SELinux issue with nagios after upgrade to Centos 4.2

Ian imarks at comcast.net
Mon Aug 28 23:21:13 CEST 2006


 From what I have seen posted in some forums and by Stephen Smalley, the 
correct way to do transitions with "su" is by using the /sbin/runuser 
command.
Example of what I use:
 /sbin/runuser - $NagiosUser -c "touch $NagiosVarDir/nagios.log $NagiosRetentionFile"

Ian


Sam Hooker wrote:
> Hi there,
>
> (I don't know if this'll get packed into the correct thread, but I tried. 
> It's in response to John Stevens' post bearing the same subject line from 
> 10/20/2005.)
>
> Thanks for posting this, John: we've been experiencing the same issue 
> using Dag's RPMs (which are generally excellent). The one thing I'd add is 
> that, under CentOS 4.2 and 4.3, I got syntax errors from the recommended 
> fix. (The quoting was what got me.) What worked in the end was to simply 
> ditch the double-quotes:
>
>     sudo -u $Nagios touch $NagiosVar/nagios.log $NagiosSav
>
> Cheers,
>
> -sth
>
> sam hooker|sth at noiseplant.com|http://www.noiseplant.com
>
> 	tail -f /var/llog/llama
>
>   
>> Hi All,
>> Just in case this affects others on the list, I thought I would drop a
>> line.
>> I have a Centos 4 system running Nagios 1.3 as installed from the dag
>> repository rpm. It has been working fine for a long time now (since I
>> sorted out some typos in the config:( ). Last week I upgraded to the
>> latest Centos 4.2. The first sign of any trouble was the system hung on
>> boot, at the "Starting Nagios" message. After booting in interactive mode
>> and NOT starting nagios, the system came up fine. Tried to start nagios
>> with the init script and it gave me a message like:
>> Your default context is user_u:system_r:unconfined_t.
>>
>> Do you want to choose a different one? [n]
>>
>> Accepting the default allowed nagios to start. After digging into the
>> init script, I discovered that the only problem was the use of su to
>> touch the various log files. The line looks like:
>> su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
>> and changing it to use sudo instead fixed the problem. The sudo line
>> looks like this:
>> sudo -u $Nagios "touch $NagiosVar/nagios.log $NagiosSav"
>>
>> Now the system boots fine. The main reason for this (wild guess) is that
>> su does not change the security context of the user invoking it to that
>> of the user it is trying to be, but sudo does. The message is saying
>> "well, you want to be the nagios user, but your security context is
>> root's, care to change to something more appropriate?" With sudo, it all
>> just changes. I am guessing (once again, wildly) that this is due to
>> tighter context checking in this newer version of selinux.
>>
>> I thought I would let everyone know as I have not seen any messages like
>> this so far on the list (or may have skimmed over them if they were not
>> clearly referring to this problem). If someone could explain in more
>> detail why this occurred I would be interested.
>>
>> BTW, is there any work being done on a SELinux security context for
>> nagios, other than the web stuff hamideh daliri posted a while ago? It
>> would seem like a good idea given the criticality of nagios in a network.
>> Not that I have seen any reports of exploits to nagios, nsca or nrpe, but
>> it would be nice to make sure it plays well with the other children ;)
>>
>> Regards
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null
>
>   
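
An added example, not part of the original posts or of the Nagios/Dag init script: a helper for a root-run init script that prefers /sbin/runuser and falls back to su, and builds the single shell string that `-c` expects (sudo, by contrast, takes the command as separate arguments). The names `shell_quote`, `join_quoted`, `run_as_user`, `RUNUSER_BIN` and `SU_BIN` are hypothetical.

```shell
#!/bin/sh
# Added example; function and variable names here are hypothetical.
# RUNUSER_BIN / SU_BIN can be overridden so the helper can be tried without root.
RUNUSER_BIN=${RUNUSER_BIN:-/sbin/runuser}
SU_BIN=${SU_BIN:-/bin/su}

# shell_quote WORD: single-quote WORD so the target user's shell sees it as
# exactly one argument, even if a path contains spaces, $ or quotes.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# join_quoted CMD [ARG...]: build the ONE string that "su -c" / "runuser -c"
# hand to the shell. sudo differs: it wants CMD and ARGs as separate argv
# entries, so wrapping the whole command in one pair of quotes breaks it.
join_quoted() {
    cmdline=
    for arg in "$@"; do
        cmdline="$cmdline${cmdline:+ }$(shell_quote "$arg")"
    done
    printf '%s' "$cmdline"
}

# run_as_user USER CMD [ARG...]
# Use runuser when it is installed (the approach recommended in the reply
# above), otherwise fall back to su.
run_as_user() {
    user=$1
    shift
    cmdline=$(join_quoted "$@")
    if [ -x "$RUNUSER_BIN" ]; then
        "$RUNUSER_BIN" - "$user" -c "$cmdline"
    else
        "$SU_BIN" - "$user" -c "$cmdline"
    fi
}

# Usage inside the init script, with the variable names from the reply above:
#   run_as_user "$NagiosUser" touch "$NagiosVarDir/nagios.log" "$NagiosRetentionFile"
```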
