bluethundr
Reputation: 1325
selinux prevents nagios config from being accessed
I'm running nagios 4 under centos 7. And everything works fine with SELinux disabled. But when I enable it, I am getting this error in the interface:
Whoops!
Error: Could not open CGI config file '/etc/nagios/cgi.cfg' for reading!
Here are some things you should check in order to resolve this error:
Make sure you've installed a CGI config file in its proper location. See the error message about for details on where the CGI is expecting to find the configuration file. A sample CGI configuration file (named cgi.cfg) can be found in the sample-config/ subdirectory of the Nagios source code distribution.
Make sure the user your web server is running as has permission to read the CGI config file.
Make sure you read the documentation on installing and configuring Nagios thoroughly before continuing. If all else fails, try sending a message to one of the mailing lists. More information can be found at https://www.nagios.org.
I tried checking audit2why to see if I can get a clue on how to handle this:
And I'm seeing this output:
type=AVC msg=audit(1444272414.200:15955): avc: denied { read } for pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1444272474.545:15956): avc: denied { read } for pid=9116 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
And if I check audit2allow, this is what I'm seeing:
[root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t nagios_etc_t:file { read getattr open };
#============= httpd_t ==============
allow httpd_t admin_home_t:file { write getattr open };
allow httpd_t etc_t:dir write;
allow httpd_t etc_t:file write;
allow httpd_t httpd_sys_rw_content_t:fifo_file getattr;
allow httpd_t usr_t:fifo_file { write getattr open };
But I'm not real knowledgable on SELinux. So I'm hoping I can get some advice on how to solve this problem.
Thanks
Upvotes: 2
Views: 1272
Answers (1)
Joe Young
Reputation: 5875
grep the audit.log for the word nagios and pipe it into audit2allow with the -M flag
grep nagios /var/log/audit/audit.log | audit2allow -M nagios
This should create 2 files: a type enforcement file nagios.te and a policy package file nagios.pp
Use the semodule command to load the policy package:
semodule -i nagios.pp
And you're done.
Sources:
Upvotes: 2
Related Questions
- Config file Error to start Nagios service
- Nagios - HTTP WARNING: HTTP/1.1 403 Forbidden
- Nagios Error : /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
- Unable to access the Nagios web interface in Localhost
- You don't have permission to access /nagios/ on this server
- Nagios - Access Forbidden 403
- Gunicorn Nginx Permission denied while connecting to upstream
- 403 Forbidden and 13 Permission Denied
- Nagios is active on CLI but not running on Web Interface
- Perl script can't open file owned by root when called from process (Nagios)