Bug 1592594 - nagios spool files in wrong location by default, causing SELinux violations
Summary: nagios spool files in wrong location by default, causing SELinux violations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios
Version: epel7
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Stephen John Smoogen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-18 23:49 UTC by Kenyon Ralph
Modified: 2021-05-11 21:54 UTC (History)
13 users (show)

Fixed In Version: nagios-4.4.3-1.fc28 nagios-4.4.3-1.fc29 nagios-4.4.3-1.el6 nagios-4.4.3-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-30 01:32:03 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Kenyon Ralph 2018-06-18 23:49:06 UTC 
Description of problem:
In the default /etc/nagios/nagios.cfg of nagios-4.3.4-5.el7, status_file and state_retention_file are stored in /var/log/nagios. However, their SELinux context is nagios_spool_t as created by nagios, so an httpd running on the nagios server is prevented from getattr and read on these files. Changing nagios.cfg to store status.dat and retention.dat in /var/spool/nagios instead of /var/log/nagios fixes the problem.

Version-Release number of selected component (if applicable):

nagios-4.3.4-5.el7

How reproducible:

always

Steps to Reproduce:
1. Install and enable nagios and httpd.
2. Access /nagios on that host with a web browser.
3. Observe SELinux violations.

Actual results:

SELinux violations.

Expected results:

No SELinux violations.

Additional info:

The only other reference I can find of this problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=1519581#c4

sealert output:


found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/log/nagios/retention.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/log/nagios/retention.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/retention.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the retention.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nagios_spool_t:s0
Target Objects                /var/log/nagios/retention.dat [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          vms-snmp.testdev.local
Source RPM Packages           httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vms-snmp.testdev.local
Platform                      Linux vms-snmp.testdev.local
                              3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23
                              18:54:16 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-06-18 21:56:25 UTC
Last Seen                     2018-06-18 22:05:36 UTC
Local ID                      38270e2c-6826-425c-8725-5d5cf8c4f62f

Raw Audit Messages
type=AVC msg=audit(1529359536.546:565): avc:  denied  { getattr } for  pid=3646 comm="httpd" path="/var/log/nagios/retention.dat" dev="dm-3" ino=2099541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1529359536.546:565): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffd4327a480 a1=7ffd4327a370 a2=7ffd4327a370 a3=1d items=1 ppid=3645 pid=3646 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529359536.546:565): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529359536.546:565): item=0 name=/var/log/nagios/retention.dat inode=2099541 dev=fd:03 mode=0100600 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMALOUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from read access on the file /var/log/nagios/status.dat.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/log/nagios/status.dat default label should be nagios_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/nagios/status.dat

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed read access on the status.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nagios_spool_t:s0
Target Objects                /var/log/nagios/status.dat [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          vms-snmp.testdev.local
Source RPM Packages           httpd-2.4.6-67.el7_4.6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vms-snmp.testdev.local
Platform                      Linux vms-snmp.testdev.local
                              3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23
                              18:54:16 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-06-18 21:56:25 UTC
Last Seen                     2018-06-18 21:56:25 UTC
Local ID                      889b864d-9a4e-468e-8066-2b3cd30e1632

Raw Audit Messages
type=AVC msg=audit(1529358985.92:482): avc:  denied  { read } for  pid=1641 comm="httpd" name="status.dat" dev="dm-3" ino=2099527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1529358985.92:482): arch=x86_64 syscall=open success=no exit=EACCES a0=7fe6739ffb70 a1=0 a2=1b6 a3=676f6c2f7261762f items=1 ppid=1595 pid=1641 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=open AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

type=CWD msg=audit(1529358985.92:482): cwd=/usr/share/nagios/html

type=PATH msg=audit(1529358985.92:482): item=0 name=/var/log/nagios/status.dat inode=2099527 dev=fd:03 mode=0100664 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMALOUID=nagios OGID=nagios

Hash: httpd,httpd_t,nagios_spool_t,file,read
Comment 1 Stephen John Smoogen 2018-06-19 01:01:06 UTC 
Is this with the nagios-selinux module installed?
Comment 2 Kenyon Ralph 2018-06-19 02:32:26 UTC 
(In reply to Stephen John Smoogen from comment #1)
> Is this with the nagios-selinux module installed?

Yes, these SELinux violations happen with the nagios-selinux package installed. (BTW, seems like nagios-selinux should be a dependency of nagios.)
Comment 3 Stephen John Smoogen 2018-06-19 02:45:46 UTC 
Thanks I just need to make sure what I screwed up when.
Comment 4 Stephen John Smoogen 2018-07-25 00:24:27 UTC 
I am going to attempt a fix in the version which will occur in testing this week. It may need to be backedout removed.
Comment 5 Fedora Update System 2018-11-30 19:58:37 UTC 
nagios-4.4.2-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f
Comment 6 Fedora Update System 2018-11-30 20:52:15 UTC 
nagios-4.4.2-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2
Comment 7 Fedora Update System 2018-11-30 21:03:50 UTC 
nagios-4.4.2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75
Comment 8 Fedora Update System 2018-11-30 21:38:11 UTC 
nagios-4.4.2-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70
Comment 9 Fedora Update System 2018-12-01 01:38:43 UTC 
nagios-4.4.2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70fe6a4d75
Comment 10 Fedora Update System 2018-12-01 01:55:13 UTC 
nagios-4.4.2-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-0346a55d0f
Comment 11 Fedora Update System 2018-12-01 02:03:58 UTC 
nagios-4.4.2-3.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-61fe7c6e70
Comment 12 Fedora Update System 2018-12-01 02:43:51 UTC 
nagios-4.4.2-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42555731d2
Comment 13 Fedora Update System 2019-01-17 00:14:47 UTC 
nagios-4.4.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2
Comment 14 Fedora Update System 2019-01-17 00:25:27 UTC 
nagios-4.4.3-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b
Comment 15 Fedora Update System 2019-01-17 00:43:08 UTC 
nagios-4.4.3-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c
Comment 16 Fedora Update System 2019-01-17 00:55:24 UTC 
nagios-4.4.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1
Comment 17 Fedora Update System 2019-01-18 01:00:30 UTC 
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d661b588d2
Comment 18 Fedora Update System 2019-01-18 01:31:53 UTC 
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-17b388679b
Comment 19 Fedora Update System 2019-01-18 03:05:00 UTC 
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0b44528ff1
Comment 20 Fedora Update System 2019-01-18 03:36:19 UTC 
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-376ecc221c
Comment 21 Fedora Update System 2019-01-30 01:32:03 UTC 
nagios-4.4.3-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2019-01-30 02:06:45 UTC 
nagios-4.4.3-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2019-02-02 00:36:28 UTC 
nagios-4.4.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2019-02-02 00:39:27 UTC 
nagios-4.4.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 25 Daniel Arevalo 2021-05-11 21:54:44 UTC 
We still see AVC denials: 

--------------------------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/retention.dat.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the retention.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nagios_spool_t:s0
Target Objects                /var/spool/nagios/retention.dat [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          turing.sd.spawar.navy.mil
Source RPM Packages           httpd-2.4.35-5.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     turing.sd.spawar.navy.mil
Platform                      Linux turing.sd.spawar.navy.mil
                              3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28
                              21:49:45 UTC 2021 x86_64 x86_64
Alert Count                   35
First Seen                    2021-05-03 08:13:43 PDT
Last Seen                     2021-05-11 13:29:17 PDT
Local ID                      c83a0c23-0bc2-43e0-8397-dfdeb638ac6e

Raw Audit Messages
type=AVC msg=audit(1620764957.972:772390): avc:  denied  { getattr } for  pid=14532 comm="httpd" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=67600807 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1620764957.972:772390): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffef1328960 a1=7ffef1328850 a2=7ffef1328850 a3=1f items=1 ppid=5599 pid=14532 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1620764957.972:772390): cwd=/usr/share/nagios/html

type=PATH msg=audit(1620764957.972:772390): item=0 name=/var/spool/nagios/retention.dat inode=67600807 dev=fd:03 mode=0100600 ouid=7347 ogid=980 rdev=00:00 obj=system_u:object_r:nagios_spool_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,nagios_spool_t,file,getattr
--------------------------------------------------------------------------------------------------

Confirming what the AVC denial shows, there is no getattr permission for httpd_t on nagios_spool_t, but that permission exists for nagios_log_t:

--------------------------------------------------------------------------------------------------
# sesearch -A -d -s httpd_t -t nagios_spool_t -p getattr -c file
<nothing returned>

# sesearch -A -d -s httpd_t -t nagios_log_t -p getattr -c file
Found 1 semantic av rules:
   allow httpd_t nagios_log_t : file { ioctl read getattr lock open } ;

--------------------------------------------------------------------------------------------------

I believe the original fix was mistaken: instead updating /etc/nagios/nagios.cfg to store status_file and state_retention_file in /var/spool/nagios, the original location of /var/log/nagios should have been maintained and instead the contexts restored on the user's system, from nagios_spool_t to the default nagios_log_t.
Note You need to log in before you can comment on or make changes to this bug.