Bug 2111155 - Loading Nagios Web UI throws php-fpm SELinux denials
Summary: Loading Nagios Web UI throws php-fpm SELinux denials
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios
Version: epel8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Guido Aulisi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-26 15:37 UTC by INVADE International Ltd.
Modified: 2022-07-26 15:37 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description INVADE International Ltd. 2022-07-26 15:37:39 UTC
Description of problem:

Loading Nagios Web UI throws SELinux denials:

type=AVC msg=audit(1658848784.443:50090): avc:  denied  { getattr } for  pid=3449803 comm="php-fpm" path="/var/spool/nagios/status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50091): avc:  denied  { read } for  pid=3449803 comm="php-fpm" name="status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50092): avc:  denied  { getattr } for  pid=3449803 comm="php-fpm" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=16811712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0 


Version-Release number of selected component (if applicable):

nagios-4.4.6-4.el8.x86_64
nagios-common-4.4.6-4.el8.x86_64
nagios-plugins-2.3.3-5.el8.x86_64
nagios-plugins-by_ssh-2.3.3-5.el8.x86_64
nagios-plugins-disk-2.3.3-5.el8.x86_64
nagios-plugins-dummy-2.3.3-5.el8.x86_64
nagios-plugins-http-2.3.3-5.el8.x86_64
nagios-plugins-load-2.3.3-5.el8.x86_64
nagios-plugins-ping-2.3.3-5.el8.x86_64
nagios-plugins-procs-2.3.3-5.el8.x86_64
nagios-plugins-ssh-2.3.3-5.el8.x86_64
nagios-plugins-swap-2.3.3-5.el8.x86_64
nagios-plugins-users-2.3.3-5.el8.x86_64
nagios-selinux-4.4.6-4.el8.x86_64


How reproducible:

Always.


Steps to Reproduce:
1. Load Nagios Web UI.


Actual results:

SELinux denials.


Expected results:

No SELinux denials.


Additional info:

ls -alZ /var/spool/nagios/retention.dat
-rw-------. 1 nagios nagios system_u:object_r:nagios_spool_t:s0 1148998 Jul 26 16:03 /var/spool/nagios/retention.dat

ls -alZ /var/spool/nagios/status.dat 
-rw-rw-r--. 1 nagios nagios system_u:object_r:nagios_spool_t:s0 1146584 Jul 26 16:30 /var/spool/nagios/status.dat

ps -efZ | grep php-fpm
system_u:system_r:httpd_t:s0    root     3449800       1  0 15:50 ?        00:00:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:httpd_t:s0    apache   3449801 3449800  0 15:50 ?        00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0    apache   3449802 3449800  0 15:50 ?        00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0    apache   3449803 3449800  0 15:50 ?        00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0    apache   3449804 3449800  0 15:50 ?        00:00:00 php-fpm: pool www
system_u:system_r:httpd_t:s0    apache   3449805 3449800  0 15:50 ?        00:00:00 php-fpm: pool www

ls -alZ /usr/sbin/php-fpm
-rwxr-xr-x. 1 root root system_u:object_r:httpd_exec_t:s0 5027152 May 30  2021 /usr/sbin/php-fpm

ls -alZ /usr/lib64/nagios/cgi-bin/
total 5572
drwxrwxr-x. 2 root root system_u:object_r:nagios_script_exec_t:s0   4096 Jul 26 15:56 .
drwxr-xr-x. 4 root root system_u:object_r:lib_t:s0                    36 Mar  7  2021 ..
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 358288 Mar  7  2021 archivejson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 331488 Mar  7  2021 avail.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 318872 Mar  7  2021 cmd.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 290432 Mar  7  2021 config.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 339632 Mar  7  2021 extinfo.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 286424 Mar  7  2021 histogram.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261816 Mar  7  2021 history.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261808 Mar  7  2021 notifications.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 355984 Mar  7  2021 objectjson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 253576 Mar  7  2021 outages.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 257680 Mar  7  2021 showlog.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 343736 Mar  7  2021 status.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 354128 Mar  7  2021 statusjson.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 282312 Mar  7  2021 statusmap.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 278200 Mar  7  2021 statuswml.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 261808 Mar  7  2021 statuswrl.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 286432 Mar  7  2021 summary.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 274152 Mar  7  2021 tac.cgi
-rwxrwxr-x. 1 root root system_u:object_r:nagios_script_exec_t:s0 294624 Mar  7  2021 trends.cgi

sesearch -A -s nagios_script_t -t nagios_spool_t -c file -p read
allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };

sesearch -A -s nagios_script_t -t nagios_spool_t -c file -p getattr
allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };

Please let me know if you need anything else.
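
A read-only triage of the denials in this report, added here as an example that is not part of the original report or of the nagios package: it groups the AVC records by command, source type and target type, then checks them against the allow rule printed by sesearch. The function names are assumptions of this example; the log lines and the rule are copied from the report.

```python
import re
from collections import defaultdict

# The AVC records and the sesearch rule are copied from the report above.
AUDIT_LOG = '''\
type=AVC msg=audit(1658848784.443:50090): avc:  denied  { getattr } for  pid=3449803 comm="php-fpm" path="/var/spool/nagios/status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50091): avc:  denied  { read } for  pid=3449803 comm="php-fpm" name="status.dat" dev="dm-3" ino=16811714 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1658848784.443:50092): avc:  denied  { getattr } for  pid=3449803 comm="php-fpm" path="/var/spool/nagios/retention.dat" dev="dm-3" ino=16811712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file permissive=0
'''
SESEARCH_OUT = "allow nagios_script_t nagios_spool_t:file { getattr ioctl lock map open read };"

CTX = r"[^:\s]+:[^:\s]+:(?P<%s>[^:\s]+):\S+"  # user:role:TYPE:level
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)".*?'
    r"scontext=" + CTX % "src" + r"\s+tcontext=" + CTX % "tgt" + r"\s+tclass=(?P<cls>\w+)")
ALLOW_RE = re.compile(r"allow (\w+) (\w+):(\w+) (?:\{([^}]+)\}|(\w+));")

def parse_denials(log):
    """Group denied permissions by (comm, source type, target type, class)."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(log):
        grouped[(m["comm"], m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(grouped)

def parse_allow(text):
    """Map (source type, target type, class) to the permissions sesearch lists."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def triage(log, sesearch_out):
    """For each denied access, report what the known allow rules do and do not cover."""
    rules = parse_allow(sesearch_out)
    findings = []
    for (comm, src, tgt, cls), perms in sorted(parse_denials(log).items()):
        findings.append({
            "comm": comm, "source": src, "target": tgt, "class": cls,
            "denied": sorted(perms),
            "missing": sorted(perms - rules.get((src, tgt, cls), set())),
            # Domains whose rule already grants every denied permission.
            "allowed_domains": sorted(s for (s, t, c), p in rules.items()
                                      if (t, c) == (tgt, cls) and perms <= p),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(AUDIT_LOG, SESEARCH_OUT):
        print(finding)
```

On the report's data this yields a single finding: php-fpm in httpd_t lacks getattr and read on nagios_spool_t files, while nagios_script_t already holds both.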

