Bug 250431

Summary: selinux blocking access to nagios cgi folder
Product: [Fedora] Fedora
Reporter: Matthias Kloth <matthias.kloth>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: ch.nolte
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 17:07:57 UTC

Description Matthias Kloth 2007-08-01 15:58:40 UTC
Description of problem:
nagios can't access cgi's in /usr/lib/nagios/cgi which leads to Internal Server
error.

Version-Release number of selected component (if applicable):
nagios 2.9-1.fc7
nagios-plugins 1.4.8-1.fc7
selinux-policy 2.6.4-26.fc7


How reproducible:
every time.

Steps to Reproduce:
1. install nagios
2. open web interface
3. select some monitoring site

disable selinux and everything works as expected 
Actual results:
error message Internal Server Error

Expected results:
show some monitoring information

Additional info:

Comment 1 Daniel Walsh 2007-08-01 20:29:22 UTC
The file must be mislabeled in that directory

restorecon -R -v /var/lib/nagios 

should fix the context, and make this work

I will fix the default contexts of files in that directory, to get created
correctly.

selinux-policy-2.6.4-31


Comment 2 Matthias Kloth 2007-08-02 07:37:10 UTC
Unfortunately the relabeling with "restorecon -R -v /var/lib/nagios" did not work.

Comment 3 Matthias Kloth 2007-08-02 07:42:48 UTC
I tried the following things:

1. trigger events
2. save Nagios AVC Messages in separate File (nagios.log)
3. audit2allow -m nagios -l -i /var/log/audit/nagios.log > nagios.te
4. checkmodule -M -m -o nagios.mod nagios.te
5. semodule -i nagios.pp

After doing this no server error occurred, but "Error: Could not read object
configuration data!". After disabling SELinux everything works fine again.

Comment 4 Daniel Walsh 2007-08-02 19:21:42 UTC
Please attach your audit.log 

Comment 5 Matthias Kloth 2007-08-02 21:55:38 UTC
audit log after triggering some nagios cgi action:

type=SYSCALL msg=audit(1186091013.610:1245): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2975 pid=20724 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091103.615:1246): avc:  denied  { search } for  pid=20749
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091103.615:1246): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2976 pid=20749 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091193.619:1247): avc:  denied  { search } for  pid=20759
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091193.619:1247): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2978 pid=20759 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091283.624:1248): avc:  denied  { search } for  pid=20769
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091283.624:1248): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2979 pid=20769 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091373.629:1249): avc:  denied  { search } for  pid=20796
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091373.629:1249): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2972 pid=20796 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
[root@MyTux cgi-bin]# tail /var/log/audit/audit.log
type=AVC msg=audit(1186091458.134:1267): avc:  denied  { search } for  pid=20836
comm="history.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091458.134:1267): arch=40000003 syscall=5 success=no
exit=-13 a0=80677c0 a1=8000 a2=0 a3=8000 items=0 ppid=2974 pid=20836 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="history.cgi" exe="/usr/lib/nagios/cgi-bin/history.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091459.134:1268): avc:  denied  { search } for  pid=20837
comm="summary.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091459.134:1268): arch=40000003 syscall=5 success=no
exit=-13 a0=806b880 a1=8000 a2=0 a3=8000 items=0 ppid=2977 pid=20837 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="summary.cgi" exe="/usr/lib/nagios/cgi-bin/summary.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091459.634:1269): avc:  denied  { search } for  pid=20838
comm="notifications.c" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091459.634:1269): arch=40000003 syscall=5 success=no
exit=-13 a0=80669c0 a1=8000 a2=0 a3=8000 items=0 ppid=2975 pid=20838 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="notifications.c" exe="/usr/lib/nagios/cgi-bin/notifications.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091460.134:1270): avc:  denied  { search } for  pid=20839
comm="showlog.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091460.134:1270): arch=40000003 syscall=5 success=no
exit=-13 a0=8065560 a1=8000 a2=0 a3=8000 items=0 ppid=2976 pid=20839 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="showlog.cgi" exe="/usr/lib/nagios/cgi-bin/showlog.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091461.134:1271): avc:  denied  { search } for  pid=20840
comm="config.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091461.134:1271): arch=40000003 syscall=5 success=no
exit=-13 a0=8069440 a1=8000 a2=0 a3=8000 items=0 ppid=2978 pid=20840 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="config.cgi" exe="/usr/lib/nagios/cgi-bin/config.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)


Comment 6 Daniel Walsh 2007-08-06 23:19:33 UTC
Should be fixed in selinux-policy-2.6.4-34

Comment 7 Daniel Walsh 2007-09-12 17:07:57 UTC
Moving modified bugs to closed