Hide Forgot
Description of problem: ======================== Seeing AVC errors for Nagios setup on RHGS nodes based on RHEL6.8 Its a fresh setup and layered installation of RHGS 3.1.2 and Nagios. Nagios UI doesnot show any issues but on audit.log there are several AVC errors related to nagios. Version-Release number of selected component (if applicable): ============================================================= RHGS and Nagios version: 3.1.2 RHEL version :Red Hat Enterprise Linux Server release 6.8 Beta (Santiago) How reproducible: ================= easily Steps to Reproduce: ==================== 1.INstalled RHEL6.8 beta version. 2. registered to Live channels of RHGS and nagios 3.Installed RHGS (layered installation) 4. Installed nagios and configured it. 5. Seeing avc error in /var/log/audit/audit.log. Actual results: =============== Seeing avc error in /var/log/audit/audit.log. type=AVC msg=audit(1456969634.489:110847): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file Expected results: ================= Should not see any AVC errors Additional info: ==================== type=AVC msg=audit(1456969634.489:110830): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110831): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110832): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110833): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110834): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110835): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110836): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110837): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110838): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110839): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110840): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110841): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110842): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110843): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110844): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110845): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110846): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1456969634.489:110847): avc: denied { read } for pid=22400 comm="status.cgi" name="localtime" dev=dm-0 ino=651565 scontext=unconfined_u:system_r:httpd_nagios_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
What does # ls -Z /etc/localtime system_u:object_r:locale_t:s0 /etc/localtime show you? It looks there is a mislabeling issue.
output: [root@dhcp35-14 ~]# ls -Z /etc/localtime -rw-r--r--. root root system_u:object_r:root_t:s0 /etc/localtime [root@dhcp35-14 ~]#
restorecon /etc/localtime should fix this. although you might have a badly mislabeled system. restorecon -R -v /etc Or you might need to touch /.autorelabel; reboot