Bug 431841 - nagios avc denials
nagios avc denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All All
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-07 04:38 EST by Jaroslav Franek
Modified: 2008-02-21 13:18 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-21 13:18:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
nagios policy file contexts vs actual security context (30.17 KB, text/plain)
2008-02-19 14:14 EST, Jaroslav Franek
no flags Details
SELinux reports on denials (2.01 KB, application/x-gzip)
2008-02-19 14:16 EST, Jaroslav Franek
no flags Details

  None (edit)
Description Jaroslav Franek 2008-02-07 04:38:29 EST
Detected SElinux denials after fresh install and use of nagios in Fedora 8 and
Fedora 7. This seems to be related to the following bug already fixed at RHEL5:

+++ This bug was initially created as a clone of Bug #266341 +++

Description of problem:
An installation of nagios from EPEL-5 generates avc denials.  The first is due
to a bad file path:

# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ --      system_u:object_r:nagios_cgi_exec_t:s0
[...]

This should be:

/usr/lib(64)?/nagios/cgi-bin/.+ --

The second is a failure for nagios command cgi to schedule commands with the
nagios external command interface because the cgi is unable to write
/var/spool/nagios/cmd/nagios.cmd.  This can be fixed with the following rules:

allow nagios_cgi_t var_spool_t:dir search;
allow nagios_cgi_t var_spool_t:fifo_file { getattr write };

Using a custom 'nagios_spool_t' might be more secure because it would prevent
nagios from reading anything else in /var/spool/...

-- Additional comment from dwalsh@redhat.com on 2007-09-01 07:26 EST --
Fixed in selinux-policy-2.4.6-88.el5.src.rpm



-- Additional comment from pm-rhel@redhat.com on 2008-01-30 14:15 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 1 Jaroslav Franek 2008-02-19 14:14:58 EST
Created attachment 295321 [details]
nagios policy file contexts vs actual security context
Comment 2 Jaroslav Franek 2008-02-19 14:16:12 EST
Created attachment 295322 [details]
SELinux reports on denials
Comment 3 Jaroslav Franek 2008-02-19 14:17:45 EST
Adding the state after (almost) fresh nagios install (please see the attachment
nagios_info.f8.txt)
# cat /etc/selinux/targeted/contexts/files/file_contexts | grep nagios
# rpm -qa | grep sel
# rpm -qa | grep nagios
# rpm -ql nagios | xargs ls -alZ

There are few strange points:
1) The file context 
/usr/bin/nagios --      system_u:object_r:nagios_exec_t:s0
does not refer to a valid file as nagios is installed in /usr/sbin/nagios.

2) There is however /usr/bin/nagiostats for which there is no nagios-specific
labeling defined, I am not sure whether it is needed or not.

3) I am not sure whether /usr/sbin/p1.pl deserves nagios security context or not.

4) Despite having the rule
/usr/lib(64)?/cgi-bin/nagios(/.+)?     
system_u:object_r:httpd_nagios_script_exec_t:s0
the all cgi scripts and the cgi-bin directory itself have the security context
system_u:object_r:lib_t:s0
which actually triggers the AVC denials.

Please see the attachment nagios_avc_denials.fc8.tar.gz (please note that the
policy has been upgraded to the latest since the time the denials were detected,
therefore nagios_info.f8.txt refers to the newer policy).

Note that the issue was duplicated on the latest Fedora 7 (i686) with exactly
the same symptoms.
Comment 4 Jaroslav Franek 2008-02-19 15:02:20 EST
Oh, sorry for spamming, I just noticed the reason why 4) in comment #3 does not
work. It is not cgi-bin/nagios but nagios/cgi-bin, the same as with the original
Bug #266341 I thought already fixed. So pointing to
/usr/lib(64)?/cgi-bin/nagios(/.+)? in my previous comment is wrong. We need a
new rule created for /usr/lib(64)?/nagios/cgi-bin
Comment 5 Daniel Walsh 2008-02-19 15:24:42 EST
Fixed in selinux-policy-3.0.8-87.fc8
Comment 6 Jaroslav Franek 2008-02-21 12:47:10 EST
Tested selinux-policy-3.0.8-87.fc8 and a fresh install of nagios. The fix works
fine for me. Thanks.

Note You need to log in before you can comment on or make changes to this bug.