Detected SELinux denials after fresh install and use of nagios in Fedora 8 and Fedora 7. This seems to be related to the following bug already fixed at RHEL5:

+++ This bug was initially created as a clone of Bug #266341 +++

Description of problem:
An installation of nagios from EPEL-5 generates avc denials.

The first is due to a bad file path:

# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
[...]

This should be:

/usr/lib(64)?/nagios/cgi-bin/.+ --

The second is a failure for nagios command cgi to schedule commands with the nagios external command interface because the cgi is unable to write /var/spool/nagios/cmd/nagios.cmd. This can be fixed with the following rules:

allow nagios_cgi_t var_spool_t:dir search;
allow nagios_cgi_t var_spool_t:fifo_file { getattr write };

Using a custom 'nagios_spool_t' might be more secure because it would prevent nagios from reading anything else in /var/spool/...

-- Additional comment from dwalsh on 2007-09-01 07:26 EST --

Fixed in selinux-policy-2.4.6-88.el5.src.rpm

-- Additional comment from pm-rhel on 2008-01-30 14:15 EST --

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 295321: nagios policy file contexts vs actual security context
Created attachment 295322: SELinux reports on denials
Adding the state after (almost) fresh nagios install (please see the attachment nagios_info.f8.txt):

# cat /etc/selinux/targeted/contexts/files/file_contexts | grep nagios
# rpm -qa | grep sel
# rpm -qa | grep nagios
# rpm -ql nagios | xargs ls -alZ

There are a few strange points:

1) The file context
   /usr/bin/nagios -- system_u:object_r:nagios_exec_t:s0
   does not refer to a valid file, as nagios is installed in /usr/sbin/nagios.
2) There is however /usr/bin/nagiostats, for which there is no nagios-specific labeling defined; I am not sure whether it is needed or not.
3) I am not sure whether /usr/sbin/p1.pl deserves nagios security context or not.
4) Despite having the rule
   /usr/lib(64)?/cgi-bin/nagios(/.+)? system_u:object_r:httpd_nagios_script_exec_t:s0
   all the cgi scripts and the cgi-bin directory itself have the security context system_u:object_r:lib_t:s0, which actually triggers the AVC denials.

Please see the attachment nagios_avc_denials.fc8.tar.gz (please note that the policy has been upgraded to the latest since the time the denials were detected, therefore nagios_info.f8.txt refers to the newer policy).

Note that the issue was duplicated on the latest Fedora 7 (i686) with exactly the same symptoms.
Oh, sorry for spamming, I just noticed the reason why 4) in comment #3 does not work. It is not cgi-bin/nagios but nagios/cgi-bin, the same as with the original Bug #266341, which I thought was already fixed. So pointing to /usr/lib(64)?/cgi-bin/nagios(/.+)? in my previous comment is wrong. We need a new rule created for /usr/lib(64)?/nagios/cgi-bin
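The root cause in both the original bug description and comment #4 is the same: a file_contexts regex that never matches the path the package actually installs, so the CGIs fall through to the generic lib_t label and every httpd access to them is denied. The script below is an added illustration, not code from this bug or from the Fedora policy: it parses a constructed file_contexts excerpt the way libselinux does (each regex anchored with ^ and $, an optional file-type field such as `--` for regular files, last matching entry wins) and compares the result against a constructed `ls -Z`-style snapshot of the installed files. The lib_t catch-all entry and the on-disk labels are my assumptions, and the corrected `/usr/lib(64)?/nagios/cgi-bin(/.+)?` entry is my own rendering of the "new rule" comment #4 asks for, not the line that shipped in selinux-policy-3.0.8-87.fc8. On a real system the same check is `matchpathcon -V` or `restorecon -n -v` on the files in question.

```python
import re
from typing import NamedTuple, Optional


class Spec(NamedTuple):
    """One file_contexts entry: anchored regex, optional file type, context."""
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # None = any type; '-' regular file, 'd' directory, ...
    context: str


def parse_file_contexts(text: str) -> list[Spec]:
    """Parse lines of the form `<regex> [-<type>] <context>`.

    The regex is wrapped in ^...$ before compiling, which is what libselinux
    does, so a pattern only matches the *whole* path."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, type_field, context = fields
            ftype = type_field[1]           # '--' -> '-', '-d' -> 'd'
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype, context))
    return specs


def match_path(specs: list[Spec], path: str, ftype: str = "-") -> Optional[str]:
    """Context the policy assigns to `path` of file type `ftype`.

    When several entries match, the last one in the file takes precedence,
    which is the documented file_contexts rule (and why file_contexts.local
    can override the distribution policy)."""
    winner = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            winner = spec.context
    return winner


def find_mislabels(specs: list[Spec], actual: dict) -> list:
    """actual: {path: (ftype, current context)} as `ls -Z` would report.

    Returns [(path, current, expected)] for every file whose on-disk label
    differs from what the policy says, i.e. what `restorecon -n -v` reports."""
    out = []
    for path, (ftype, current) in sorted(actual.items()):
        expected = match_path(specs, path, ftype)
        if expected is not None and expected != current:
            out.append((path, current, expected))
    return out


# Constructed excerpt: the two nagios entries quoted in this bug plus an
# assumed lib_t catch-all for /usr/lib, in the order a policy would list them.
BROKEN_FILE_CONTEXTS = """\
/usr/lib(64)?(/.*)?                 system_u:object_r:lib_t:s0
/usr/lib(64)?/nagios/cgi/.+     --  system_u:object_r:nagios_cgi_exec_t:s0
/usr/lib(64)?/cgi-bin/nagios(/.+)?  system_u:object_r:httpd_nagios_script_exec_t:s0
"""

# Assumed fix: the path nagios really installs to (comment #4), appended so
# that it wins over the catch-all.
FIXED_FILE_CONTEXTS = BROKEN_FILE_CONTEXTS + """\
/usr/lib(64)?/nagios/cgi-bin(/.+)?  system_u:object_r:httpd_nagios_script_exec_t:s0
"""

# Constructed snapshot of what comment #3 describes: everything under
# cgi-bin carries lib_t.
ON_DISK = {
    "/usr/lib64/nagios/cgi-bin":            ("d", "system_u:object_r:lib_t:s0"),
    "/usr/lib64/nagios/cgi-bin/status.cgi": ("-", "system_u:object_r:lib_t:s0"),
    "/usr/lib64/nagios/cgi-bin/cmd.cgi":    ("-", "system_u:object_r:lib_t:s0"),
    "/usr/lib64/nagios/plugins/check_ping": ("-", "system_u:object_r:lib_t:s0"),
}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_FILE_CONTEXTS), ("fixed", FIXED_FILE_CONTEXTS)):
        print(f"[{name} policy] files restorecon would relabel:")
        for path, cur, exp in find_mislabels(parse_file_contexts(text), ON_DISK):
            print(f"  {path}: {cur} -> {exp}")
```

The useful point for triage is the first report: with the broken policy `find_mislabels` returns nothing, because lib_t is exactly what the policy computes for `/usr/lib64/nagios/cgi-bin/status.cgi`. A silent `restorecon -n -v` therefore does not mean the labels are right; it means the file_contexts entry itself has to be corrected (or a local one added) before relabeling can help.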
Fixed in selinux-policy-3.0.8-87.fc8
Tested selinux-policy-3.0.8-87.fc8 and a fresh install of nagios. The fix works fine for me. Thanks.