SELinux issue with nagios after upgrade to Centos 4.2

John Stevens jstevensog at gmail.com
Thu Oct 20 11:38:47 CEST 2005


Hi All,
Just in case this affects others on the list, I thought I would drop a line.
I have a Centos 4 system running Nagios 1.3 as installed from the dag
repository rpm. It has been working fine for a long time now (since I sorted
out some typos in the config:( ). Last week I upgraded to the latest Centos
4.2. The first sign of any trouble was the system hung on boot, at the
"Starting Nagios" message. After booting in interactive mode and NOT
starting nagios, the system came up fine. Tried to start nagios with the
init script and it gave me a message like:
Your default context is user_u:system_r:unconfined_t.

Do you want to choose a different one? [n]

Accepting the default allowed nagios to start. After digging into the init
script, I discovered that the only problem was the use of su to touch the
various log files. The line looks like:
su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
and changing it to use sudo instead fixed the problem. The sudo line looks
like this:
sudo -u $Nagios touch $NagiosVar/nagios.log $NagiosSav

Now the system boots fine. The main reason for this (wild guess) is that su
does not change the security context of the user invoking it to that of the
user it is trying to be, but sudo does. The message is saying "well, you
want to be the nagios user, but your security context is root's, care to
change to something more appropriate?" With sudo, it all just changes. I am
guessing (once again, wildly) that this is due to tighter context checking
in this newer version of selinux.

I thought I would let everyone know as I have not seen any messages like this
so far on the list (or may have skimmed over them if they were not clearly
referring to this problem). If someone could explain in more detail why this
occurred I would be interested.

BTW, is there any work being done on a SELinux security context for nagios,
other than the web stuff hamideh daliri posted a while ago? It would seem
like a good idea given the criticality of nagios in a network. Not that I
have seen any reports of exploits to nagios, nsca or nrpe, but it would be
nice to make sure it plays well with the other children ;)

Regards
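
Added example, not part of the original post and not code from the Nagios or dag packages: a small shell audit that flags init-script lines invoking su, the call the post identifies as the source of the interactive context prompt, and suggests the sudo form. The function names audit_su_calls and suggest_sudo are hypothetical and the sample script is constructed; the suggestion passes the command to sudo as separate words, because sudo treats its first non-option argument as the program to run.

```shell
#!/bin/sh
# Added example (not from the original post): audit an init script for `su`
# calls and suggest a `sudo -u` replacement for the simple ones.

# audit_su_calls FILE
# Prints "LINENO:TEXT" for every non-comment line that runs `su` as a command
# word (not sudo, suspend, ...). Returns 0 if any were found, 1 otherwise.
audit_su_calls() {
    grep -nE '(^|[;&|(`[:space:]])su([[:space:]]|$)' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# suggest_sudo LINE
# Rewrites  su [-|-l] USER -c "CMD"  to  sudo -u USER CMD.
# Only simple commands are rewritten: sudo does not hand CMD to a shell, so a
# CMD containing ; | & < > or backticks is returned unchanged for manual review.
suggest_sudo() {
    printf '%s\n' "$1" | sed -E \
        's/(^|[;&|[:space:]])su[[:space:]]+(-l?[[:space:]]+)?([^[:space:]]+)[[:space:]]+-c[[:space:]]+"([^";|&<>`]*)"/\1sudo -u \3 \4/'
}

# Demo on a constructed init-script fragment (sample data, not a real file).
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
#!/bin/sh
# su is only mentioned in this comment
su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
sudo -u $Nagios touch /tmp/already-fixed
EOF
    audit_su_calls "$sample" | while IFS=: read -r n text; do
        printf 'line %s: %s\n  suggest: %s\n' "$n" "$text" "$(suggest_sudo "$text")"
    done
    rm -f "$sample"
}
demo
```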