Description of problem:
Opened http://localhost/nagios

SELinux is preventing statusjson.cgi from 'map' accesses on the file /etc/nagios/cgi.cfg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that statusjson.cgi should be allowed map access on the cgi.cfg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'statusjson.cgi' --raw | audit2allow -M my-statusjsoncgi
# semodule -X 300 -i my-statusjsoncgi.pp

Additional Information:
Source Context                system_u:system_r:nagios_script_t:s0
Target Context                system_u:object_r:nagios_etc_t:s0
Target Objects                /etc/nagios/cgi.cfg [ file ]
Source                        statusjson.cgi
Source Path                   statusjson.cgi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.16-300.fc28.x86_64 #1 SMP Sun Jun 17 03:02:42 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-06-21 08:33:49 PDT
Last Seen                     2018-06-21 08:34:58 PDT
Local ID                      33cf84e2-b516-4ab1-aba2-b8d748260c62

Raw Audit Messages
type=AVC msg=audit(1529595298.353:588): avc: denied { map } for pid=26643 comm="status.cgi" path="/etc/nagios/cgi.cfg" dev="dm-1" ino=405638 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file permissive=0

Hash: statusjson.cgi,nagios_script_t,nagios_etc_t,file,map

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.16-300.fc28.x86_64
type:           libreport
This occurred just after upgrading from Fedora 26->28.
There ended up being two messages:

type=AVC msg=audit(1529595229.745:559): avc: denied { map } for pid=26265 comm="statusjson.cgi" path="/etc/nagios/cgi.cfg" dev="dm-1" ino=405638 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529596325.052:734): avc: denied { map } for pid=29813 comm="statusjson.cgi" path="/var/log/nagios/objects.cache" dev="dm-5" ino=262199 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file permissive=0

The following module seems to have resolved it:

module nagios-statusjsoncgi 1.0;

require {
        type nagios_log_t;
        type nagios_script_t;
        type nagios_etc_t;
        class file map;
}

#============= nagios_script_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_script_t nagios_etc_t:file map;
allow nagios_script_t nagios_log_t:file map;
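
How the two denials above map onto the module's allow rules, as an added example that is not part of the original report or of audit2allow: a small Python parser that reads AVC records, takes the type field from the source and target contexts, and merges permissions per (source type, target type, class). The function names are assumptions made for this example, and the sample input is the two records quoted in the comment above.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the comment above.
SAMPLE = """\
type=AVC msg=audit(1529595229.745:559): avc: denied { map } for pid=26265 comm="statusjson.cgi" path="/etc/nagios/cgi.cfg" dev="dm-1" ino=405638 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529596325.052:734): avc: denied { map } for pid=29813 comm="statusjson.cgi" path="/var/log/nagios/objects.cache" dev="dm-5" ino=262199 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: do not guess the missing fields
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """user:role:type:level -> type (third field), or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def allow_rules(log_text):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        if src and tgt:
            merged[(src, tgt, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```
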
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.