On Thu, 2007-08-30 at 12:00 -0400,
fedora-selinux-list-request(a)redhat.com wrote:
Today's Topics:
1. Re: Nagios Web Interface and SELinux (Michael Thomas)
----------------------------------------------------------------------
Message: 1
Date: Wed, 29 Aug 2007 15:37:18 -0700
From: Michael Thomas <wart(a)kobold.org>
Subject: Re: Nagios Web Interface and SELinux
To: Daniel J Walsh <dwalsh(a)redhat.com>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <46D5F51E.20206(a)kobold.org>
Content-Type: text/plain; charset=ISO-8859-1
Daniel J Walsh wrote:
> Ryan Skadberg wrote:
>> I have been trying to get nagios up and running on 2 different
>> machines. One running FC5 and one running FC6. Nagios itself starts
>> up fine, but the web interface fails miserably.
>>
>> When looking at /var/log/messages, I see things like:
>> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
>> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
>> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>
> Where is this file located? Looks like this needs a context like
> httpd_sys_content_t or httpd_sys_script_t.
>
>
> chcon -R -t httpd_sys_content_t PATH_TO_DIR
I just ran into the same problem on EPEL-5. It appears that the path
for the nagios cgi scripts is wrong in
/etc/selinux/targeted/contexts/files/file_contexts:
# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
[...]
This should be:
/usr/lib(64)?/nagios/cgi-bin/.+ --
--Wart
End of fedora-selinux-list Digest, Vol 42, Issue 32
***************************************************
Hi, I have installed Nagios on Fedora 6, and I have no problems with
SELinux there.
I can tell you the SELinux contexts for some of the needed files; it looks
like it works fine. I don't get audit messages.
1. /etc/nagios - system_u:object_r:nagios_etc_t
2. [anebi@asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r-- root root system_u:object_r:nagios_etc_t cgi.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t commands.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contactgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contacts.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hostgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hosts.cfg
-rw-r--r-- apache apache system_u:object_r:nagios_etc_t htpasswd.users
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t nagios.cfg
-rw-r--r-- nagios nagios system_u:object_r:nrpe_etc_t nrpe.cfg
drwxr-x--- root nagios system_u:object_r:nagios_etc_t private
drw-r--r-- nagios nagios system_u:object_r:nagios_etc_t sample
drwxr-xr-x nagios nagios system_u:object_r:nagios_etc_t services
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t timeperiods.cfg
3. [anebi@asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t /usr/share/nagios/
4. [anebi@asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t html
5. [anebi@asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x root root system_u:object_r:usr_t contexthelp
drwxr-xr-x root root system_u:object_r:usr_t docs
drwxr-xr-x root root system_u:object_r:usr_t images
-rw-r--r-- root root system_u:object_r:usr_t index.html
-rw-r--r-- root root system_u:object_r:usr_t main.html
drwxr-xr-x root root system_u:object_r:usr_t media
-rw-r--r-- root root system_u:object_r:usr_t robots.txt
-rw-r--r-- root root system_u:object_r:usr_t side.html
drwxr-xr-x root root system_u:object_r:usr_t ssi
drwxr-xr-x root root system_u:object_r:usr_t stylesheets
6. [anebi@asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t /usr/lib64/nagios/
7. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t cgi-bin
drwxr-xr-x root root system_u:object_r:bin_t plugins
8. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t avail.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t cmd.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t config.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t extinfo.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t histogram.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t history.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t notifications.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t outages.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t showlog.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t status.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statusmap.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswml.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswrl.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t summary.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t tac.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t trends.cgi
9. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x root root system_u:object_r:bin_t check_ackpoller
lrwxrwxrwx root root system_u:object_r:bin_t check_clamd -> check_tcp
-rwsr-x--- root nagios system_u:object_r:bin_t check_dhcp
-rwxr-xr-x root root system_u:object_r:bin_t check_disk
lrwxrwxrwx root root system_u:object_r:bin_t check_ftp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_http
-rwsr-xr-x root root system_u:object_r:bin_t check_ide_smart
lrwxrwxrwx root root system_u:object_r:bin_t check_imap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_jabber -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_linux_raid
-rwxr-xr-x root root system_u:object_r:bin_t check_load
-rwxr-xr-x root root system_u:object_r:bin_t check_nagios
lrwxrwxrwx root root system_u:object_r:bin_t check_nntp -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_nntps -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_nrpe
-rwxr-xr-x root root system_u:object_r:bin_t check_ping
lrwxrwxrwx root root system_u:object_r:bin_t check_pop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_sensors
lrwxrwxrwx root root system_u:object_r:bin_t check_simap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_spop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_ssh
lrwxrwxrwx root root system_u:object_r:bin_t check_ssmtp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_udp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_users
drwxr-xr-x root root system_u:object_r:bin_t eventhandlers
-rwxr-xr-x root root system_u:object_r:bin_t negate
-rwxr-xr-x root root system_u:object_r:bin_t notify_by_reliable
-rwxr-xr-x root root system_u:object_r:bin_t urlize
-rw-r--r-- root root system_u:object_r:bin_t utils.pm
-rwxr-xr-x root root system_u:object_r:bin_t utils.sh
10. [anebi@asgard ~]$ ls -Z /var/log/nagios/
drwxr-xr-x nagios nagios system_u:object_r:nagios_log_t archives
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t comments.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t downtime.dat
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t nagios.log
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t objects.cache
-rw------- nagios nagios system_u:object_r:nagios_log_t retention.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t status.dat
11. [anebi@asgard ~]$ ls -Z /var/run/nagios.pid
-rw-r--r-- nagios nagios system_u:object_r:initrc_var_run_t /var/run/nagios.pid
I'm not sure about this, I think I had messages for this.
Now our systems are running in permissive mode.
I hope that this info can help you.
Regards, Ali Nebi!
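
Added example, not part of the original messages: a simplified Python model of the file_contexts lookup discussed in this thread, showing why tac.cgi stays lib_t under the shipped cgi/ pattern and what the cgi-bin/ pattern would assign. The generic /usr/lib entry, the "last match wins" rule and the context on the corrected entry are assumptions; the function names are hypothetical.

```python
import re

# AVC record quoted in the thread, rejoined onto one line.
AVC = ('audit(1165174697.348:289): avc: denied { execute_no_trans } for '
       'pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 '
       'scontext=user_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')

# Entries are (pattern, file-type flag, context). GENERIC is an assumed fallback.
GENERIC = (r"/usr/lib(64)?(/.*)?", "", "system_u:object_r:lib_t:s0")
NAGIOS_CTX = "system_u:object_r:nagios_cgi_exec_t:s0"
SHIPPED = [GENERIC, (r"/usr/lib(64)?/nagios/cgi/.+", "--", NAGIOS_CTX)]
# Corrected path from the thread; reusing the same context is an assumption.
CORRECTED = [GENERIC, (r"/usr/lib(64)?/nagios/cgi-bin/.+", "--", NAGIOS_CTX)]

def parse_avc(record):
    """Split an AVC denial into its permission list and key=value fields."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    fields["perms"] = re.search(r"\{([^}]*)\}", record).group(1).split()
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def lookup(specs, path, regular_file=True):
    """Simplified file_contexts lookup: whole-path match, last match wins."""
    result = None
    for pattern, ftype, context in specs:
        if ftype == "--" and not regular_file:
            continue  # "--" limits the entry to regular files
        if re.fullmatch(pattern, path):
            result = context
    return result

def diagnose(record, path):
    """Compare the label in the denial with what each entry set would assign."""
    avc = parse_avc(record)
    return {
        "denied": avc["perms"],
        "source_type": selinux_type(avc["scontext"]),
        "label_on_disk": selinux_type(avc["tcontext"]),
        "label_from_shipped": selinux_type(lookup(SHIPPED, path)),
        "label_from_corrected": selinux_type(lookup(CORRECTED, path)),
    }

if __name__ == "__main__":
    for key, value in diagnose(AVC, "/usr/lib64/nagios/cgi-bin/tac.cgi").items():
        print(f"{key}: {value}")
```

On a real system the equivalent check is to compare `ls -Z` on the file with the context that `matchpathcon` reports for the same path, then relabel with `restorecon` once the entry is correct.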