Bug 2111155
| Summary: | Loading Nagios Web UI throws php-fpm SELinux denials | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | INVADE International Ltd. <third.line> |
| Component: | nagios | Assignee: | Guido Aulisi <guido.aulisi> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | epel8 | CC: | b.heden, guido.aulisi, jose.p.oliveira.oss, redhat, shawn.starr, smooge, s, swilkerson |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description of problem:

Loading Nagios Web UI throws SELinux denials:

```
type=AVC msg=audit(1658848784.443:50090): avc: denied { getattr } for pid=3449803 comm="php-fpm" path="/var/spool/nagios/status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50091): avc: denied { read } for pid=3449803 comm="php-fpm" name="status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50092): avc: denied { getattr } for pid=3449803 comm="php-fpm" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=16811712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
```

Version-Release number of selected component (if applicable):

```
nagios-4.4.6-4.el8.x86_64
nagios-common-4.4.6-4.el8.x86_64
nagios-plugins-2.3.3-5.el8.x86_64
nagios-plugins-by_ssh-2.3.3-5.el8.x86_64
nagios-plugins-disk-2.3.3-5.el8.x86_64
nagios-plugins-dummy-2.3.3-5.el8.x86_64
nagios-plugins-http-2.3.3-5.el8.x86_64
nagios-plugins-load-2.3.3-5.el8.x86_64
nagios-plugins-ping-2.3.3-5.el8.x86_64
nagios-plugins-procs-2.3.3-5.el8.x86_64
nagios-plugins-ssh-2.3.3-5.el8.x86_64
nagios-plugins-swap-2.3.3-5.el8.x86_64
nagios-plugins-users-2.3.3-5.el8.x86_64
nagios-selinux-4.4.6-4.el8.x86_64
```

How reproducible: Always.

Steps to Reproduce:
1. Load Nagios Web UI.

Actual results: SELinux denials.

Expected results: No SELinux denials.

Additional info:

```
ls -alZ /var/spool/nagios/retention.dat
-rw-------. 1 nagios nagios system_u:object_r:nagios_spool_t:s0 1148998 Jul 26 16:03 /var/spool/nagios/retention.dat

ls -alZ /var/spool/nagios/status.dat
-rw-rw-r--. 1 nagios nagios system_u:object_r:nagios_spool_t:s0 1146584 Jul 26 16:30 /var/spool/nagios/status.dat

ps -efZ | grep php-fpm
system_u:system_r:httpd_t:s0 root 3449800 1 0 15:50 ? 00:00:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:httpd_t:s0 apache 3449801 3449800 0 15:50 ? 00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0 apache 3449802 3449800 0 15:50 ? 00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0 apache 3449803 3449800 0 15:50 ? 00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0 apache 3449804 3449800 0 15:50 ? 00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0 apache 3449805 3449800 0 15:50 ? 00:00:00 php-fpm: pool www

ls -alZ /usr/sbin/php-fpm
-rwxr-xr-x. 1 root root system_u:object_r:httpd_exec_t:s0 5027152 May 30 2021 /usr/sbin/php-fpm

ls -alZ /usr/lib64/nagios/cgi-bin/
total 5572
drwxrwxr-x. 2 root root system_u:object_r:nagios_script_exec_t:s0 4096 Jul 26 15:56 .
drwxr-xr-x. 4 root root system_u:object_r:lib_t:s0 36 Mar 7 2021 ..
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 358288 Mar 7 2021 archivejson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 331488 Mar 7 2021 avail.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 318872 Mar 7 2021 cmd.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 290432 Mar 7 2021 config.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 339632 Mar 7 2021 extinfo.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 286424 Mar 7 2021 histogram.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261816 Mar 7 2021 history.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261808 Mar 7 2021 notifications.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 355984 Mar 7 2021 objectjson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 253576 Mar 7 2021 outages.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 257680 Mar 7 2021 showlog.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 343736 Mar 7 2021 status.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 354128 Mar 7 2021 statusjson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 282312 Mar 7 2021 statusmap.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 278200 Mar 7 2021 statuswml.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261808 Mar 7 2021 statuswrl.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 286432 Mar 7 2021 summary.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 274152 Mar 7 2021 tac.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 294624 Mar 7 2021 trends.cgi

sesearch -A -s nagios_script_t -t nagios_spool_t -c file -p read
allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };

sesearch -A -s nagios_script_t -t nagios_spool_t -c file -p getattr
allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };
```

Please let me know if you need anything else.
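
To read the denials against the `sesearch` output in the report, the following added example (not part of the original report or of the nagios package) parses the three AVC records and the allow rule quoted above, groups the denials by source type, target type and class, and lists the permissions the quoted rule does not cover. The function names are illustrative.

```python
import re
from collections import defaultdict

# The three AVC records, copied from the bug report above.
AVC_LOG = """\
type=AVC msg=audit(1658848784.443:50090): avc: denied { getattr } for pid=3449803 comm="php-fpm" path="/var/spool/nagios/status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50091): avc: denied { read } for pid=3449803 comm="php-fpm" name="status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50092): avc: denied { getattr } for pid=3449803 comm="php-fpm" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=16811712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
"""

# The allow rule, copied from the sesearch output in the report.
ALLOW_RULES = "allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;')


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)


def parse_allow(rules):
    """Map (source type, target type, class) -> set of allowed permissions."""
    allowed = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(rules):
        allowed[(src, tgt, cls)].update(perms.split())
    return dict(allowed)


def uncovered(denials, allowed):
    """Denied permissions that no parsed allow rule grants to the same source type."""
    gaps = {k: sorted(p - allowed.get(k, set())) for k, p in denials.items()}
    return {k: v for k, v in gaps.items() if v}


if __name__ == "__main__":
    print(uncovered(summarize_denials(AVC_LOG), parse_allow(ALLOW_RULES)))
```

On the report's data this yields `getattr` and `read` for `httpd_t` on `nagios_spool_t:file`: the quoted rule grants those permissions to `nagios_script_t`, while the denied `php-fpm` process runs as `httpd_t`.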