SELinux issue with apache and nagios

mlawrence
Posts: 4
Joined: 2012/09/12 21:04:21

SELinux issue with apache and nagios

Post by mlawrence » 2012/09/12 21:49:16

Hello - I am having trouble with apache being denied access to a Nagios file. In the Nagios web UI I get this error:

[quote]
"Error: Could not open command file '/usr/local/nagios/var/rw/nagios.cmd' for update!

The permissions on the external command file and/or directory may be incorrect. Read the FAQs on how to setup proper permissions.

An error occurred while attempting to commit your command for processing.

Return from whence you came"
[/quote]
If I become the apache user I can see that file and the touch command works on it with no errors (it has rw access).

When that error occurs from the web UI I do see the following get logged in the audit.log:

[quote]
type=AVC msg=audit(1347484315.707:232): avc: denied { write } for pid=2484 comm="cmd.cgi" name="nagios.cmd" dev=dm-0 ino=262856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1347484315.707:232): arch=c000003e syscall=2 success=no exit=-13 a0=642080 a1=241 a2=1b6 a3=0 items=0 ppid=2379 pid=2484 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[/quote]
I have tried using audit2allow which creates:

[code]
module nag_apache 1.0;

require {
type httpd_t;
type usr_t;
type ping_t;
class file { read write execute_no_trans };
}

#============= httpd_t ==============
allow httpd_t usr_t:file execute_no_trans;

#============= ping_t ==============
allow ping_t usr_t:file { read write };
[/code]
I have installed the .pp file that was created as well and can see it with semodule -l.

Yet the error doesn't go away. I'm going to put SELinux in permissive mode for the time being; any ideas as to why it's acting this way? I'd rather be able to leave it enabled, but I am stuck.

Thanks!

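As an added illustration (my own code, not from the thread, from Nagios or from audit2allow), here is a small Python checker that parses the AVC record quoted above together with the allow rules in the generated .te file, and reports which denied permissions the module does not actually grant. Run against the thread's own data it shows the mismatch: the denial is httpd_t writing a fifo_file labelled usr_t, while the module only allows file execute_no_trans, so loading it cannot clear this particular denial. The sample strings are copied from the post, and the regexes and function names are my own.

```python
import re

# Constructed sample input: the AVC record quoted in the thread and the module
# body audit2allow produced for the poster, embedded here so the script runs offline.
AVC_LINE = (
    "type=AVC msg=audit(1347484315.707:232): avc: denied { write } for pid=2484 "
    'comm="cmd.cgi" name="nagios.cmd" dev=dm-0 ino=262856 '
    "scontext=unconfined_u:system_r:httpd_t:s0 "
    "tcontext=unconfined_u:object_r:usr_t:s0 tclass=fifo_file"
)

MODULE_TE = """
module nag_apache 1.0;

require {
    type httpd_t;
    type usr_t;
    type ping_t;
    class file { read write execute_no_trans };
}

#============= httpd_t ==============
allow httpd_t usr_t:file execute_no_trans;

#============= ping_t ==============
allow ping_t usr_t:file { read write };
"""

# Pulls the denied permission set, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)
# Matches "allow src tgt:class perm;" and "allow src tgt:class { p1 p2 };" rules.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>\w+))\s*;",
    re.MULTILINE,
)


def parse_avc(line):
    """Extract denied permissions, source type, target type and object class."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type:level; allow rules are written against the type.
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def parse_allow_rules(te_text):
    """Return (source, target, class, permissions) tuples for every allow rule in the .te."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        perms = set((m.group("perms") or m.group("perm")).split())
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def uncovered_perms(denial, rules):
    """Denied permissions that no allow rule with the same source, target and class grants."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (denial["source"], denial["target"], denial["tclass"]):
            granted |= perms
    return denial["perms"] - granted


def module_covers(avc_line, te_text):
    """True only when every permission denied in avc_line is granted by te_text."""
    return not uncovered_perms(parse_avc(avc_line), parse_allow_rules(te_text))


if __name__ == "__main__":
    denial = parse_avc(AVC_LINE)
    missing = uncovered_perms(denial, parse_allow_rules(MODULE_TE))
    print(f"denial: {denial['source']} -> {denial['target']}:{denial['tclass']} "
          f"{sorted(denial['perms'])}")
    print("not granted by nag_apache.te:", sorted(missing) or "none")
```

The check is the one to run before loading any audit2allow output: compare the object class and permission in the denial against the class and permission in the rule. Here the class differs (fifo_file versus file), and even a rule that did match would let httpd_t write any usr_t object, which is much broader than giving the one command directory a type Apache's CGIs are already allowed to write.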
TrevorH
Site Admin
Posts: 33232
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

SELinux issue with apache and nagios

Post by TrevorH » 2012/09/13 11:45:46

That looks like you've done a source install of Nagios? There are packaged versions of it available in various repos - EPEL has 3.4.1 for CentOS 6, for example. If you install one of those then it's very likely to put files into better locations - so, for example, your copy is trying to write to /usr/local/nagios/var/rw/nagios.cmd, and the entire /usr directory tree is likely to be treated as "special" by SELinux, and it will try not to allow writes there. A better place for files like that would be under the /var directory - and indeed the EPEL version creates a /var/spool/nagios/cmd directory, which I suspect is intended to hold files that will be written to.

mlawrence
Posts: 4
Joined: 2012/09/12 21:04:21

Re: SELinux issue with apache and nagios

Post by mlawrence » 2012/09/13 16:23:01

Thanks, and yes, it was compiled. I was under the impression that if I later wanted to add/compile modules for Nagios I would have an easier time than with a repo install. I suppose, though, that with different "configure" options I could have it install to more SELinux-friendly paths.

I would still like to understand how to configure SELinux to work with my current install if possible and why audit2allow isn't working.

TrevorH
Site Admin
Posts: 33232
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux issue with apache and nagios

Post by TrevorH » 2012/09/13 21:57:57

In general, CentOS being a package-based distribution, you'll find that your life will be much easier if you use packages rather than building things yourself. If you need to build something that isn't already packaged, then rebuilding an existing SRPM for (say) Fedora will generate a package that you can then use on CentOS. I've been using Nagios for years and I don't ever remember having to compile anything for it once installed as a package.

manckaert
Posts: 3
Joined: 2012/09/18 08:00:14
Location: Belgium

Re: SELinux issue with apache and nagios

Post by manckaert » 2012/09/18 08:11:51

Changing the context like this should get nagios external commands working:

[code]chcon -R -t httpd_sys_script_rw_t /usr/local/nagios/var/rw[/code]
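An added example in Python (my own, not part of manckaert's post) of the caveat that goes with that command: chcon changes only the label stored on the files, so a relabel (restorecon, or a full autorelabel) puts the path back to whatever the file-context rules say, which for anything under /usr is usr_t unless a more specific entry exists. The simulation uses a constructed subset of file_contexts-style entries, follows the convention that the last matching entry wins and that each regex must match the whole path, and shows the chcon label surviving a relabel only once an equivalent entry for /usr/local/nagios/var/rw(/.*)? (what a semanage fcontext rule would add) is present. The rule list, functions and in-memory label store are assumptions for the illustration.

```python
import re

# Constructed subset of file_contexts-style entries (regex, context), in the order
# such files list them: generic entries first, more specific ones later.
BASE_RULES = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/usr/.*", "system_u:object_r:usr_t:s0"),
]

# Persistent counterpart of the chcon in the post, expressed as a file-context entry.
NAGIOS_RW_RULE = (
    r"/usr/local/nagios/var/rw(/.*)?",
    "system_u:object_r:httpd_sys_script_rw_t:s0",
)


def resolve_label(path, rules):
    """Context the rules assign to path: regexes are anchored to the whole path,
    and the last matching entry wins."""
    label = None
    for pattern, context in rules:
        if re.fullmatch(pattern, path):
            label = context
    return label


def type_of(context):
    """Third field of user:role:type:level."""
    return context.split(":")[2]


def chcon(labels, path, new_type):
    """Rewrite only the type field of the stored label, as chcon -t does."""
    user, role, _, level = labels[path].split(":")
    labels[path] = ":".join((user, role, new_type, level))


def restorecon(labels, path, rules):
    """Reset the stored label to what the rules say, discarding any manual change."""
    labels[path] = resolve_label(path, rules)


def relabel_scenario(path="/usr/local/nagios/var/rw/nagios.cmd", persistent_rule=False):
    """Return the type at initial labelling, after chcon, and after a relabel."""
    rules = BASE_RULES + ([NAGIOS_RW_RULE] if persistent_rule else [])
    labels = {path: resolve_label(path, BASE_RULES)}  # first labelled before any custom rule
    before = type_of(labels[path])
    chcon(labels, path, "httpd_sys_script_rw_t")
    after_chcon = type_of(labels[path])
    restorecon(labels, path, rules)
    after_relabel = type_of(labels[path])
    return before, after_chcon, after_relabel


if __name__ == "__main__":
    print("chcon only:           ", relabel_scenario())
    print("chcon + context rule: ", relabel_scenario(persistent_rule=True))
```

Without the extra entry the relabel takes the command file back to usr_t and the original denial returns; with it, the label survives. Checking `ls -Z` on the directory after a restorecon is the quick way to confirm which of the two situations a host is in.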
