:59:33 centospkgtest nagios[1776]: nerd: Fully initialized and read...!
Dec 15 14:59:33 centospkgtest nagios[1776]: wproc: Successfully registered m...r
Dec 15 14:59:33 centospkgtest nagios[1776]: Failed to connect to query socke...d
Dec 15 14:59:33 centospkgtest nagios[1776]: Failed to connect to query socke...d
Dec 15 14:59:33 centospkgtest nagios[1776]: Failed to connect to query socke...d
Dec 15 14:59:33 centospkgtest nagios[1776]: Failed to connect to query socke...d
Dec 15 14:59:35 centospkgtest nagios[1776]: Successfully launched command fi...4
Dec 15 14:59:35 centospkgtest nagios[1776]: Unable to send check for host 'c...)
Dec 15 14:59:35 centospkgtest nagios[1776]: Successfully launched command fi...4
Dec 15 14:59:35 centospkgtest nagios[1776]: Unable to send check for host 'c...)
Hint: Some lines were ellipsized, use -l to show in full.
[root@centospkgtest ~]# cat /var/log/nagios/nagios.log 
[1450187973] Nagios 4.0.8 starting... (PID=1776)
[1450187973] Local time is Tue Dec 15 14:59:33 CET 2015
[1450187973] LOG VERSION: 2.0
[1450187973] qh: Socket '/var/log/nagios/rw/nagios.qh' successfully initialized
[1450187973] qh: core query handler registered
[1450187973] nerd: Channel hostchecks registered successfully
[1450187973] nerd: Channel servicechecks registered successfully
[1450187973] nerd: Channel opathchecks registered successfully
[1450187973] nerd: Fully initialized and ready to rock!
[1450187973] wproc: Successfully registered manager as @wproc with query handler
[1450187975] Successfully launched command file worker with pid 1784

The existing nagios SELinux Policy should be updated to grant permission to create a socket file. Preferrably, the socket should be created in /var/run/nagios (see BUG#1291718 for the proposal) and the policy should be created accordingly.
Comment 1 Lenz Grimmer 2015-12-15 14:11:19 UTC 
This policy file is more complete (assuming the built-in default socket file location):

module nagios-socket 1.0;

require {
        type nagios_t;
        type nagios_log_t;
        class sock_file { write create unlink };
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:sock_file create;
allow nagios_t nagios_log_t:sock_file { write unlink };
Comment 2 Patrick Monfette 2015-12-21 10:27:41 UTC 
Hello,

This was not enough for me in order to get Nagios fully working.

I had to create the rw folder and give it the right permissions because of this error:

Dec 21 04:43:19 dpdell nagios: qh: Failed to init socket '/var/log/nagios/rw/nagios.qh'. bind() failed: No such file or directory

Folder and selinux perms:

# sudo -u nagios mkdir /var/log/nagios/rw/
# chcon system_u:object_r:nagios_log_t:s0 rw

Then I got all the below errors on start and restart (unable to connect to socket and also unable to unlink):

Dec 21 05:07:14 dpdell nagios: Failed to connect to query socket '/var/log/nagios/rw/nagios.qh': connect() failed: Permission denied
Dec 21 05:07:40 dpdell nagios: qh: Failed to init socket '/var/log/nagios/rw/nagios.qh'. unlink() failed: Permission denied

So I ended up having this in order to fix it:

module nagios-socket 1.0;

require {
	type nagios_t;
	type nagios_log_t;
	class sock_file { write create unlink };
	class unix_stream_socket connectto;
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:sock_file { write create unlink };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow nagios_t self:unix_stream_socket connectto;
Comment 3 Stephen M 2015-12-25 04:44:39 UTC 
The previous post's policy file worked for me.
Comment 4 Fedora Update System 2015-12-30 02:27:55 UTC 
nagios-4.0.8-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-eed09b5974
Comment 5 Fedora Update System 2016-01-01 04:21:01 UTC 
nagios-4.0.8-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-eed09b5974
Comment 6 Fedora Update System 2016-01-21 04:38:58 UTC 
nagios-4.0.8-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Will Foster 2016-07-04 07:36:43 UTC 
This still occurs as of 2016-07-04, further the /var/log/nagios/rw/nagios.qh file does not cleanup after itself on daemon restart.

Details:
--------
CentOS or RHEL 7.2
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
nagios-4.0.8-2.el7.x86_64

== Workaround ==

1) to fix the SELinux settings I applied the following to:
/var/log/nagios/rw/nagios.qh

seuser = system_u
user = nagios
group = nagios
mode = 0777

This was done via:
https://github.com/sadsfae/ansible-nagios/blob/master/install/roles/nagios/tasks/main.yml#L102

2) to fix the daemon restart issue I modified the Nagios systemd unit file to append removing /var/log/nagios/rw/nagios.qh on ExecStopPost.  I accomplished this again via Ansible here:

https://github.com/sadsfae/ansible-nagios/blob/master/install/roles/nagios/tasks/main.yml#L112

Here's what he modified version looks like:

File: /usr/lib/systemd/system/nagios.service

--snip--
[Unit]
Description=Nagios Network Monitoring
After=network.target
Documentation=https://www.nagios.org/documentation/

[Service]
Type=forking
User=nagios
Group=nagios
PIDFile=/var/run/nagios/nagios.pid
# Verify Nagios config before start as upstream suggested
ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg
ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg
ExecStopPost=/usr/bin/rm -f /var/spool/nagios/cmd/nagios.cmd /var/log/nagios/rw/nagios.qh

[Install]
WantedBy=multi-user.target
--snip--