SELinux issue with nagios after upgrade to Centos 4.2

[Sam Hooker]

Hi there,

(I don't know if this'll get packed into the correct thread, but I tried. 
It's in response to John Stevens' post bearing the same subject line from 
10/20/2005.)

Thanks for posting this, John: we've been experiencing the same issue 
using Dag's RPMs (which are generally excellent). The one thing I'd add is 
that, under CentOS 4.2 and 4.3, I got syntax errors from the recommended 
fix. (The quoting was what got me.) What worked in the end was to simply 
ditch the double-quotes:

    sudo -u $Nagios touch $NagiosVar/nagios.log $NagiosSav

Cheers,

-sth

sam hooker|sth at noiseplant.com|http://www.noiseplant.com

	tail -f /var/llog/llama

> Hi All,
> Just in case this affects others on the list, I thought I would drop a 
line.
> I have a Centos 4 system running Nagios 1.3 as installed from the dag
> repository rpm. It has been working fine for a long time now (since I 
sorted
> out some typos in the config:( ). Last week I upgraded to the latest 
Centos
> 4.2. The first sign of any trouble was the system hung on boot, at the
> "Starting Nagios" message. After booting in interactive mode and NOT
> starting nagios, the system came up fine. Tried to start nagios with the
> init script and it gave me a message like:
> Your default context is user_u:system_r:unconfined_t.
> 
> Do you want to choose a different one? [n]
> 
> Accepting the default allowed nagios to start. After digging into the 
init
> script, I discovered that the only problem was the use of su to touch 
the
> various log files. The line looks like:
> su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
> and changing it to use sudo instead, fixed the problem. The sudo line 
looks
> like this:
> sudo -u $Nagios "touch $NagiosVar/nagios.log $NagiosSav"
> 
> Now the system boots fine. The main reason for this (wild guess) is that 
su
> does not change the security context of the user invoking it to that of 
the
> user it is trying to be, but sudo does. The message is saying "well, you
> want to be the nagios user, but your security context is root's, care to
> change to something more apropriate?" WIth sudo, it all just changes. I 
am
> guessing (once again, wildly) that this is due to tighter context 
checking
> in this newer version of selinux.
> 
> I thought I would let everyone now as I have not seen any messages like 
this
> so far on the list (or may have skimmed over them if they were not 
clearly
> referring to this problem). If someone could explain in more detail why 
this
> occurred I would be interested.
> 
> BTW, is there any work being done on a SELinux security context for 
nagios,
> other than the web stuff hamideh daliri posted a while ago? It would 
seem
> like a good idea given the criticality of nagios in a network. Not that 
I
> have seen any reports of expoits to nagios, nsca or nrpe, but it would 
be
> nice tomake sure it plays well with the other children ;)
> 
> Regards

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null