Bug 1291734
Summary: | nagios 4.0.8 fails to start with a "permission denied" error if SELinux is enabled | | |
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Lenz Grimmer <lenz> |
Component: | nagios | Assignee: | Scott Wilkerson <swilkerson> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | epel7 | CC: | affix, cfeller, jose.p.oliveira.oss, lemenkov, linux, mfischer, nb, ondrejj, pmonfette, shawn.starr, s, stephen, swilkerson, tibbsbrookside, vdanek, wfoster |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | nagios-4.0.8-2.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-01-21 04:39:11 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Lenz Grimmer
2015-12-15 14:03:46 UTC
This policy file is more complete (assuming the built-in default socket file location):

```
module nagios-socket 1.0;

require {
	type nagios_t;
	type nagios_log_t;
	class sock_file { write create unlink };
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:sock_file create;
allow nagios_t nagios_log_t:sock_file { write unlink };
```

Hello,

This was not enough for me in order to get Nagios fully working. I had to create the rw folder and give it the right permissions because of this error:

```
Dec 21 04:43:19 dpdell nagios: qh: Failed to init socket '/var/log/nagios/rw/nagios.qh'. bind() failed: No such file or directory
```

Folder and selinux perms:

```
# sudo -u nagios mkdir /var/log/nagios/rw/
# chcon system_u:object_r:nagios_log_t:s0 rw
```

Then I got all the below errors on start and restart (unable to connect to socket and also unable to unlink):

```
Dec 21 05:07:14 dpdell nagios: Failed to connect to query socket '/var/log/nagios/rw/nagios.qh': connect() failed: Permission denied
Dec 21 05:07:40 dpdell nagios: qh: Failed to init socket '/var/log/nagios/rw/nagios.qh'. unlink() failed: Permission denied
```

So I ended up having this in order to fix it:

```
module nagios-socket 1.0;

require {
	type nagios_t;
	type nagios_log_t;
	class sock_file { write create unlink };
	class unix_stream_socket connectto;
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:sock_file { write create unlink };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow nagios_t self:unix_stream_socket connectto;
```

The previous post's policy file worked for me.

nagios-4.0.8-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-eed09b5974

nagios-4.0.8-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-eed09b5974

nagios-4.0.8-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

This still occurs as of 2016-07-04, further the /var/log/nagios/rw/nagios.qh file does not clean up after itself on daemon restart.

Details:

```
CentOS or RHEL 7.2
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
nagios-4.0.8-2.el7.x86_64
```

== Workaround ==

1) to fix the SELinux settings I applied the following to: /var/log/nagios/rw/nagios.qh

```
seuser = system_u
user = nagios
group = nagios
mode = 0777
```

This was done via: https://github.com/sadsfae/ansible-nagios/blob/master/install/roles/nagios/tasks/main.yml#L102

2) to fix the daemon restart issue I modified the Nagios systemd unit file to append removing /var/log/nagios/rw/nagios.qh on ExecStopPost. I accomplished this again via Ansible here: https://github.com/sadsfae/ansible-nagios/blob/master/install/roles/nagios/tasks/main.yml#L112

Here's what the modified version looks like:

File: /usr/lib/systemd/system/nagios.service

```
--snip--
[Unit]
Description=Nagios Network Monitoring
After=network.target
Documentation=https://www.nagios.org/documentation/

[Service]
Type=forking
User=nagios
Group=nagios
PIDFile=/var/run/nagios/nagios.pid
# Verify Nagios config before start as upstream suggested
ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg
ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg
ExecStopPost=/usr/bin/rm -f /var/spool/nagios/cmd/nagios.cmd /var/log/nagios/rw/nagios.qh

[Install]
WantedBy=multi-user.target
--snip--
```
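Added example, not part of the bug report or of any commenter's post: a small Python parser that expands the two `nagios-socket` modules posted in the comments above into individual access vectors, shows what the second module grants beyond the first, and flags rules that use anything missing from `require`. The function names are hypothetical, and the regular expressions cover only the simple `type`, `class` and `allow` forms used in this thread, not the full policy grammar.

```python
import re

# Modules as posted in the two comments above, comments omitted; embedded to run offline.
FIRST = """module nagios-socket 1.0;
require {
    type nagios_t; type nagios_log_t;
    class sock_file { write create unlink };
}
allow nagios_t nagios_log_t:sock_file create;
allow nagios_t nagios_log_t:sock_file { write unlink };
"""
SECOND = """module nagios-socket 1.0;
require {
    type nagios_t; type nagios_log_t;
    class sock_file { write create unlink };
    class unix_stream_socket connectto;
}
allow nagios_t nagios_log_t:sock_file { write create unlink };
allow nagios_t self:unix_stream_socket connectto;
"""
PERMSET = r"(\{[^}]*\}|\w+)"  # one permission or a braced set

def _perms(text):
    return set(text.strip("{} \t\n").split())

def parse(te):
    """Return (types, {class: perms}) from require plus the expanded allow rules."""
    te = re.sub(r"#[^\n]*", "", te)  # drop comments
    types = set(re.findall(r"\btype\s+(\w+)\s*;", te))
    classes = {c: _perms(p) for c, p in
               re.findall(r"\bclass\s+(\w+)\s+" + PERMSET + r"\s*;", te)}
    rules = set()
    for src, tgt, cls, perms in re.findall(
            r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+" + PERMSET + r"\s*;", te):
        tgt = src if tgt == "self" else tgt  # 'self' is the source domain itself
        rules |= {(src, tgt, cls, p) for p in _perms(perms)}
    return types, classes, rules

def added(old, new):  # access granted by `new` that `old` does not grant
    return parse(new)[2] - parse(old)[2]

def undeclared(te):
    """Rules using a type, class or permission that require does not name."""
    types, classes, rules = parse(te)
    return {r for r in rules if r[0] not in types or r[1] not in types
            or r[3] not in classes.get(r[2], set())}

if __name__ == "__main__":
    print(sorted(added(FIRST, SECOND)))
```

Both modules grant the same three `sock_file` permissions on `nagios_log_t`; the only additional access in the second is `connectto` on the domain's own `unix_stream_socket`.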