Bug 250431 - selinux blocking access to nagios cgi folder
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-01 11:58 EDT by Matthias Kloth
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:07:57 EDT


Description Matthias Kloth 2007-08-01 11:58:40 EDT
Description of problem:
nagios can't access cgi's in /usr/lib/nagios/cgi which leads to Internal Server
error.

Version-Release number of selected component (if applicable):
nagios 2.9-1.fc7
nagios-plugins 1.4.8-1.fc7
selinux-policy 2.6.4-26.fc7


How reproducible:
every time.

Steps to Reproduce:
1. install nagios
2. open web interface
3. select some monitoring site

disable selinux and everything works as expected

Actual results:
error message Internal Server Error

Expected results:
show some monitoring information

Additional info:
Comment 1 Daniel Walsh 2007-08-01 16:29:22 EDT
The file must be mislabeled in that directory

restorecon -R -v /var/lib/nagios 

should fix the context, and make this work

I will fix the default contexts of files in that directory, to get created
correctly.

selinux-policy-2.6.4-31
Comment 2 Matthias Kloth 2007-08-02 03:37:10 EDT
Unfortunately the relabeling with "restorecon -R -v /var/lib/nagios" did not work.
Comment 3 Matthias Kloth 2007-08-02 03:42:48 EDT
I tried the following things:

1. trigger events
2. save Nagios AVC Messages in separate File (nagios.log)
3. audit2allow -m nagios -l -i /var/log/audit/nagios.log > nagios.te
4. checkmodule -M -m -o nagios.mod nagios.te
5. semodule -i nagios.pp

After doing this no server error occurred, but "Error: Could not read object
configuration data!". After disabling SELinux everything works fine again.
Comment 4 Daniel Walsh 2007-08-02 15:21:42 EDT
Please attach your audit.log 
Comment 5 Matthias Kloth 2007-08-02 17:55:38 EDT
audit log after triggering some nagios cgi action:

type=SYSCALL msg=audit(1186091013.610:1245): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2975 pid=20724 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091103.615:1246): avc:  denied  { search } for  pid=20749
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091103.615:1246): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2976 pid=20749 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091193.619:1247): avc:  denied  { search } for  pid=20759
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091193.619:1247): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2978 pid=20759 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091283.624:1248): avc:  denied  { search } for  pid=20769
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091283.624:1248): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2979 pid=20769 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091373.629:1249): avc:  denied  { search } for  pid=20796
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091373.629:1249): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2972 pid=20796 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
[root@MyTux cgi-bin]# tail /var/log/audit/audit.log
type=AVC msg=audit(1186091458.134:1267): avc:  denied  { search } for  pid=20836
comm="history.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091458.134:1267): arch=40000003 syscall=5 success=no
exit=-13 a0=80677c0 a1=8000 a2=0 a3=8000 items=0 ppid=2974 pid=20836 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="history.cgi" exe="/usr/lib/nagios/cgi-bin/history.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091459.134:1268): avc:  denied  { search } for  pid=20837
comm="summary.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091459.134:1268): arch=40000003 syscall=5 success=no
exit=-13 a0=806b880 a1=8000 a2=0 a3=8000 items=0 ppid=2977 pid=20837 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="summary.cgi" exe="/usr/lib/nagios/cgi-bin/summary.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091459.634:1269): avc:  denied  { search } for  pid=20838
comm="notifications.c" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091459.634:1269): arch=40000003 syscall=5 success=no
exit=-13 a0=80669c0 a1=8000 a2=0 a3=8000 items=0 ppid=2975 pid=20838 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="notifications.c" exe="/usr/lib/nagios/cgi-bin/notifications.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091460.134:1270): avc:  denied  { search } for  pid=20839
comm="showlog.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091460.134:1270): arch=40000003 syscall=5 success=no
exit=-13 a0=8065560 a1=8000 a2=0 a3=8000 items=0 ppid=2976 pid=20839 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="showlog.cgi" exe="/usr/lib/nagios/cgi-bin/showlog.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186091461.134:1271): avc:  denied  { search } for  pid=20840
comm="config.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091461.134:1271): arch=40000003 syscall=5 success=no
exit=-13 a0=8069440 a1=8000 a2=0 a3=8000 items=0 ppid=2978 pid=20840 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="config.cgi" exe="/usr/lib/nagios/cgi-bin/config.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
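
An added example (not part of the original bug comments or of the selinux-policy project): the Python sketch below re-joins the wrapped audit records as they were posted in Comment 5 and collapses the AVC denials into distinct (source type, target type, class, permissions) tuples, rendered in allow-rule syntax. The function names are illustrative; the sample records are copied from Comment 5.

```python
import re
from collections import Counter

# Sample input: records copied from Comment 5, wrapped as in the post.
SAMPLE = """\
type=AVC msg=audit(1186091103.615:1246): avc:  denied  { search } for  pid=20749
comm="extinfo.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
type=SYSCALL msg=audit(1186091103.615:1246): arch=40000003 syscall=5 success=no
exit=-13 a0=8078860 a1=8000 a2=0 a3=8000 items=0 ppid=2976 pid=20749 auid=500
comm="extinfo.cgi" exe="/usr/lib/nagios/cgi-bin/extinfo.cgi"
subj=user_u:system_r:httpd_t:s0 key=(null)
[root@MyTux cgi-bin]# tail /var/log/audit/audit.log
type=AVC msg=audit(1186091458.134:1267): avc:  denied  { search } for  pid=20836
comm="history.cgi" name="nagios" dev=dm-0 ino=2480657
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0
tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)")

def join_records(text):
    """Re-join wrapped lines: a record starts at 'type=' and runs to the next one."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("type="):
            records.append(line)
        elif records and line and not line.startswith("["):  # skip shell prompts
            records[-1] += " " + line
    return records

def summarize(text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if m:  # SYSCALL and other record types do not match
            stype, ttype = m["s"].split(":")[2], m["t"].split(":")[2]  # user:role:type:level
            counts[(stype, ttype, m["cls"], tuple(sorted(m["perms"].split())))] += 1
    return counts

def as_allow_rules(counts):
    """Render each distinct denial in the allow-rule form used in a .te file."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c, p) in sorted(counts)]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

Every AVC record in the posted log has the same source type, target type, class and permission, so the whole log reduces to a single tuple: httpd_t denied search on a nagios_log_t directory.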
Comment 6 Daniel Walsh 2007-08-06 19:19:33 EDT
Should be fixed in selinux-policy-2.6.4-34
Comment 7 Daniel Walsh 2007-09-12 13:07:57 EDT
Moving modified bugs to closed
