Description of problem:
In the default /etc/nagios/nagios.cfg of nagios-4.3.4-5.el7, status_file and state_retention_file are stored in /var/log/nagios. However, their SELinux context is nagios_spool_t as created by nagios, so an httpd running on the nagios server is prevented from getattr and read on these files. Changing nagios.cfg to store status.dat and retention.dat in /var/spool/nagios instead of /var/log/nagios fixes the problem.

Version-Release number of selected component (if applicable):
nagios-4.3.4-5.el7

How reproducible:
always

Steps to Reproduce:
1. Install and enable nagios and httpd.
2. Access /nagios on that host with a web browser.
3. Observe SELinux violations.

Actual results:
SELinux violations.

Expected results:
No SELinux violations.

Additional info:
The only other reference I can find of this problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=1519581#c4

sealert output:

found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/log/nagios/retention.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/log/nagios/retention.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/retention.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the retention.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context          system_u:system_r:httpd_t:s0
Target Context          system_u:object_r:nagios_spool_t:s0
Target Objects          /var/log/nagios/retention.dat [ file ]
Source                  httpd
Source Path             /usr/sbin/httpd
Port                    <Unknown>
Host                    vms-snmp.testdev.local
Source RPM Packages     httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages
Policy RPM              selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Host Name               vms-snmp.testdev.local
Platform                Linux vms-snmp.testdev.local 3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23 18:54:16 UTC 2018 x86_64 x86_64
Alert Count             6
First Seen              2018-06-18 21:56:25 UTC
Last Seen               2018-06-18 22:05:36 UTC
Local ID                38270e2c-6826-425c-8725-5d5cf8c4f62f

Raw Audit Messages
type=AVC msg=audit(1529359536.546:565): avc: denied { getattr } for pid=3646 comm="httpd" path="/var/log/nagios/retention.dat" dev="dm-3" ino=2099541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1529359536.546:565): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffd4327a480 a1=7ffd4327a370 a2=7ffd4327a370 a3=1d items=1 ppid=3645 pid=3646 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
ARCH=x86_64 SYSCALL=lstat AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529359536.546:565): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529359536.546:565): item=0 name=/var/log/nagios/retention.dat inode=2099541 dev=fd:03 mode=0100600 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL
OUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from read access on the file /var/log/nagios/status.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/log/nagios/status.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/status.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed read access on the status.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context          system_u:system_r:httpd_t:s0
Target Context          system_u:object_r:nagios_spool_t:s0
Target Objects          /var/log/nagios/status.dat [ file ]
Source                  httpd
Source Path             /usr/sbin/httpd
Port                    <Unknown>
Host                    vms-snmp.testdev.local
Source RPM Packages     httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages
Policy RPM              selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Host Name               vms-snmp.testdev.local
Platform                Linux vms-snmp.testdev.local 3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23 18:54:16 UTC 2018 x86_64 x86_64
Alert Count             1
First Seen              2018-06-18 21:56:25 UTC
Last Seen               2018-06-18 21:56:25 UTC
Local ID                889b864d-9a4e-468e-8066-2b3cd30e1632

Raw Audit Messages
type=AVC msg=audit(1529358985.92:482): avc: denied { read } for pid=1641 comm="httpd" name="status.dat" dev="dm-3" ino=2099527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1529358985.92:482): arch=x86_64 syscall=open success=no exit=EACCES a0=7fe6739ffb70 a1=0 a2=1b6 a3=676f6c2f7261762f items=1 ppid=1595 pid=1641 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
ARCH=x86_64 SYSCALL=open AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529358985.92:482): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529358985.92:482): item=0 name=/var/log/nagios/status.dat inode=2099527 dev=fd:03 mode=0100664 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL
OUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,read
Is this with the nagios-selinux module installed?
(In reply to Stephen John Smoogen from comment #1)
> Is this with the nagios-selinux module installed?

Yes, these SELinux violations happen with the nagios-selinux package installed. (BTW, seems like nagios-selinux should be a dependency of nagios.)
Thanks I just need to make sure what I screwed up when.
I am going to attempt a fix in the version which will occur in testing this week. It may need to be backed out or removed.
nagios-4.4.2-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f
nagios-4.4.2-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2
nagios-4.4.2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75
nagios-4.4.2-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70
nagios-4.4.2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75
nagios-4.4.2-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f
nagios-4.4.2-3.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70
nagios-4.4.2-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2
nagios-4.4.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2
nagios-4.4.3-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b
nagios-4.4.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c
nagios-4.4.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
We still see AVC denials:

--------------------------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/retention.dat.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the retention.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context          system_u:system_r:httpd_t:s0
Target Context          system_u:object_r:nagios_spool_t:s0
Target Objects          /var/spool/nagios/retention.dat [ file ]
Source                  httpd
Source Path             /usr/sbin/httpd
Port                    <Unknown>
Host                    turing.sd.spawar.navy.mil
Source RPM Packages     httpd-2.4.35-5.el7.x86_64
Target RPM Packages
Policy RPM              selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Host Name               turing.sd.spawar.navy.mil
Platform                Linux turing.sd.spawar.navy.mil 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64
Alert Count             35
First Seen              2021-05-03 08:13:43 PDT
Last Seen               2021-05-11 13:29:17 PDT
Local ID                c83a0c23-0bc2-43e0-8397-dfdeb638ac6e

Raw Audit Messages
type=AVC msg=audit(1620764957.972:772390): avc: denied { getattr } for pid=14532 comm="httpd" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=67600807 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1620764957.972:772390): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffef1328960 a1=7ffef1328850 a2=7ffef1328850 a3=1f items=1 ppid=5599 pid=14532 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1620764957.972:772390): cwd=/usr/share/nagios/html

type=PATH msg=audit(1620764957.972:772390): item=0 name=/var/spool/nagios/retention.dat inode=67600807 dev=fd:03 mode=0100600 ouid=7347 ogid=980 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,nagios_spool_t,file,getattr

--------------------------------------------------------------------------------------------------

Confirming what the AVC denial shows, there is no getattr permission for httpd_t on nagios_spool_t, but that permission exists for nagios_log_t:

--------------------------------------------------------------------------------------------------
# sesearch -A -d -s httpd_t -t nagios_spool_t -p getattr -c file
<nothing returned>

# sesearch -A -d -s httpd_t -t nagios_log_t -p getattr -c file
Found 1 semantic av rules:
   allow httpd_t nagios_log_t : file { ioctl read getattr lock open } ;
--------------------------------------------------------------------------------------------------

I believe the original fix was mistaken: instead of updating /etc/nagios/nagios.cfg to store status_file and state_retention_file in /var/spool/nagios, the original location of /var/log/nagios should have been maintained and instead the contexts restored on the user's system, from nagios_spool_t to the default nagios_log_t.
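Added example, not part of this bug report and not code from the nagios or selinux-policy projects: a small POSIX shell helper that takes type=AVC records like the ones quoted in the original description and in the comment above and separates the two situations the thread runs into. In the first (the description), the files under /var/log/nagios carry nagios_spool_t while the file-context policy says nagios_log_t, so sealert's restorecon plugin fires and relabeling is the fix. In the second (the comment above), the file under /var/spool/nagios is correctly labeled nagios_spool_t and the denial is a policy gap, which is what the empty sesearch result confirms. The expected_type table is an assumption built from the report's two hints (nagios_log_t for /var/log/nagios, nagios_spool_t for /var/spool/nagios); on a live host you would replace it with `matchpathcon <path>` and the sesearch query from the comment. The three records are copied from the report; the fourth is constructed to exercise a path the table does not cover.

```shell
#!/bin/sh
# Added example: classify AVC denials on the nagios status/retention files as
# a labeling problem (fix with restorecon) or a policy gap (no allow rule).

# Assumed default labels, taken from the report's sealert hint and comment.
# Not authoritative: use `matchpathcon <path>` on a real host instead.
expected_type() {
    case "$1" in
        /var/log/nagios/*)   echo nagios_log_t ;;
        /var/spool/nagios/*) echo nagios_spool_t ;;
        *)                   echo unknown ;;
    esac
}

# Print "comm permission path target_type" for one type=AVC record.
# A record may carry path="..." (absolute) or only name="..." (basename).
parse_avc() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ {
            perm = ""; comm = ""; path = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{")                        perm  = $(i + 1)
                else if ($i ~ /^comm=/)               comm  = $i
                else if ($i ~ /^path=/)               path  = $i
                else if ($i ~ /^name=/ && path == "") path  = $i
                else if ($i ~ /^tcontext=/)           ttype = $i
            }
            sub(/^comm="/, "", comm);         sub(/"$/, "", comm)
            sub(/^(path|name)="/, "", path);  sub(/"$/, "", path)
            sub(/^tcontext=/, "", ttype)
            split(ttype, c, ":"); ttype = c[3]   # user:role:TYPE:level
            print comm, perm, path, ttype
        }'
}

# classify_avc RECORD DIR: DIR is the directory the file lives in and is only
# used when the record carries a bare name= instead of an absolute path=.
classify_avc() {
    set -- $(parse_avc "$1") "$2"
    comm=$1; perm=$2; path=$3; ttype=$4; dir=$5
    case "$path" in /*) ;; *) path="$dir/$path" ;; esac
    want=$(expected_type "$path")
    if [ "$want" = unknown ]; then
        printf 'UNKNOWN %s (%s): path not covered by the label table\n' "$path" "$ttype"
    elif [ "$ttype" != "$want" ]; then
        printf 'MISLABELED %s is %s, default is %s; fix: restorecon -v %s\n' \
            "$path" "$ttype" "$want" "$path"
    else
        printf 'POLICY_GAP %s denied %s on %s (%s): label is correct, no allow rule; report or local module\n' \
            "$comm" "$perm" "$path" "$ttype"
    fi
}

# Records copied from the bug report (AVC1-AVC3); AVC4 is constructed.
AVC1='type=AVC msg=audit(1529359536.546:565): avc: denied { getattr } for pid=3646 comm="httpd" path="/var/log/nagios/retention.dat" dev="dm-3" ino=2099541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file'
AVC2='type=AVC msg=audit(1529358985.92:482): avc: denied { read } for pid=1641 comm="httpd" name="status.dat" dev="dm-3" ino=2099527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file'
AVC3='type=AVC msg=audit(1620764957.972:772390): avc: denied { getattr } for pid=14532 comm="httpd" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=67600807 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0'
AVC4='type=AVC msg=audit(1600000000.000:1): avc: denied { read } for pid=1 comm="httpd" path="/srv/other/example.dat" dev="dm-3" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

classify_avc "$AVC1" /var/log/nagios
classify_avc "$AVC2" /var/log/nagios
classify_avc "$AVC3" /var/spool/nagios
classify_avc "$AVC4" /srv/other
```

The distinction matters for what you do next: a MISLABELED result is resolved with restorecon (or `restorecon -R` on the directory) and needs no policy change, while a POLICY_GAP result means a local module or a policy bug report is the only way forward, as the comment above concludes. Audit lines with only name= lose the directory, which is why the caller supplies it; the matching type=PATH record in the same event carries the full path when you have it.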