On Thu, 2007-08-30 at 12:00 -0400, fedora-selinux-list-request@xxxxxxxxxx wrote:
> Send fedora-selinux-list mailing list submissions to
>       fedora-selinux-list@xxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>       https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> or, via email, send a message with subject or body 'help' to
>       fedora-selinux-list-request@xxxxxxxxxx
>
> You can reach the person managing the list at
>       fedora-selinux-list-owner@xxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of fedora-selinux-list digest..."
>
>
> Today's Topics:
>
>    1. Re: Nagios Web Interface and SELinux (Michael Thomas)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 29 Aug 2007 15:37:18 -0700
> From: Michael Thomas <wart@xxxxxxxxxx>
> Subject: Re: Nagios Web Interface and SELinux
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Message-ID: <46D5F51E.20206@xxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel J Walsh wrote:
> > Ryan Skadberg wrote:
> >> I have been trying to get nagios up and running on 2 different
> >> machines.  One running FC5 and one running FC6.  Nagios itself starts
> >> up fine, but the web interface fails miserably.
> >>
> >> When looking at /var/log/messages, I see things like:
> >> Dec  3 11:38:17 xray kernel: audit(1165174697.348:289): avc:  denied
> >> { execute_no_trans } for  pid=22237 comm="httpd" name="tac.cgi"
> >> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>
> > Where is this file located?  Looks like this needs a context like
> > httpd_sys_content_t or httpd_sys_script_t.
> >
> >
> > chcon -R -t httpd_sys_content_t PATH_TO_DIR
>
> I just ran into the same problem on EPEL-5.  It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
>
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
>
> This should be:
>
> /usr/lib(64)?/nagios/cgi-bin/.+ --
>
> --Wart
>
>
>
> ------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> End of fedora-selinux-list Digest, Vol 42, Issue 32
> ***************************************************

Hi,

I have installed nagios on Fedora 6, and I have no problems with SELinux
there. I can tell you the SELinux contexts for some needed files; it looks
to work fine. I don't get audit messages.

1. /etc/nagio - system_u:object_r:nagios_etc_t

2. [anebi@asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r--  root   root   system_u:object_r:nagios_etc_t   cgi.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   commands.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   contactgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   contacts.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   hostgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   hosts.cfg
-rw-r--r--  apache apache system_u:object_r:nagios_etc_t   htpasswd.users
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   nagios.cfg
-rw-r--r--  nagios nagios system_u:object_r:nrpe_etc_t     nrpe.cfg
drwxr-x---  root   nagios system_u:object_r:nagios_etc_t   private
drw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   sample
drwxr-xr-x  nagios nagios system_u:object_r:nagios_etc_t   services
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t   timeperiods.cfg

3. [anebi@asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x  root   root   system_u:object_r:usr_t          /usr/share/nagios/

4. [anebi@asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x  root   root   system_u:object_r:usr_t          html

5. [anebi@asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x  root   root   system_u:object_r:usr_t          contexthelp
drwxr-xr-x  root   root   system_u:object_r:usr_t          docs
drwxr-xr-x  root   root   system_u:object_r:usr_t          images
-rw-r--r--  root   root   system_u:object_r:usr_t          index.html
-rw-r--r--  root   root   system_u:object_r:usr_t          main.html
drwxr-xr-x  root   root   system_u:object_r:usr_t          media
-rw-r--r--  root   root   system_u:object_r:usr_t          robots.txt
-rw-r--r--  root   root   system_u:object_r:usr_t          side.html
drwxr-xr-x  root   root   system_u:object_r:usr_t          ssi
drwxr-xr-x  root   root   system_u:object_r:usr_t          stylesheets

6. [anebi@asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x  root   root   system_u:object_r:lib_t          /usr/lib64/nagios/

7. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x  root   root   system_u:object_r:lib_t          cgi-bin
drwxr-xr-x  root   root   system_u:object_r:bin_t          plugins

8. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t avail.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t cmd.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t config.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t extinfo.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t histogram.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t history.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t notifications.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t outages.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t showlog.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t status.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t statusmap.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t statuswml.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t statuswrl.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t summary.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t tac.cgi
-rwxr-xr-x  root   root   system_u:object_r:nagios_cgi_exec_t trends.cgi

9. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_ackpoller
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_clamd -> check_tcp
-rwsr-x---  root   nagios system_u:object_r:bin_t          check_dhcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_disk
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_ftp -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_http
-rwsr-xr-x  root   root   system_u:object_r:bin_t          check_ide_smart
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_imap -> check_tcp
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_jabber -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_linux_raid
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_load
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_nagios
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_nntp -> check_tcp
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_nntps -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_nrpe
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_ping
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_pop -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_sensors
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_simap -> check_tcp
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_spop -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_ssh
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_ssmtp -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_tcp
lrwxrwxrwx  root   root   system_u:object_r:bin_t          check_udp -> check_tcp
-rwxr-xr-x  root   root   system_u:object_r:bin_t          check_users
drwxr-xr-x  root   root   system_u:object_r:bin_t          eventhandlers
-rwxr-xr-x  root   root   system_u:object_r:bin_t          negate
-rwxr-xr-x  root   root   system_u:object_r:bin_t          notify_by_reliable
-rwxr-xr-x  root   root   system_u:object_r:bin_t          urlize
-rw-r--r--  root   root   system_u:object_r:bin_t          utils.pm
-rwxr-xr-x  root   root   system_u:object_r:bin_t          utils.sh

10. [anebi@asgard ~]$ ls -Z /var/log/nagios/
drwxr-xr-x  nagios nagios system_u:object_r:nagios_log_t   archives
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   comments.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   downtime.dat
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t   nagios.log
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t   objects.cache
-rw-------  nagios nagios system_u:object_r:nagios_log_t   retention.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t   status.dat

11. [anebi@asgard ~]$ ls -Z /var/run/nagios.pid
-rw-r--r--  nagios nagios system_u:object_r:initrc_var_run_t /var/run/nagios.pid

I'm not sure about this, I think I had messages for this.

Now our systems are running in permissive mode.

I hope that this info can help you.

Regards,
Ali Nebi!
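
Added example, not part of the thread or of any shipped policy: a small model of a file_contexts lookup showing why tac.cgi under cgi-bin falls through to lib_t with the cgi/ pattern quoted above and gets nagios_cgi_exec_t once the pattern says cgi-bin/. The lib_t catch-all entry, the type on the corrected entry (taken from the ls -Z listing of cgi-bin) and the "last matching entry wins" rule are assumptions that simplify how libselinux orders entries.

```python
import re

# Constructed sample entries in file_contexts layout:
#   path-regex  [file-type flag]  context
# The lib_t catch-all is an assumption for illustration.
SHIPPED = """
/usr/lib(64)?(/.*)?                 system_u:object_r:lib_t:s0
/usr/lib(64)?/nagios/cgi/.+   --    system_u:object_r:nagios_cgi_exec_t:s0
"""
# Assumed correction: same type, directory name changed to cgi-bin.
FIXED = SHIPPED.replace("/nagios/cgi/", "/nagios/cgi-bin/")


def parse(text):
    """Return a list of (compiled_regex, flag_or_None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            fields.insert(1, None)      # no flag: applies to any file type
        if len(fields) == 3:
            specs.append((re.compile(fields[0]), fields[1], fields[2]))
    return specs


def lookup(specs, path, flag="--"):
    """Simplified lookup: whole-path match, last matching entry wins."""
    for regex, spec_flag, context in reversed(specs):
        if spec_flag in (None, flag) and regex.fullmatch(path):
            return context
    return None


def selinux_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    cgi = "/usr/lib64/nagios/cgi-bin/tac.cgi"
    for name, text in (("shipped", SHIPPED), ("fixed", FIXED)):
        print(name, selinux_type(lookup(parse(text), cgi)))
    # The directory itself is not covered by ".+" and keeps lib_t.
    print("dir", selinux_type(lookup(parse(FIXED), "/usr/lib64/nagios/cgi-bin", "-d")))
```

On a real system, matchpathcon and restorecon -n -v report the same expected-versus-actual comparison against the installed policy.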