On 06/05/2014 12:33 PM, Watts M.R. wrote:
I am currently trying to set up the ‘nconf’ package (http://www.nconf.org/dokuwiki/doku.php); a configuration generator for Nagios/Icinga.
This is essentially a PHP/MySQL application which provides a GUI to create and deploy configuration files – we use it to manage Icinga configurations.
One of the capabilities this tool has is to automatically reload/restart Icinga after deploying a new config.
I’m struggling to get this part working in a sensible way with SELinux in enforcing mode.
Typically, everything works in permissive mode.
System is CentOS 6.5 with selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
Nconf is configured to call "/usr/bin/sudo /etc/init.d/icinga reload"
Currently I have the following in /etc/sudoers:
Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /etc/init.d/icinga reload
The CGI script which calls this command is set with the httpd_sys_script_exec_t type.
The target directory for the configuration files (/etc/icinga/nconf) is set to public_content_rw_t.
Execution of this script works up to a point; configuration file deployment works but restarting the service does not.
In the web interface we see the following:
sudo: unable to stat /var/db/sudo: Permission denied
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
We see the following denies in the audit.log:
type=AVC msg=audit(1401963326.235:38): avc: denied { sys_ptrace } for pid=1500 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1401963326.237:39): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:40): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:41): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.239:42): avc: denied { getattr } for pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
type=AVC msg=audit(1401963326.255:46): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.255:47): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.256:48): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.257:49): avc: denied { getattr } for pid=1506 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
audit2allow suggests the use of the following:
allow httpd_t initrc_exec_t:file getattr;
allow httpd_t self:capability sys_ptrace;
allow httpd_t sudo_db_t:dir getattr;
Is this a sensible fix or is there a better way to approach this issue?
Regards,
Mark.
--
Mark Watts
Infrastructure Engineer, iSolutions
University of Southampton
Tel: (02380) 595788 Int: 25788
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
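Added example (not part of the thread, and not code from nconf or the SELinux project): a small Python parser that reads the AVC lines quoted above, groups them by source type, target type and object class the way audit2allow does, renders the same three allow rules, and separately lists which processes were denied while still running in httpd_t. Grouping the denials this way makes the point the reply below raises visible in the data: every denial has comm="sudo" with scontext httpd_t, so sudo never left the web server's domain, and the suggested rules would grant those permissions to httpd_t itself rather than to a sudo domain. The sample input is copied from the post; the function names are my own.

```python
"""Parse SELinux AVC denials from audit.log and group them audit2allow-style."""
import re
from collections import defaultdict

# AVC lines copied from the audit.log excerpt in the post above.
SAMPLE_AVC = """\
type=AVC msg=audit(1401963326.235:38): avc: denied { sys_ptrace } for pid=1500 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1401963326.237:39): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:40): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.238:41): avc: denied { getattr } for pid=1500 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.239:42): avc: denied { getattr } for pid=1500 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
type=AVC msg=audit(1401963326.255:46): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.255:47): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.256:48): avc: denied { getattr } for pid=1506 comm="sudo" path="/etc/rc.d/init.d/icinga" dev=dm-0 ino=918346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401963326.257:49): avc: denied { getattr } for pid=1506 comm="sudo" path="/var/db/sudo" dev=dm-4 ino=259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sudo_db_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avc_line(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path'),          # absent for capability denials
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def group_denials(text):
    """Group denials by (source type, target type, object class), as audit2allow does."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set(), 'comms': set(), 'count': 0})
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comms'].add(rec['comm'])
        if rec['path']:
            g['paths'].add(rec['path'])
        g['count'] += 1
    return dict(groups)


def allow_rules(groups):
    """Render grouped denials as sorted audit2allow-style allow rules."""
    rules = []
    for (stype, ttype, tclass), g in groups.items():
        target = 'self' if ttype == stype else ttype
        perms = ' '.join(sorted(g['perms']))
        if len(g['perms']) > 1:
            perms = '{ %s }' % perms
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perms))
    return sorted(rules)


def commands_in_domain(text, domain):
    """Names (comm=) of processes that were denied while running in `domain`.

    A helper program showing up here under the caller's domain means no
    domain transition happened when it was executed.
    """
    recs = (parse_avc_line(line) for line in text.splitlines())
    return {rec['comm'] for rec in recs if rec and rec['stype'] == domain}


if __name__ == '__main__':
    groups = group_denials(SAMPLE_AVC)
    for (stype, ttype, tclass), g in sorted(groups.items()):
        print('%s -> %s:%s perms=%s count=%d comm=%s paths=%s' % (
            stype, ttype, tclass, sorted(g['perms']), g['count'],
            sorted(g['comms']), sorted(g['paths'])))
    print('\n'.join(allow_rules(groups)))
    print('denied while still in httpd_t:', sorted(commands_in_domain(SAMPLE_AVC, 'httpd_t')))
```

Run it against the excerpt and the three rendered rules match the audit2allow output quoted in the post; the last line shows that the only process being denied is sudo, still inside httpd_t. The same script can be pointed at a full /var/log/audit/audit.log (read the file and pass its text to group_denials) to see which domains a proposed rule would actually widen before loading it.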
Ok, the problem is we have "sudo" running in httpd_t. So if I understand
correctly you have a CGI script which runs
"/usr/bin/sudo /etc/init.d/icinga reload"
right?
What does
# ls -Z PATHTO_YOUR_SCRIPT