I installed Nagios Core and plugins for the first time, and can't get it to work with SELinux. The error in the audit log is:
type=AVC msg=audit(1441480084.865:710): avc: denied { execute } for
pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
System: Scientific Linux 7
Nagios: 4.1.1
I was following the instructions here
It works when SELinux is in permissive mode (setenforce 0)
(For anyone trying to figure out how to get the error log: the SELinux policy seems, by default, not to audit the httpd exec messages. I rebuilt the SELinux policy to enable all audit messages according to this article
#semodule --disable_dontaudit --build
and looked at the log using
#sealert -a /var/log/audit/audit.log > auditlog.log
Also, following the suggestions by sealert did not work for me)
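The AVC record in the question can be read field by field. The following Python sketch is an added example, not part of the original question or answer: it parses the record and flags the pattern that the answer below addresses. The function names and the heuristic in `is_mislabelled_cgi` are assumptions made for illustration.

```python
import re
import shlex

# AVC record copied from the question above (joined onto one line).
PAGE_AVC = (
    'type=AVC msg=audit(1441480084.865:710): avc: denied { execute } for '
    'pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')


def parse_avc(line):
    """Parse one AVC audit record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # Remaining fields are key=value pairs; shlex strips the double quotes.
    for token in shlex.split(m.group(3)):
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # An SELinux context is user:role:type[:level]; the type drives enforcement.
    for field in ("scontext", "tcontext"):
        parts = rec.get(field, "").split(":")
        rec[field + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def is_mislabelled_cgi(rec):
    """Heuristic (assumption): httpd_t denied execute on a content-labelled file."""
    return (
        rec is not None
        and rec["result"] == "denied"
        and "execute" in rec["perms"]
        and rec.get("tclass") == "file"
        and rec["scontext_type"] == "httpd_t"
        and rec["tcontext_type"] == "httpd_sys_content_t"
    )


if __name__ == "__main__":
    rec = parse_avc(PAGE_AVC)
    print(rec["comm"], rec["name"], rec["scontext_type"], "->", rec["tcontext_type"])
    print("mislabelled CGI:", is_mislabelled_cgi(rec))
```

The source type (`httpd_t`) and target type (`httpd_sys_content_t`) are the two fields that explain the denial: the web server domain is asked to execute a file labelled as static content.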
Best Answer
So changing the security context on the CGI scripts to httpd_sys_script_exec_t seems to have worked, even though I am not sure if this is the desired solution. More info: https://fedoraproject.org/wiki/SELinux/apache
Note that chcon changes context only temporarily; if the filesystem is relabeled or restorecon is run, the context will revert to the default type. To change the context permanently, run: