Allowing httpd restart a service

Miroslav Grepl mgrepl at redhat.com
Fri Jun 6 10:23:03 UTC 2014


On 06/05/2014 12:33 PM, Watts M.R. wrote:
> I am currently trying to set up the ‘nconf’ package (http://www.nconf.org/dokuwiki/doku.php), a configuration generator for Nagios/Icinga.
> This is essentially a PHP/MySQL application which provides a GUI to create and deploy configuration files – we use it to manage Icinga configurations.
>
> One of the capabilities this tool has is to automatically reload/restart Icinga after deploying a new config.
> I’m struggling to get this part working in a sensible way with SELinux in enforcing mode.
> Typically, everything works in permissive mode.
>
> System is CentOS 6.5 with selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>
> Nconf is configured to call "/usr/bin/sudo /etc/init.d/icinga reload"
>
> Currently I have the following in /etc/sudoers:
>
> Defaults:apache !requiretty
> apache ALL=(root) NOPASSWD: /etc/init.d/icinga reload
>
> The CGI script which calls this command is set with the httpd_sys_script_exec_t type.
> The target directory for the configuration files (/etc/icinga/nconf) is set to public_content_rw_t.
>
> Execution of this script works up to a point; configuration file deployment works but restarting the service does not.
> In the web interface we see the following:
>
> sudo: unable to stat /var/db/sudo: Permission denied
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
>      #1) Respect the privacy of others.
>      #2) Think before you type.
>      #3) With great power comes great responsibility.
>
> sudo: no tty present and no askpass program specified
>
> We see the following denies in the audit.log:
>
> type=AVC msg=audit(1401963326.235:38): avc:  denied  { sys_ptrace } for  pid=1500 comm="sudo" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
> type=AVC msg=audit(1401963326.237:39): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.238:40): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.238:41): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.239:42): avc:  denied  { getattr } for  pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
> type=AVC msg=audit(1401963326.255:46): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.255:47): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.256:48): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
> type=AVC msg=audit(1401963326.257:49): avc:  denied  { getattr } for  pid=1506 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
>
> audit2allow suggests the use of the following:
>
> allow httpd_t initrc_exec_t:file getattr;
> allow httpd_t self:capability sys_ptrace;
> allow httpd_t sudo_db_t:dir getattr;
>
> Is this a sensible fix or is there a better way to approach this issue?
>
> Regards,
>
> Mark.
>
> --
> Mark Watts
> Infrastructure Engineer, iSolutions
> University of Southampton
> Tel: (02380) 595788 Int: 25788
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Ok, the problem is we have "sudo" running in httpd_t. So if I understand 
correctly you have a CGI script which runs

"/usr/bin/sudo /etc/init.d/icinga reload"

right?

What does

# ls -Z PATHTO_YOUR_SCRIPT
