Bug 431841 - nagios avc denials
Summary: nagios avc denials
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 8
Hardware: All All
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2008-02-07 09:38 UTC by Jaroslav Franek
Modified: 2008-02-21 18:18 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-21 18:18:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
nagios policy file contexts vs actual security context (30.17 KB, text/plain)
2008-02-19 19:14 UTC, Jaroslav Franek
no flags Details
SELinux reports on denials (2.01 KB, application/x-gzip)
2008-02-19 19:16 UTC, Jaroslav Franek
no flags Details

Description Jaroslav Franek 2008-02-07 09:38:29 UTC
Detected SElinux denials after fresh install and use of nagios in Fedora 8 and
Fedora 7. This seems to be related to the following bug already fixed at RHEL5:

+++ This bug was initially created as a clone of Bug #266341 +++

Description of problem:
An installation of nagios from EPEL-5 generates avc denials.  The first is due
to a bad file path:

# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ --      system_u:object_r:nagios_cgi_exec_t:s0

This should be:

/usr/lib(64)?/nagios/cgi-bin/.+ --

The second is a failure for nagios command cgi to schedule commands with the
nagios external command interface because the cgi is unable to write
/var/spool/nagios/cmd/nagios.cmd.  This can be fixed with the following rules:

allow nagios_cgi_t var_spool_t:dir search;
allow nagios_cgi_t var_spool_t:fifo_file { getattr write };

Using a custom 'nagios_spool_t' might be more secure because it would prevent
nagios from reading anything else in /var/spool/...

-- Additional comment from dwalsh@redhat.com on 2007-09-01 07:26 EST --
Fixed in selinux-policy-2.4.6-88.el5.src.rpm

-- Additional comment from pm-rhel@redhat.com on 2008-01-30 14:15 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 1 Jaroslav Franek 2008-02-19 19:14:58 UTC
Created attachment 295321 [details]
nagios policy file contexts vs actual security context

Comment 2 Jaroslav Franek 2008-02-19 19:16:12 UTC
Created attachment 295322 [details]
SELinux reports on denials

Comment 3 Jaroslav Franek 2008-02-19 19:17:45 UTC
Adding the state after (almost) fresh nagios install (please see the attachment
# cat /etc/selinux/targeted/contexts/files/file_contexts | grep nagios
# rpm -qa | grep sel
# rpm -qa | grep nagios
# rpm -ql nagios | xargs ls -alZ

There are few strange points:
1) The file context 
/usr/bin/nagios --      system_u:object_r:nagios_exec_t:s0
does not refer to a valid file as nagios is installed in /usr/sbin/nagios.

2) There is however /usr/bin/nagiostats for which there is no nagios-specific
labeling defined, I am not sure whether it is needed or not.

3) I am not sure whether /usr/sbin/p1.pl deserves nagios security context or not.

4) Despite having the rule
the all cgi scripts and the cgi-bin directory itself have the security context
which actually triggers the AVC denials.

Please see the attachment nagios_avc_denials.fc8.tar.gz (please note that the
policy has been upgraded to the latest since the time the denials were detected,
therefore nagios_info.f8.txt refers to the newer policy).

Note that the issue was duplicated on the latest Fedora 7 (i686) with exactly
the same symptoms.

Comment 4 Jaroslav Franek 2008-02-19 20:02:20 UTC
Oh, sorry for spamming, I just noticed the reason why 4) in comment #3 does not
work. It is not cgi-bin/nagios but nagios/cgi-bin, the same as with the original
Bug #266341 I thought already fixed. So pointing to
/usr/lib(64)?/cgi-bin/nagios(/.+)? in my previous comment is wrong. We need a
new rule created for /usr/lib(64)?/nagios/cgi-bin

Comment 5 Daniel Walsh 2008-02-19 20:24:42 UTC
Fixed in selinux-policy-3.0.8-87.fc8

Comment 6 Jaroslav Franek 2008-02-21 17:47:10 UTC
Tested selinux-policy-3.0.8-87.fc8 and a fresh install of nagios. The fix works
fine for me. Thanks.

Note You need to log in before you can comment on or make changes to this bug.