SELinux blocking nagios' cgis on FC5

Miguel Fernandes esmiguelfc at gmail.com
Fri Jun 23 16:51:17 CEST 2006


Hi Chris, Jim, I've received the following response from the SELinux
mailing list:

There is no longer a selinux-policy-<targeted/strict/mls>-sources RPM
> available in FC5. All policies are built from a selinux-policy.srpm
> package, which contains all of the policy source files.
>
> Happy Day.
> Thorsten
>

Apparently the sources are not available in FC5. The context of the files
is the one you wrote, httpd_sys_script_exec_t, both on the CGIs and on the
configuration files. The CGIs are executed, but they aren't able to read the
object configuration: the AVC denials below are read denials on
objects.cache, whose target context is var_log_t. I'm appending the
requested directory listings and a part of the syslog related to AVC.
Thanks in advance!

MFC

[root at localhost nagios]# ls --context /usr/lib/nagios/cgi-bin/
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t avail.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t cmd.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t config.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> extinfo.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> histogram.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> history.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> notifications.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> outages.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> showlog.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t status.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> statusmap.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> statuswml.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> statuswrl.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t
> summary.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t tac.cgi
> -rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t trends.cgi
>
[root at localhost nagios]# ls --context
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> bigger.cfg-sample
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t cgi.cfg
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> cgi.cfg-sample
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> checkcommands.cfg
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> checkcommands.cfg-sample
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> contactgroups.cfg
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> contacts.cfg
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> hostgroups.cfg
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t hosts.cfg
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> htpasswd.users
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> minimal.cfg-sample
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> misccommands.cfg
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> misccommands.cfg-sample
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t nagios.cfg
> -rw-rw-r--  root root system_u:object_r:httpd_sys_script_exec_t
> nagios.cfg-sample
> drwxr-x---  root root system_u:object_r:httpd_sys_script_exec_t private
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> services.cfg
> -rw-r--r--  root root system_u:object_r:httpd_sys_script_exec_t
> timeperiods.cfg
> [root at localhost nagios]# ls --context private/
> -rw-r-----  root root system_u:object_r:httpd_sys_script_exec_t
> resource.cfg
> -rw-r-----  root root system_u:object_r:httpd_sys_script_exec_t
> resource.cfg-sample


audit(1151073510.912:1650): avc:  denied  { read } for  pid=7942 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
> audit(1151073601.054:1651): avc:  denied  { read } for  pid=7999 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
> audit(1151073696.660:1652): avc:  denied  { read } for  pid=8037 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
> audit(1151073787.393:1653): avc:  denied  { read } for  pid=8067 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
> audit(1151073877.523:1654): avc:  denied  { read } for  pid=8108 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
> audit(1151073967.653:1655): avc:  denied  { read } for  pid=8203 comm="
> status.cgi" name="objects.cache" dev=dm-0 ino=98630
> scontext=root:system_r:httpd_sys_script_t:s0
> tcontext=root:object_r:var_log_t:s0 tclass=file
>