Bug 1592594 - nagios spool files in wrong location by default, causing SELinux violations
Summary: nagios spool files in wrong location by default, causing SELinux violations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios
Version: epel7
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Stephen John Smoogen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-18 23:49 UTC by Kenyon Ralph
Modified: 2019-02-02 00:39 UTC (History)
CC: 12 users

Fixed In Version: nagios-4.4.3-1.fc28 nagios-4.4.3-1.fc29 nagios-4.4.3-1.el6 nagios-4.4.3-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-30 01:32:03 UTC



Description Kenyon Ralph 2018-06-18 23:49:06 UTC
Description of problem:
In the default /etc/nagios/nagios.cfg of nagios-4.3.4-5.el7, status_file and state_retention_file are stored in /var/log/nagios. However, their SELinux context is nagios_spool_t as created by nagios, so an httpd running on the nagios server is prevented from getattr and read on these files. Changing nagios.cfg to store status.dat and retention.dat in /var/spool/nagios instead of /var/log/nagios fixes the problem.

Version-Release number of selected component (if applicable):

nagios-4.3.4-5.el7

How reproducible:

always

Steps to Reproduce:
1. Install and enable nagios and httpd.
2. Access /nagios on that host with a web browser.
3. Observe SELinux violations.

Actual results:

SELinux violations.

Expected results:

No SELinux violations.

Additional info:

The only other reference I can find of this problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=1519581#c4

sealert output:


found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/log/nagios/retention.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/log/nagios/retention.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/retention.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the retention.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nagios_spool_t:s0
Target Objects                /var/log/nagios/retention.dat [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          vms-snmp.testdev.local
Source RPM Packages           httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vms-snmp.testdev.local
Platform                      Linux vms-snmp.testdev.local
                              3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23
                              18:54:16 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-06-18 21:56:25 UTC
Last Seen                     2018-06-18 22:05:36 UTC
Local ID                      38270e2c-6826-425c-8725-5d5cf8c4f62f

Raw Audit Messages
type=AVC msg=audit(1529359536.546:565): avc:  denied  { getattr } for  pid=3646 comm="httpd" path="/var/log/nagios/retention.dat" dev="dm-3" ino=2099541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1529359536.546:565): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffd4327a480 a1=7ffd4327a370 a2=7ffd4327a370 a3=1d items=1 ppid=3645 pid=3646 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=lstat AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529359536.546:565): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529359536.546:565): item=0 name=/var/log/nagios/retention.dat inode=2099541 dev=fd:03 mode=0100600 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL OUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from read access on the file /var/log/nagios/status.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/log/nagios/status.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/status.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed read access on the status.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nagios_spool_t:s0
Target Objects                /var/log/nagios/status.dat [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          vms-snmp.testdev.local
Source RPM Packages           httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vms-snmp.testdev.local
Platform                      Linux vms-snmp.testdev.local
                              3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23
                              18:54:16 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-06-18 21:56:25 UTC
Last Seen                     2018-06-18 21:56:25 UTC
Local ID                      889b864d-9a4e-468e-8066-2b3cd30e1632

Raw Audit Messages
type=AVC msg=audit(1529358985.92:482): avc:  denied  { read } for  pid=1641 comm="httpd" name="status.dat" dev="dm-3" ino=2099527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1529358985.92:482): arch=x86_64 syscall=open success=no exit=EACCES a0=7fe6739ffb70 a1=0 a2=1b6 a3=676f6c2f7261762f items=1 ppid=1595 pid=1641 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=open AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529358985.92:482): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529358985.92:482): item=0 name=/var/log/nagios/status.dat inode=2099527 dev=fd:03 mode=0100664 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL OUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,read
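
The report above boils down to a path/label mismatch: nagios creates status.dat and retention.dat with nagios_spool_t, but under /var/log/nagios the policy default is nagios_log_t, so httpd_t can read neither the file nagios wrote nor the one restorecon would produce once nagios rewrites it. The script below is an added example, not code from the bug report or the nagios package: it audits a nagios.cfg for spool-type files configured under /var/log/nagios and rewrites them to /var/spool/nagios, following the reporter's workaround. It assumes only the two directives named in the AVC records (status_file and state_retention_file) are spool-labelled, uses a constructed config excerpt rather than the real EPEL file, and the live-host label check relies on GNU stat and matchpathcon from libselinux-utils.

```shell
#!/bin/sh
# Added example (not from the bug report or the nagios package): audit a
# nagios.cfg for spool-type files configured under /var/log/nagios and
# rewrite them to /var/spool/nagios, following the reporter's workaround.
# Assumption: only status_file and state_retention_file are treated as
# spool-labelled (the two files in the AVC records); the excerpt below is
# constructed for this example and is not the real EPEL config.

SPOOL_DIR=/var/spool/nagios
SPOOL_DIRECTIVES="status_file state_retention_file"

# Constructed excerpt modelled on the pre-fix default (paths from the report).
SAMPLE_CFG='# nagios.cfg excerpt (constructed for this example)
log_file=/var/log/nagios/nagios.log
object_cache_file=/var/log/nagios/objects.cache
status_file=/var/log/nagios/status.dat
state_retention_file=/var/log/nagios/retention.dat
check_result_path=/var/spool/nagios/checkresults'

# cfg_get FILE DIRECTIVE: print the (last) value of DIRECTIVE, empty if unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_cfg FILE: one line per spool directive, "NAME PATH OK|MISPLACED|MISSING".
# Returns 1 if any spool-labelled file is configured outside $SPOOL_DIR.
audit_cfg() {
    rc=0
    for d in $SPOOL_DIRECTIVES; do
        p=$(cfg_get "$1" "$d")
        case "$p" in
            "$SPOOL_DIR"/*) echo "$d $p OK" ;;
            "")             echo "$d - MISSING"; rc=1 ;;
            *)              echo "$d $p MISPLACED"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_cfg FILE: point every misplaced spool directive at $SPOOL_DIR/<basename>.
# Comments and all other directives are left untouched.
fix_cfg() {
    for d in $SPOOL_DIRECTIVES; do
        p=$(cfg_get "$1" "$d")
        case "$p" in
            "$SPOOL_DIR"/*|"") ;;
            *)
                new="$SPOOL_DIR/$(basename "$p")"
                sed "s|^\([[:space:]]*$d[[:space:]]*=\).*|\1$new|" "$1" > "$1.tmp" \
                    && mv "$1.tmp" "$1"
                ;;
        esac
    done
}

# label_check FILE: on a live SELinux host, compare the file's current type
# with the type policy assigns to its path (what restorecon would set).
# Needs GNU stat and matchpathcon (libselinux-utils); returns 2 if unavailable.
label_check() {
    [ -e "$1" ] || { echo "$1: no such file"; return 2; }
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not found"; return 2; }
    cur=$(stat -c %C "$1" | cut -d: -f3)
    exp=$(matchpathcon -n "$1" | cut -d: -f3)
    if [ "$cur" = "$exp" ]; then
        echo "$1: $cur (matches policy default)"
    else
        echo "$1: labelled $cur, policy default is $exp"
        return 1
    fi
}

# Demo on a temporary copy of the constructed excerpt; nothing on the host changes.
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CFG" > "$demo_cfg"
echo "before:"; audit_cfg "$demo_cfg" || true
fix_cfg "$demo_cfg"
echo "after:";  audit_cfg "$demo_cfg" || true
rm -f "$demo_cfg"
```

On an affected host, `audit_cfg /etc/nagios/nagios.cfg` flags the two directives and `label_check /var/log/nagios/status.dat` shows the nagios_spool_t versus nagios_log_t disagreement that sealert reports. The restorecon suggestion in the sealert output only relabels the file as it exists now; since nagios recreates these files with nagios_spool_t, as the report notes, moving the paths into /var/spool/nagios (where that type is the default) is the durable fix. Restart nagios after changing the config so it writes to the new location.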

Comment 1 Stephen John Smoogen 2018-06-19 01:01:06 UTC
Is this with the nagios-selinux module installed?

Comment 2 Kenyon Ralph 2018-06-19 02:32:26 UTC
(In reply to Stephen John Smoogen from comment #1)
> Is this with the nagios-selinux module installed?

Yes, these SELinux violations happen with the nagios-selinux package installed. (BTW, seems like nagios-selinux should be a dependency of nagios.)

Comment 3 Stephen John Smoogen 2018-06-19 02:45:46 UTC
Thanks, I just need to make sure what I screwed up when.

Comment 4 Stephen John Smoogen 2018-07-25 00:24:27 UTC
I am going to attempt a fix in the version which will occur in testing this week. It may need to be backed out/removed.

Comment 5 Fedora Update System 2018-11-30 19:58:37 UTC
nagios-4.4.2-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f

Comment 6 Fedora Update System 2018-11-30 20:52:15 UTC
nagios-4.4.2-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2

Comment 7 Fedora Update System 2018-11-30 21:03:50 UTC
nagios-4.4.2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75

Comment 8 Fedora Update System 2018-11-30 21:38:11 UTC
nagios-4.4.2-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70

Comment 9 Fedora Update System 2018-12-01 01:38:43 UTC
nagios-4.4.2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75

Comment 10 Fedora Update System 2018-12-01 01:55:13 UTC
nagios-4.4.2-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f

Comment 11 Fedora Update System 2018-12-01 02:03:58 UTC
nagios-4.4.2-3.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70

Comment 12 Fedora Update System 2018-12-01 02:43:51 UTC
nagios-4.4.2-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2

Comment 13 Fedora Update System 2019-01-17 00:14:47 UTC
nagios-4.4.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2

Comment 14 Fedora Update System 2019-01-17 00:25:27 UTC
nagios-4.4.3-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b

Comment 15 Fedora Update System 2019-01-17 00:43:08 UTC
nagios-4.4.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c

Comment 16 Fedora Update System 2019-01-17 00:55:24 UTC
nagios-4.4.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1

Comment 17 Fedora Update System 2019-01-18 01:00:30 UTC
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2

Comment 18 Fedora Update System 2019-01-18 01:31:53 UTC
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b

Comment 19 Fedora Update System 2019-01-18 03:05:00 UTC
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1

Comment 20 Fedora Update System 2019-01-18 03:36:19 UTC
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c

Comment 21 Fedora Update System 2019-01-30 01:32:03 UTC
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2019-01-30 02:06:45 UTC
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2019-02-02 00:36:28 UTC
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2019-02-02 00:39:27 UTC
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

