Nagios SELinux contexts on RHEL7 equivalent

nagios selinux

I installed Nagios Core and plugins for the first time, and can't get it to work with SELinux. The error in the audit log is:

type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for 
pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

System: Scientific Linux 7
Nagios: 4.1.1

I was following the instructions here

It works when SELinux is in permissive mode (setenforce 0).

(For anyone trying to figure out how to get the error log: the SELinux policy seems, by default, not to audit the httpd exec messages. I rebuilt the SELinux policy to enable all audit messages according to this article

#semodule --disable_dontaudit --build

and looked at the log using

#sealert -a /var/log/audit/audit.log > auditlog.log

Also, following the suggestions by sealert did not work for me)

Best Answer

So changing the security context on the CGI scripts to httpd_sys_script_exec_t seems to have worked, even though I am not sure if this is the desired solution.

chcon -R -t httpd_sys_script_exec_t /usr/local/nagios/sbin

More info: https://fedoraproject.org/wiki/SELinux/apache

Note that chcon changes context only temporarily; if the filesystem is relabeled or restorecon is run, the context will revert to the default type. To change the context permanently, run:

# The pattern covers the directory and everything under it, matching chcon -R above
semanage fcontext -a -t httpd_sys_script_exec_t "/usr/local/nagios/sbin(/.*)?"
restorecon -Rv /usr/local/nagios/sbin
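
Reading the denial from the question field by field shows why the relabel works: httpd_t was refused execute on a file typed httpd_sys_content_t. The shell sketch below is an added example, not part of the original post; the function names and the second log record are constructed for illustration.

```shell
#!/bin/sh
# Sample input: the denial from the question joined onto one line (as it is
# stored in audit.log), followed by one constructed record that must not match.
SAMPLE_LOG='type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1441480090.101:711): avc:  denied  { read } for pid=5450 comm="httpd" name="index.html" dev="dm-1" ino=135240041 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_fields (hypothetical helper): read audit records on stdin and print, for
# each AVC denial: permissions source_type target_type class name
avc_fields() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; src = tgt = cls = name = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission between the braces, comma-separated.
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^scontext=/) {
                split($i, c, ":"); src = c[3]      # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); tgt = c[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            } else if ($i ~ /^name=/) {
                name = substr($i, 6); gsub(/"/, "", name)
            }
        }
        print perm, src, tgt, cls, name
    }'
}

# cgi_mislabels (hypothetical helper): names of files that httpd_t could not
# execute because they carry the static-content type. These are the files the
# answer relabels to httpd_sys_script_exec_t.
cgi_mislabels() {
    avc_fields | awk '$1 ~ /(^|,)execute(,|$)/ && $2 == "httpd_t" &&
                      $3 == "httpd_sys_content_t" && $4 == "file" { print $5 }'
}

printf '%s\n' "$SAMPLE_LOG" | cgi_mislabels
```

On a live system the same functions can read /var/log/audit/audit.log on stdin instead of the embedded sample.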