Bug 1314233 - Seeing AVC errors for Nagios setup on RHGS nodes based on RHEL6.8
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
6.8
x86_64 Linux
unspecified Severity medium
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Reported: 2016-03-03 04:12 EST by Triveni Rao
Modified: 2016-05-16 00:38 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-04 16:24:30 EST
Type: Bug
Description Triveni Rao 2016-03-03 04:12:28 EST
Description of problem:
========================
Seeing AVC errors for Nagios setup on RHGS nodes based on RHEL6.8 
It's a fresh setup and layered installation of RHGS 3.1.2 and Nagios. Nagios UI does not show any issues but in audit.log there are several AVC errors related to nagios.


Version-Release number of selected component (if applicable):
=============================================================
RHGS and Nagios version: 3.1.2
RHEL version: Red Hat Enterprise Linux Server release 6.8 Beta (Santiago)


How reproducible:
=================
easily

Steps to Reproduce:
====================
1. Installed RHEL6.8 beta version.
2. Registered to Live channels of RHGS and nagios.
3. Installed RHGS (layered installation).
4. Installed nagios and configured it.
5. Seeing avc error in /var/log/audit/audit.log.

Actual results:
===============
Seeing avc error in /var/log/audit/audit.log.

type=AVC msg=audit(1456969634.489:110847): avc:  denied  { read } for  pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file


Expected results:
=================
Should not see any AVC errors

Additional info:
====================

Comment 2 Miroslav Grepl 2016-03-04 03:31:32 EST
What does

# ls -Z /etc/localtime
system_u:object_r:locale_t:s0 /etc/localtime

show you? It looks like there is a mislabeling issue.
Comment 3 Triveni Rao 2016-03-04 05:01:07 EST
output:

[root@dhcp35-14 ~]#  ls -Z /etc/localtime
-rw-r--r--. root root system_u:object_r:root_t:s0      /etc/localtime
[root@dhcp35-14 ~]#
Comment 4 Daniel Walsh 2016-03-04 16:24:30 EST
restorecon /etc/localtime should fix this, although you might have a badly mislabeled system.

restorecon -R -v /etc

Or you might need to 
touch /.autorelabel; reboot
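
The triage done by hand in the comments above (spot that the denied target carries root_t and suspect a label problem, not a policy gap) can be run over a whole audit log. This is an added example, not part of the original bug report; the GENERIC_TYPES set, the function names and the extra sample line with the placeholder type example_data_t are assumptions of the example.

```python
import re
from collections import Counter

# Assumption of this example: target types that usually mean a file lost its
# label (restorecon territory) rather than that policy lacks a rule.
GENERIC_TYPES = {"root_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line) if "type=AVC" in line else None
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    f["perms"] = tuple(m.group(1).split())
    for key in ("scontext", "tcontext"):
        # Context is user:role:type:level; the type is always the third field.
        parts = f.get(key, "").split(":")
        f[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return f

def triage(lines):
    """Collapse repeated denials and flag targets with a generic type."""
    counts = Counter()
    for line in lines:
        f = parse_avc(line.strip())
        if f:
            counts[(f.get("comm"), f.get("name"), f["scontext_type"],
                    f["tcontext_type"], f.get("tclass"), f["perms"])] += 1
    return [dict(comm=c, name=n, source=s, target=t, tclass=k, perms=p,
                 count=cnt, likely_mislabel=t in GENERIC_TYPES)
            for (c, n, s, t, k, p), cnt in counts.items()]

# Sample input: the denial from this report (three of its serials) plus one
# constructed line whose target type, example_data_t, is a placeholder.
_D = ('type=AVC msg=audit(1456969634.489:%d): avc:  denied  { read } for  '
      'pid=22400 comm="status.cgi" name="%s" dev=dm-0 ino=%d scontext='
      'unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext='
      'system_u:object_r:%s:s0 tclass=file')
SAMPLE = [_D % (s, "localtime", 651565, "root_t")
          for s in (110845, 110846, 110847)]
SAMPLE.append(_D % (110900, "example.dat", 700001, "example_data_t"))

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A row with likely_mislabel set is a candidate for the `ls -Z` check and `restorecon` fix given in the comments, before any policy change is considered.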
