Red Hat Bugzilla – Bug 810212
Package pnp4nagios doesn't log, and says permission denied
Last modified: 2014-10-27 18:58:43 EDT
Description of problem: After installing the package, the package won't work. When I enable debug logging in process_perfdata.cfg, it seems to not log any info to /var/log/pnp4nagios/perfdata.log
When I'm looking in the config code, I see /var/log/pnp4nagios//perfdata.log. Why is the double slash needed? (//) When I change this to /var/log/pnp4nagios/perfdata.log, the debug logging seems to work.
The debug logging is telling me it can't create directories in /var/lib/pnp4nagios/ (/var/lib/pnp4nagios//localhost, again the double slash), but the ownerships for /var/lib/pnp4nagios are OK: nagios:nagios. Even with mode 777 it still logs permission denied.
Version-Release number of selected component (if applicable): pnp4nagios-0.6.16-1.el6.x86_64
How reproducible: Install package, enable debug log, etc.
Steps to Reproduce:
1. yum install pnp4nagios
2. configure nagios for using pnp4nagios
3. edit process_perfdata.cfg to enable debug logging
4. watch if the process creates /var/log/pnp4nagios/perfdata.log
By the way: Used CentOS 6.2.
Even if I can fix these double slashes, in Linux double slashes should be ignored. For example try this:
Will /tmp/test exist?
Do you have some other security enhancements like SELinux or AppArmor?
I am aware of the ignores of //, so I was thinking about selinux too after submitting this bug.
Tested it with disabled selinux, works indeed.
Still, it seems weird to me, that it does create /var/log/pnp4nagios/perfdata.log when using /var/log/pnp4nagios/perfdata.log in LOG_FILE instead of //perfdata.log.
So, the feature request is to make pnp4nagios selinux ready?
Do I understand properly that with selinux disabled this is not a bug?
Can you try this build, if it's better?
Without selinux, everything is working fine.
Shall I try the new build with selinux in enforcing mode? Or are we sure that we need to specify selinux rules to let pnp4nagios work?
(In reply to comment #5)
> Without selinux, everything is working fine.
> Shall I try the new build with selinux in enforcing mode?
Yes, sure. This build fixes double slash paths only.
> Or are we sure that we need to specify selinux rules to let pnp4nagios work?
If this update will not work, we can try to change component of this bug to selinux-policy-targeted.
(In reply to comment #6)
> (In reply to comment #5)
> > Or are we sure that we need to specify selinux rules to let pnp4nagios work?
> If this update will not work, we can try to change component of this bug to
Tried the new build, double slashes are indeed fixed, but in selinux enforcing mode, it looks like the system doesn't write any rrd files. Not fully sure, but I can't rebuild my environment to reproduce it on this system, and I don't actually have a virtual dev/test machine with CentOS 6 in my own lab.
I will test it again in my lab environment when possible, but I think we can change this bug to a feature request, to fix selinux-policy-targeted rules, or to document this pnp4nagios version doesn't work really well with selinux in enforcing mode.
If you consider that this is a selinux-policy bug, please change product to RHEL6 and component to selinux-policy.
Can't find selinux-policy in the RHEL6 list, I'm sorry
Yes, we need to add support for pnp4nagios. Could you attach the AVC msgs which you are getting? And also
# ps -efZ |grep initrc
I am sorry, I didn't reproduce the problem in 2013, because we did choose to turn selinux off on this backend machine.
I am not sure if pnp4nagios support is implemented yet, but it is a bit difficult for me to reproduce this setup...
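The AVC messages requested in the thread are the audit records that show which SELinux source type was denied which permission on which target object, which is what a policy fix needs. An added example (not part of the bug report or of pnp4nagios) that parses such records and summarizes the denials for one process; the sample log lines, the SELinux types in them and the `process_perfdat` comm value are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not from the bug report); the SELinux
# types, PIDs, inode numbers and timestamps are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333700000.101:210): avc:  denied  { create } for  pid=2101 comm="process_perfdat" name="localhost" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1333700000.205:211): avc:  denied  { append } for  pid=2101 comm="process_perfdat" name="perfdata.log" dev=dm-0 ino=131 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1333700000.205:211): arch=c000003e syscall=2 success=no exit=-13 comm="process_perfdat"
type=AVC msg=audit(1333700060.300:215): avc:  denied  { create } for  pid=2140 comm="process_perfdat" name="localhost" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1333700090.000:220): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # Context format is user:role:type:level; the type is what policy rules use.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text, comm_prefix):
    """Count distinct denials for processes whose comm starts with comm_prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm", "").startswith(comm_prefix):
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"],
                        rec["tclass"], perm, rec.get("name", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm, name), n in summarize(SAMPLE_AUDIT_LOG, "process_perf").items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} name={name}")
```

A denial that appears here while file ownership and mode look correct matches the symptom in the report: permission denied even with mode 777.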