Nagios and SELinux
Revision as of 16:32, 1 April 2010
http://blog.pas.net.au/2009/05/fighting-with-selinux-and-nagios/
[root@master ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1270138956.195:1317143): avc: denied { getattr } for pid=27998 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev=dm-0 ino=2755298 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1270138956.195:1317143): arch=c000003e syscall=4 success=no exit=-13 a0=63a920 a1=7fff110124e0 a2=7fff110124e0 a3=1 items=0 ppid=2405 pid=27998 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=37366 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
[root@master ~]# vi /tmp/audit.log
[root@master ~]# cd /tmp
[root@master tmp]# audit2allow -M NagiosRule < audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i NagiosRule.pp
[root@master tmp]# semodule -i NagiosRule.pp
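Again (the first module only covers the denials that were copied into /tmp/audit.log, so the next ones now show up):
Note: audit2allow -M also writes a .te file next to the .pp; read it before running semodule -i. Every denial here has tcontext httpd_sys_content_t on files under /usr/local/nagios/var, so the generated rules let httpd_sys_script_t and ping_t write to anything carrying that label. Giving those paths a more specific label (semanage fcontext, then restorecon) keeps the policy narrower. The ping denials are logged at execve (syscall=59, success=yes), so they look like file descriptors inherited from Nagios rather than access that ping itself needs.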
[root@master tmp]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1270139184.317:1317165): avc: denied { append } for pid=28190 comm="ping" path="/usr/local/nagios/var/host-perfdata" dev=dm-0 ino=2752540 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270139184.317:1317165): avc: denied { append } for pid=28190 comm="ping" path="/usr/local/nagios/var/service-perfdata" dev=dm-0 ino=2752541 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270139184.317:1317165): avc: denied { read write } for pid=28190 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkZsKj5r" dev=dm-0 ino=2755492 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1270139184.317:1317165): arch=c000003e syscall=59 success=yes exit=0 a0=1320e2a0 a1=1320e320 a2=7fffb89bb6f0 a3=0 items=0 ppid=28189 pid=28190 auid=501 uid=513 gid=513 euid=0 suid=0 fsuid=0 egid=513 sgid=513 fsgid=513 tty=(none) ses=40405 comm="ping" exe="/bin/ping" subj=user_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1270139188.909:1317166): avc: denied { write } for pid=28195 comm="cmd.cgi" name="nagios.cmd" dev=dm-0 ino=2755298 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1270139188.909:1317166): arch=c000003e syscall=2 success=no exit=-13 a0=63a920 a1=241 a2=1b6 a3=241 items=0 ppid=2400 pid=28195 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=37366 comm="cmd.cgi" exe="/usr/local/nagios/sbin/cmd.cgi" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1270139204.042:1317167): avc: denied { append } for pid=28209 comm="ping" path="/usr/local/nagios/var/host-perfdata" dev=dm-0 ino=2752540 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270139204.042:1317167): avc: denied { append } for pid=28209 comm="ping" path="/usr/local/nagios/var/service-perfdata" dev=dm-0 ino=2752541 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270139204.042:1317167): avc: denied { read write } for pid=28209 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkFCUK8v" dev=dm-0 ino=2755483 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1270139204.042:1317167): arch=c000003e syscall=59 success=yes exit=0 a0=12882a0 a1=1288330 a2=7fff5bb18830 a3=0 items=0 ppid=28208 pid=28209 auid=501 uid=513 gid=513 euid=0 suid=0 fsuid=0 egid=513 sgid=513 fsgid=513 tty=(none) ses=40405 comm="ping" exe="/bin/ping" subj=user_u:system_r:ping_t:s0 key=(null)
[root@master tmp]# vi audit2.log
[root@master tmp]# audit2allow -M NagiosRule2 < audit2.log
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i NagiosRule2.pp
[root@master tmp]# semodule -i NagiosRule2.pp