SELINUX=Enforcing does not allow nagios to work properly

Support for security such as Firewalls and securing linux
bluemind2005
Posts: 20
Joined: 2014/12/20 09:25:03

SELINUX=Enforcing does not allow nagios to work properly

Post by bluemind2005 » 2016/07/12 01:58:33

Hello All,

I have installed Nagios Core and everything is well as per the Nagios documentation. I have SELinux enabled and Nagios gives an error when I reschedule an event from the UI.

I get the error as below:

Code:

Error: Could not stat() command file '/usr/local/nagios/var/rw/nagios.cmd'!

The external command file may be missing, Nagios may not be running, and/or Nagios may not be checking external commands.

An error occurred while attempting to commit your command for processing.

File permissions as below:

Code:

[root@puppet local]# ls -l /usr/local/nagios/var/rw/nagios.cmd 
prw-rw----. 1 nagios nagcmd 0 Jul  9 19:43 /usr/local/nagios/var/rw/nagios.cmd
[root@puppet local]# ls -l /usr/local/nagios/var/rw/
total 0
prw-rw----. 1 nagios nagcmd 0 Jul  9 19:43 nagios.cmd
srw-rw----. 1 nagios nagcmd 0 Jul  9 19:43 nagios.qh
[root@puppet local]# ls -ld /usr/local/nagios/var/rw/
drwxrwsr-x. 2 nagios nagcmd 4096 Jul  9 19:43 /usr/local/nagios/var/rw/
[root@puppet local]# grep nag /etc/group
nagios:x:492:nagios
nagcmd:x:501:apache
[root@puppet local]# 

and cgi.cfg file is as below:

Code:

[root@puppet etc]# cat cgi.cfg |grep authorized
authorized_for_system_information=nagios
authorized_for_configuration_information=nagios
authorized_for_system_commands=nagios
authorized_for_all_services=nagios
authorized_for_all_hosts=nagios
authorized_for_all_service_commands=nagios
authorized_for_all_host_commands=nagios
#authorized_for_read_only=user1,user2
[root@puppet etc]# 

There is an article (https://fportase.wordpress.com/selinux- ... x-enabled/) and general talk that there is a bug in SELinux 6.X; is that true? Secondly, is there any patch developed to remediate it if there is a bug?

My OS version is CentOS 6.8

Code:

[root@puppet /]# getenforce
Enforcing
[root@puppet /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@puppet 

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by mghe » 2016/07/12 08:48:53

Could you show the tail of the audit log after trying to start nagios?

/var/log/audit/audit.log

bluemind2005
Posts: 20
Joined: 2014/12/20 09:25:03

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by bluemind2005 » 2016/07/12 09:20:45

Hi there,

I restarted nagios and httpd but had no messages coming in the audit file. When I tried to simulate the problem, I could see messages in the audit file, which are given below.

Waiting for further steps of actions for resolution:

Code:

type=AVC msg=audit(1468315081.800:1013): avc:  denied  { getattr } for  pid=13932 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev=dm-0 ino=1194527 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1468315081.800:1013): arch=c000003e syscall=4 success=no exit=-13 a0=64a400 a1=7ffd166ffd70 a2=7ffd166ffd70 a3=0 items=0 ppid=13825 pid=13932 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



type=AVC msg=audit(1468315137.160:1014): avc:  denied  { getattr } for  pid=13952 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev=dm-0 ino=1194527 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1468315137.160:1014): arch=c000003e syscall=4 success=no exit=-13 a0=64a400 a1=7ffc1e791ec0 a2=7ffc1e791ec0 a3=0 items=0 ppid=13820 pid=13952 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

P.S: I ran this command but had no charm after nagios and httpd restart

Code:

chcon -R -t httpd_sys_script_rw_t /usr/local/nagios/var/rw

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by mghe » 2016/07/12 09:47:01

semanage fcontext -a -t public_content_rw_t '/usr/local/nagios/var/rw(/.*)?'

restorecon -rv '/usr/local/nagios/var/rw/'


<- or public_content_t check it.



more info:

https://access.redhat.com/documentation ... vices.html

bluemind2005
Posts: 20
Joined: 2014/12/20 09:25:03

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by bluemind2005 » 2016/07/12 12:26:46

Thanks for that, but it is still not working.

Code:

type=AVC msg=audit(1468326292.684:75): avc:  denied  { getattr } for  pid=4395 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev=dm-0 ino=1194524 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1468326292.684:75): arch=c000003e syscall=4 success=no exit=-13 a0=64a400 a1=7ffc815d87f0 a2=7ffc815d87f0 a3=0 items=0 ppid=3065 pid=4395 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=system_u:system_r:httpd_t:s0 key=(null)

Interesting thing is there is no process with pid 4395

Code:

[root@puppet ~]# ps 4395
  PID TTY      STAT   TIME COMMAND
[root@puppet ~]# 

I tried semanage with r as well as rw.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by TrevorH » 2016/07/12 13:23:45

Or you could install nagios from packages in EPEL which come with the right selinux policies already set up and ready to work. You're finding the fun of doing source installs the hard way. Or, better still, dump nagios and use icinga or icinga2 - icinga is a fork of nagios and icinga2 is a rewrite of that adding massive performance benefits. You can still use nagios NRPE on remote servers and use icinga for the server.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

bluemind2005
Posts: 20
Joined: 2014/12/20 09:25:03

Re: SELINUX=Enforcing does not allow nagios to work properly

Post by bluemind2005 » 2016/07/12 14:42:38

I did read your post, which you wrote a while back, which suggests installing using the yum package. I didn't then, as it uses an old version of nagios, 3.5 if I am not wrong, and if you use the compilation method you get the latest, which is 4.1.1.

I saw another good article:
http://markelov.org/wiki/index.php/Nagios_and_SELinux

Apparently that doesn't work either

I'm happy to use it from the package, but somehow compiling from source gives me more fun. Thanks for the recommendation, I shall add it to my list :):) Got to love learning :):)
