810212 – Package pnp4nagios doesn't log, and says permission denied

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 810212 - Package pnp4nagios doesn't log, and says permission denied

Summary: Package pnp4nagios doesn't log, and says permission denied

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	6.4
Assignee:	Lukas Vrabec
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-05 11:18 UTC by Geert Booster
Modified:	2014-10-27 22:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-27 22:58:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Geert Booster 2012-04-05 11:18:09 UTC

Description of problem: After installing the package, the package won't work. When I enable debug logging in process_perfdata.cfg, it seems to not log any info to /var/log/pnp4nagios/perfdata.log

When I'm looking in the config code, I see /var/log/pnp4nagios//perfdata.log. Why is the double slash needed? (//) When I change this to /var/log/pnp4nagios/perfdata.log, the debug logging seems to work.

The debug logging is telling me it can't create directories in /var/lib/pnp4nagios/ (/var/lib/pnp4nagios//localhost, again the double slash), but the ownerships for /var/lib/pnp4nagios are ok: nagios:nagios; Even with mode 777 it still logs permission denied.

Version-Release number of selected component (if applicable): pnp4nagios-0.6.16-1.el6.x86_64


How reproducible: Install package, enable debug log, etc.


Steps to Reproduce:
1. yum install pnp4nagios
2. configure nagios for using pnp4nagios
3. edit process_perfdata.cfg to enable debug logging
4. watch if the process creates /var/log/pnp4nagios/perfdata.log

  
Actual results:

No logging

Expected results:

Logging 

Additional info:

Comment 1 Geert Booster 2012-04-05 11:20:43 UTC

By the way: Used CentOS 6.2.

Comment 2 Jan ONDREJ 2012-04-05 11:32:16 UTC

Even if I can fix these doble slashes, in Linux double slashes should be ignored. For example try this:

  touch //tmp///test

Will /tmp/test exist?

Do you have some other security enhancements like selinux or apparmour?

Comment 3 Geert Booster 2012-04-05 11:42:44 UTC

I am aware of the ignores of //, so I was thinking about selinux too after submitting this bug.

Tested it with disabled selinux, works indeed.

Still, it seems weird to me, that it does create /var/log/pnp4nagios/perfdata.log when using /var/log/pnp4nagios/perfdata.log in LOG_FILE instead of //perfdata.log.

So, the feature request is to make pnp4nagios selinux ready?

Comment 4 Jan ONDREJ 2012-04-05 11:50:03 UTC

Am I undestand properly, that with selinux disabled this is not a bug?

Can you try this build, if it's better?
  http://koji.fedoraproject.org/koji/buildinfo?buildID=311795

Comment 5 Geert Booster 2012-04-05 11:56:57 UTC

Without selinux, everything is working fine. 
Shall I try the new build with selinux in enforcing mode? Or are we sure that we need to specify selinux rules to let pnp4nagios work?

Comment 6 Jan ONDREJ 2012-04-05 18:22:08 UTC

(In reply to comment #5)
> Without selinux, everything is working fine. 
> Shall I try the new build with selinux in enforcing mode?

Yes, sure. This build fixes double slash paths only.

> Or are we sure that we need to specify selinux rules to let pnp4nagios work?

If this update will not work, we can try to change component of this bug to selinux-policy-targeted.

Comment 7 Geert Booster 2012-04-11 11:25:32 UTC

(In reply to comment #6)
> (In reply to comment #5)
> > Or are we sure that we need to specify selinux rules to let pnp4nagios work?
> 
> If this update will not work, we can try to change component of this bug to
> selinux-policy-targeted.

Tried the new build, double slashes are indeed fixed, but in selinux enforcing mode, it look likes the system doesn't write any rrd files. Not fully sure, but I can't rebuild my environment to reproduce it on this system, and I don't actually have a virtual dev/test machine with CentOS 6 in my own lab. 

I will test it again in my lab environment when possible, but I think we can change this bug to a feature request, to fix selinux-policy-targeted rules, or to document this pnp4nagios version doesn't work really well with selinux in enforcing mode.

Comment 8 Jan ONDREJ 2013-07-03 06:45:12 UTC

If you consider that this is a selinux-policy bug, please change product to RHEL6 and component to selinux-policy.

Comment 9 Geert Booster 2013-07-12 10:01:14 UTC

Can't find selinux-policy in the RHEL6 list, I'm sorry

Comment 11 Miroslav Grepl 2013-07-16 13:09:13 UTC

Yes, we need to add a support for pnp4nagios. Could you attach AVC msgs which you are getting? And also

# ps -efZ |grep initrc

Comment 13 Geert Booster 2014-10-08 05:58:33 UTC

I am sorry, I didn't reproduce the problem in 2013, because we did choose to turn selinux off on this backend machine. 

I am not sure if pnp4nagios support is implemented yet, but it is a bit difficult for me to reproduce this setup...

Note You need to log in before you can comment on or make changes to this bug.