Bug 1427415
| Summary: | Latest Nagios 4.2.4 broken under SELinux | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | alex |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | alex, lenz, lvrabec, mgrepl, mmalik, nduffy, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-175.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 12:28:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Following SELinux denial appeared after "service nagios start":
----
type=SYSCALL msg=audit(02/28/2017 04:28:41.347:296) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffdbb915f70 a2=0x21 a3=0xfffffe00 items=0 ppid=1415 pid=1417 auid=unset uid=nagios gid=nagios euid=nagios suid=nagios fsuid=nagios egid=nagios sgid=nagios fsgid=nagios tty=(none) ses=unset comm=nagios exe=/usr/sbin/nagios subj=system_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(02/28/2017 04:28:41.347:296) : avc: denied { connectto } for pid=1417 comm=nagios path=/var/spool/nagios/cmd/nagios.qh scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=unix_stream_socket
----
Following SELinux denials appeared when I was clicking in the web UI:
----
type=SYSCALL msg=audit(02/28/2017 04:40:37.316:330) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7fee9730c3d0 a1=O_RDONLY a2=0x7fee9730c0a0 a3=0x4 items=0 ppid=1709 pid=1755 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=outages.cgi exe=/usr/lib64/nagios/cgi-bin/outages.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null)
type=AVC msg=audit(02/28/2017 04:40:37.316:330) : avc: denied { read } for pid=1755 comm=outages.cgi name=objects.cache dev="dm-1" ino=258425 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/28/2017 04:40:36.031:329) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9997ec0370 a1=O_RDONLY a2=0x7f9997ec0830 a3=0x4 items=0 ppid=1709 pid=1754 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=status.cgi exe=/usr/lib64/nagios/cgi-bin/status.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null)
type=AVC msg=audit(02/28/2017 04:40:36.031:329) : avc: denied { read } for pid=1754 comm=status.cgi name=objects.cache dev="dm-1" ino=258425 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
----
Following AVCs appeared in permissive mode:
----
type=SYSCALL msg=audit(02/28/2017 04:43:03.409:335) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffe47a0efc0 a2=0x7ffe47a0efc0 a3=0x4 items=0 ppid=1742 pid=1767 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=tac.cgi exe=/usr/lib64/nagios/cgi-bin/tac.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null)
type=AVC msg=audit(02/28/2017 04:43:03.409:335) : avc: denied { getattr } for pid=1767 comm=tac.cgi path=/var/spool/nagios/objects.cache dev="dm-1" ino=258425 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/28/2017 04:43:03.409:334) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fd148dbf3d0 a1=O_RDONLY a2=0x7fd148dbf0a0 a3=0x4 items=0 ppid=1742 pid=1767 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=tac.cgi exe=/usr/lib64/nagios/cgi-bin/tac.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null)
type=AVC msg=audit(02/28/2017 04:43:03.409:334) : avc: denied { open } for pid=1767 comm=tac.cgi path=/var/spool/nagios/objects.cache dev="dm-1" ino=258425 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
type=AVC msg=audit(02/28/2017 04:43:03.409:334) : avc: denied { read } for pid=1767 comm=tac.cgi name=objects.cache dev="dm-1" ino=258425 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: After upgrading to the latest Nagios package available, 4.2.4, the web frontend no longer works with SELinux enabled. I get the following on audit.log type=AVC msg=audit(1488265620.009:2548): avc: denied { read } for pid=27346 comm="tac.cgi" name="objects.cache" dev="vda3" ino=33626409 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file type=SYSCALL msg=audit(1488265620.009:2548): arch=c000003e syscall=2 success=no exit=-13 a0=7f2237600430 a1=0 a2=7f2237600210 a3=4 items=0 ppid=26820 pid=27346 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="tac.cgi" exe="/usr/lib64/nagios/cgi-bin/tac.cgi" subj=system_u:system_r:nagios_script_t:s0 key=(null) This might be due to some paths in nagios.cfg changing from /var/log/nagios to /var/spool/nagios, I think. Steps to Reproduce: 1. Run nagios with SELinux enabled 2. Go to the UI Actual results: UI doesn't work Expected results: UI works