SELinux issue with nagios after upgrade to Centos 4.2
Sam Hooker
sth at noiseplant.com
Mon Aug 28 19:33:43 CEST 2006
Hi there,
(I don't know if this'll get packed into the correct thread, but I tried.
It's in response to John Stevens' post bearing the same subject line from
10/20/2005.)
Thanks for posting this, John: we've been experiencing the same issue
using Dag's RPMs (which are generally excellent). The one thing I'd add is
that, under CentOS 4.2 and 4.3, I got syntax errors from the recommended
fix. (The quoting was what got me.) What worked in the end was to simply
ditch the double-quotes:
sudo -u $Nagios touch $NagiosVar/nagios.log $NagiosSav
Cheers,
-sth
sam hooker|sth at noiseplant.com|http://www.noiseplant.com
tail -f /var/llog/llama
> Hi All,
> Just in case this affects others on the list, I thought I would drop a
line.
> I have a Centos 4 system running Nagios 1.3 as installed from the dag
> repository rpm. It has been working fine for a long time now (since I
sorted
> out some typos in the config:( ). Last week I upgraded to the latest
Centos
> 4.2. The first sign of any trouble was the system hung on boot, at the
> "Starting Nagios" message. After booting in interactive mode and NOT
> starting nagios, the system came up fine. Tried to start nagios with the
> init script and it gave me a message like:
> Your default context is user_u:system_r:unconfined_t.
>
> Do you want to choose a different one? [n]
>
> Accepting the default allowed nagios to start. After digging into the
init
> script, I discovered that the only problem was the use of su to touch
the
> various log files. The line looks like:
> su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
> and changing it to use sudo instead, fixed the problem. The sudo line
looks
> like this:
> sudo -u $Nagios "touch $NagiosVar/nagios.log $NagiosSav"
>
> Now the system boots fine. The main reason for this (wild guess) is that
su
> does not change the security context of the user invoking it to that of
the
> user it is trying to be, but sudo does. The message is saying "well, you
> want to be the nagios user, but your security context is root's, care to
> change to something more apropriate?" WIth sudo, it all just changes. I
am
> guessing (once again, wildly) that this is due to tighter context
checking
> in this newer version of selinux.
>
> I thought I would let everyone now as I have not seen any messages like
this
> so far on the list (or may have skimmed over them if they were not
clearly
> referring to this problem). If someone could explain in more detail why
this
> occurred I would be interested.
>
> BTW, is there any work being done on a SELinux security context for
nagios,
> other than the web stuff hamideh daliri posted a while ago? It would
seem
> like a good idea given the criticality of nagios in a network. Not that
I
> have seen any reports of expoits to nagios, nsca or nrpe, but it would
be
> nice tomake sure it plays well with the other children ;)
>
> Regards
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list