Bug 810212 - Package pnp4nagios doesn't log, and says permission denied
Status: CLOSED DEFERRED
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
6.4
x86_64 Linux
unspecified Severity medium
: rc
: 6.4
Assigned To: Lukas Vrabec
BaseOS QE Security Team
Reported: 2012-04-05 07:18 EDT by Geert Booster
Modified: 2014-10-27 18:58 EDT
Doc Type: Bug Fix
Last Closed: 2014-10-27 18:58:43 EDT
Type: Bug
Description Geert Booster 2012-04-05 07:18:09 EDT
Description of problem: After installing the package, the package won't work. When I enable debug logging in process_perfdata.cfg, it seems to not log any info to /var/log/pnp4nagios/perfdata.log

When I'm looking in the config code, I see /var/log/pnp4nagios//perfdata.log. Why is the double slash needed? (//) When I change this to /var/log/pnp4nagios/perfdata.log, the debug logging seems to work.

The debug logging is telling me it can't create directories in /var/lib/pnp4nagios/ (/var/lib/pnp4nagios//localhost, again the double slash), but the ownerships for /var/lib/pnp4nagios are ok: nagios:nagios; Even with mode 777 it still logs permission denied.

Version-Release number of selected component (if applicable): pnp4nagios-0.6.16-1.el6.x86_64


How reproducible: Install package, enable debug log, etc.


Steps to Reproduce:
1. yum install pnp4nagios
2. configure nagios for using pnp4nagios
3. edit process_perfdata.cfg to enable debug logging
4. watch if the process creates /var/log/pnp4nagios/perfdata.log

  
Actual results:

No logging

Expected results:

Logging 

Additional info:
Comment 1 Geert Booster 2012-04-05 07:20:43 EDT
By the way: Used CentOS 6.2.
Comment 2 Jan ONDREJ 2012-04-05 07:32:16 EDT
Even if I can fix these double slashes, in Linux double slashes should be ignored. For example try this:

  touch //tmp///test

Will /tmp/test exist?

Do you have some other security enhancements like selinux or apparmor?
Comment 3 Geert Booster 2012-04-05 07:42:44 EDT
I am aware of the ignores of //, so I was thinking about selinux too after submitting this bug.

Tested it with disabled selinux, works indeed.

Still, it seems weird to me, that it does create /var/log/pnp4nagios/perfdata.log when using /var/log/pnp4nagios/perfdata.log in LOG_FILE instead of //perfdata.log.

So, the feature request is to make pnp4nagios selinux ready?
Comment 4 Jan ONDREJ 2012-04-05 07:50:03 EDT
Do I understand properly, that with selinux disabled this is not a bug?

Can you try this build, if it's better?
  http://koji.fedoraproject.org/koji/buildinfo?buildID=311795
Comment 5 Geert Booster 2012-04-05 07:56:57 EDT
Without selinux, everything is working fine. 
Shall I try the new build with selinux in enforcing mode? Or are we sure that we need to specify selinux rules to let pnp4nagios work?
Comment 6 Jan ONDREJ 2012-04-05 14:22:08 EDT
(In reply to comment #5)
> Without selinux, everything is working fine. 
> Shall I try the new build with selinux in enforcing mode?

Yes, sure. This build fixes double slash paths only.

> Or are we sure that we need to specify selinux rules to let pnp4nagios work?

If this update will not work, we can try to change component of this bug to selinux-policy-targeted.
Comment 7 Geert Booster 2012-04-11 07:25:32 EDT
(In reply to comment #6)
> (In reply to comment #5)
> > Or are we sure that we need to specify selinux rules to let pnp4nagios work?
> 
> If this update will not work, we can try to change component of this bug to
> selinux-policy-targeted.

Tried the new build, double slashes are indeed fixed, but in selinux enforcing mode, it looks like the system doesn't write any rrd files. Not fully sure, but I can't rebuild my environment to reproduce it on this system, and I don't actually have a virtual dev/test machine with CentOS 6 in my own lab. 

I will test it again in my lab environment when possible, but I think we can change this bug to a feature request, to fix selinux-policy-targeted rules, or to document this pnp4nagios version doesn't work really well with selinux in enforcing mode.
Comment 8 Jan ONDREJ 2013-07-03 02:45:12 EDT
If you consider that this is a selinux-policy bug, please change product to RHEL6 and component to selinux-policy.
Comment 9 Geert Booster 2013-07-12 06:01:14 EDT
Can't find selinux-policy in the RHEL6 list, I'm sorry
Comment 11 Miroslav Grepl 2013-07-16 09:09:13 EDT
Yes, we need to add support for pnp4nagios. Could you attach AVC msgs which you are getting? And also

# ps -efZ |grep initrc
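
One way to pull the AVC messages requested in comment 11 out of an audit log and group them by source type, target type and object class, which is the information a policy maintainer needs. This is an added example, not part of the bug report; the sample log lines, the SELinux types in them and the `summarize_denials` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the bug report). The kernel truncates
# "comm" to 15 characters, so process_perfdata.pl shows up as process_perfdat.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333624689.101:411): avc:  denied  { write } for  pid=2101 comm="process_perfdat" name="pnp4nagios" dev=dm-0 ino=1311 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1333624689.102:412): avc:  denied  { add_name } for  pid=2101 comm="process_perfdat" name="localhost" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1333624689.102:412): arch=c000003e syscall=83 success=no exit=-13 comm="process_perfdat"
type=AVC msg=audit(1333624701.330:419): avc:  denied  { append } for  pid=2107 comm="process_perfdat" name="perfdata.log" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1333624702.000:420): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)


def setype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text, comm_prefix="process_perfdat"):
    """Group denied permissions by (source type, target type, class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m and m.group("comm").startswith(comm_prefix):
            key = (setype(m.group("scon")), setype(m.group("tcon")),
                   m.group("tclass"))
            summary[key].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```

On a live system the input would be the contents of /var/log/audit/audit.log; a denial on a directory that is mode 777 is consistent with what the reporter saw, because SELinux checks apply in addition to file permissions.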
Comment 13 Geert Booster 2014-10-08 01:58:33 EDT
I am sorry, I didn't reproduce the problem in 2013, because we did choose to turn selinux off on this backend machine. 

I am not sure if pnp4nagios support is implemented yet, but it is a bit difficult for me to reproduce this setup...
