Bug 1314233

Summary: Seeing AVC errors for Nagios setup on RHGS nodes based on RHEL6.8
Product: Red Hat Enterprise Linux 6 Reporter: Triveni Rao <trao>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.8 CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sashinde, ssekidde, trao
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-04 21:24:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Triveni Rao 2016-03-03 09:12:28 UTC
Description of problem:
========================
Seeing AVC errors for Nagios setup on RHGS nodes based on RHEL6.8 
It's a fresh setup and layered installation of RHGS 3.1.2 and Nagios. Nagios UI does not show any issues but in audit.log there are several AVC errors related to nagios.


Version-Release number of selected component (if applicable):
=============================================================
RHGS and Nagios version: 3.1.2
RHEL version: Red Hat Enterprise Linux Server release 6.8 Beta (Santiago)


How reproducible:
=================
easily

Steps to Reproduce:
====================
1. Installed RHEL6.8 beta version.
2. Registered to Live channels of RHGS and nagios.
3. Installed RHGS (layered installation).
4. Installed nagios and configured it.
5. Seeing avc error in /var/log/audit/audit.log.

Actual results:
===============
Seeing avc error in /var/log/audit/audit.log.

type=AVC msg=audit(1456969634.489:110847): avc:  denied  { read } for  pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file


Expected results:
=================
Should not see any AVC errors

Additional info:
====================


Comment 2 Miroslav Grepl 2016-03-04 08:31:32 UTC
What does

# ls -Z /etc/localtime
system_u:object_r:locale_t:s0 /etc/localtime

show you? It looks like there is a mislabeling issue.

Comment 3 Triveni Rao 2016-03-04 10:01:07 UTC
output:

[root@dhcp35-14 ~]#  ls -Z /etc/localtime
-rw-r--r--. root root system_u:object_r:root_t:s0      /etc/localtime
[root@dhcp35-14 ~]#

Comment 4 Daniel Walsh 2016-03-04 21:24:30 UTC
restorecon /etc/localtime should fix this, although you might have a badly mislabeled system.

restorecon -R -v /etc

Or you might need to 
touch /.autorelabel; reboot
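
Added example, not part of the original bug thread: a small triage script that collapses repeated AVC denials like the ones in this report and separates a mislabeled target (fix with restorecon) from a denial on a correctly labeled file (a policy question). The expected-type table is an assumption supplied by hand from Comment 2 and keyed by the basename in the AVC record; on a live host the expected context would come from `matchpathcon /etc/localtime`. The sample lines are constructed from the denial quoted in the report.

```python
import re
from collections import Counter

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return (comm, name, source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
    try:
        return (kv.get("comm", "").strip('"'), kv.get("name", "").strip('"'),
                kv["scontext"].split(":")[2],   # type is the third context field
                kv["tcontext"].split(":")[2],
                kv["tclass"], tuple(m["perms"].split()))
    except (KeyError, IndexError):
        return None                             # malformed record, skip it

def summarize(lines):
    """Count identical denials so one root cause shows up as one entry."""
    return Counter(d for d in map(parse_avc, lines) if d is not None)

def triage(denial, expected_types):
    """'mislabeled' if the target type differs from the expected one,
    'policy' if the label is right and the rule is missing, else 'unknown'."""
    _comm, name, _stype, ttype, _tclass, _perms = denial
    expected = expected_types.get(name)
    if expected is None:
        return "unknown"
    return "mislabeled" if ttype != expected else "policy"

# Constructed sample: the denial from the report with three of its serials,
# plus one constructed non-AVC record that must be ignored.
TEMPLATE = ('type=AVC msg=audit(1456969634.489:%d): avc:  denied  { read } for  '
            'pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 '
            'scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 '
            'tcontext=system_u:object_r:root_t:s0 tclass=file')
SAMPLE = [TEMPLATE % s for s in (110830, 110831, 110847)]
SAMPLE.append("type=SYSCALL msg=audit(1456969634.489:110847): syscall=2 success=no")

# Assumption: expected type for /etc/localtime, as shown in Comment 2.
EXPECTED = {"localtime": "locale_t"}

if __name__ == "__main__":
    for denial, count in summarize(SAMPLE).items():
        print(count, denial, "->", triage(denial, EXPECTED))
```
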