I am currently trying to set up the ‘nconf’ package (http://www.nconf.org/dokuwiki/doku.php); a configuration generator for Nagios/Icinga. This is essentially a PHP/MySQL application which provides a GUI to create and deploy configuration files – we use it to manage Icinga configurations. One of the capabilities this tool has is to automatically reload/restart Icinga after deploying a new config. I’m struggling to get this part working in a sensible way with SELinux in enforcing mode. Typically, everything works in permissive mode.

System is CentOS 6.5 with selinux-policy-targeted-3.7.19-231.el6_5.3.noarch

Nconf is configured to call "/usr/bin/sudo /etc/init.d/icinga reload"

Currently I have the following in /etc/sudoers:

    Defaults:apache !requiretty
    apache ALL=(root) NOPASSWD: /etc/init.d/icinga reload

The CGI script which calls this command is set with the httpd_sys_script_exec_t type. The target directory for the configuration files (/etc/icinga/nconf) is set to public_content_rw_t.

Execution of this script works up to a point; configuration file deployment works but restarting the service does not. In the web interface we see the following:

    sudo: unable to stat /var/db/sudo: Permission denied

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    sudo: no tty present and no askpass program specified

We see the following denies in the audit.log:

    type=AVC msg=audit(1401963326.235:38): avc: denied { sys_ptrace } for pid=1500 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
    type=AVC msg=audit(1401963326.237:39): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.238:40): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.238:41): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.239:42): avc: denied { getattr } for pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
    type=AVC msg=audit(1401963326.255:46): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.255:47): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.256:48): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
    type=AVC msg=audit(1401963326.257:49): avc: denied { getattr } for pid=1506 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir

audit2allow suggests the use of the following:

    allow httpd_t initrc_exec_t:file getattr;
    allow httpd_t self:capability sys_ptrace;
    allow httpd_t sudo_db_t:dir getattr;

Is this a sensible fix or is there a better way to approach this issue?

Regards,
Mark.

-- 
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
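Added example (not part of the post above, nor of nconf or audit2allow): a small parser for the AVC denial lines quoted in the message. It collapses the nine repeated denials into the three distinct (source type, target type, class) rules audit2allow derived, while keeping a count of how often each fired, so that before any rule is written into a policy module it is clear which denial is a one-off and which is the httpd_t domain itself gaining a capability. The sample log below is a constructed subset of the lines from the post.

```python
import re
from collections import OrderedDict

# Constructed sample: four of the AVC lines quoted in the post above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1401963326.235:38): avc: denied { sys_ptrace } for pid=1500 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1401963326.237:39): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:40): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.239:42): avc: denied { getattr } for pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
"""

# Fields of an AVC record we need: the denied permissions, both contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return (source type, target type, class, frozenset of perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:mls]; the type is always the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def summarize(audit_text):
    """Collapse repeated denials: {(stype, ttype, tclass): (perms, count)} in first-seen order."""
    rules = OrderedDict()
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        old_perms, count = rules.get((stype, ttype, tclass), (frozenset(), 0))
        rules[(stype, ttype, tclass)] = (old_perms | perms, count + 1)
    return rules

def render(rules):
    """Print rules the way audit2allow does. A target equal to the source becomes 'self',
    which is worth noticing: a self:capability rule applies to every process in the domain,
    not just the sudo child that triggered the denial."""
    out = []
    for (stype, ttype, tclass), (perms, _count) in rules.items():
        target = 'self' if ttype == stype else ttype
        perm_str = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out
```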