Allowing httpd restart a service

Watts M.R. M.R.Watts at soton.ac.uk
Thu Jun 5 10:33:16 UTC 2014


I am currently trying to set up the ‘nconf’ package (http://www.nconf.org/dokuwiki/doku.php), a configuration generator for Nagios/Icinga.
This is essentially a PHP/MySQL application which provides a GUI to create and deploy configuration files – we use it to manage Icinga configurations.

One of the capabilities this tool has is to automatically reload/restart Icinga after deploying a new config.
I’m struggling to get this part working in a sensible way with SELinux in enforcing mode.
Typically, everything works in permissive mode.

System is CentOS 6.5 with selinux-policy-targeted-3.7.19-231.el6_5.3.noarch

Nconf is configured to call "/usr/bin/sudo /etc/init.d/icinga reload"

Currently I have the following in /etc/sudoers:

Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /etc/init.d/icinga reload

The CGI script which calls this command is set with the httpd_sys_script_exec_t type.
The target directory for the configuration files (/etc/icinga/nconf) is set to public_content_rw_t

Execution of this script works up to a point; configuration file deployment works but restarting the service does not.
In the web interface we see the following:

sudo: unable to stat /var/db/sudo: Permission denied

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

We see the following denies in the audit.log:

type=AVC msg=audit(1401963326.235:38): avc:  denied  { sys_ptrace } for  pid=1500 comm="sudo" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1401963326.237:39): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:40): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:41): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.239:42): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
type=AVC msg=audit(1401963326.255:46): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.255:47): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.256:48): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.257:49): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir

audit2allow suggests the use of the following:

allow httpd_t initrc_exec_t:file getattr;
allow httpd_t self:capability sys_ptrace;
allow httpd_t sudo_db_t:dir getattr;

Is this a sensible fix or is there a better way to approach this issue?

Regards,

Mark.

--
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788
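The question above is whether the three rules audit2allow proposes are sensible to grant. As an added example (not part of the original post, and not a tool from the nconf or SELinux projects), the script below parses AVC denial lines of the kind quoted above, collapses them into audit2allow-style allow rules, and then flags the ones a policy reviewer should look at twice: a `capability` grant applies to every process in the domain, not just the one CGI script, and a rule that lets one domain touch another domain's `_exec_t` entry point is worth checking against the intended design before it is allowed. The sample input is constructed from three of the post's own log lines; the review heuristics are ours, not SELinux policy semantics.

```python
#!/usr/bin/env python3
"""Summarise SELinux AVC denials the way audit2allow does, then flag the
suggested rules that widen a domain in a way worth a second look."""
import re
from collections import defaultdict

# Constructed sample input: three of the AVC lines quoted in the post above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1401963326.235:38): avc:  denied  { sys_ptrace } for  pid=1500 comm="sudo" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1401963326.237:39): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.239:42): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
"""

# "{ perm1 perm2 }" block of a denial, and generic key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type, e.g. system_u:system_r:httpd_t:s0 -> httpd_t."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the relevant fields of a denied AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m or 'type=AVC' not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
        'path': fields.get('path'),
    }


def suggested_rules(audit_text):
    """Collapse denials into one allow rule per (source, target, class),
    writing 'self' when source and target domain are the same, as audit2allow does."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt_txt = 'self' if tgt == src else tgt
        rules.append(f"allow {src} {tgt_txt}:{cls} {' '.join(sorted(perms))};")
    return rules


def review(rules):
    """Return (rule, reason) pairs for rules worth a second look.
    These are our own review heuristics, not SELinux semantics."""
    findings = []
    for r in rules:
        src, tgt, cls, perms = re.match(r'allow (\S+) (\S+):(\S+) (.+);', r).groups()
        if cls == 'capability':
            findings.append((r, f"grants capability '{perms}' to every process in "
                                f"{src}, not only the script that needed it"))
        elif tgt != 'self' and tgt.endswith('_exec_t'):
            findings.append((r, f"{src} touches another domain's entry point {tgt}; "
                                f"check that a direct allow, not a domain transition, "
                                f"is the intended design"))
    return findings


if __name__ == '__main__':
    rules = suggested_rules(SAMPLE_AUDIT)
    print('\n'.join(rules))
    for rule, reason in review(rules):
        print(f"REVIEW: {rule}  # {reason}")
```

Run against the full audit.log instead of the embedded sample (`suggested_rules(open('/var/log/audit/audit.log').read())`) to get the same merged rule list audit2allow prints, plus the review flags.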