Thread: Nagios + selinux




Nagios + selinux
Germany
2007-03-01 01:47:44
Hi lists

it seems the rpmforge nagios package does not work out of the box if
selinux is turned on. A log from someone complaining about it (the
nagios cgis) not working:

---
[Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
[Thu Mar 01 15:58:30 2007] [notice] Digest: done
[Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
[Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
[Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
[Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
[Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
---

I would like to make proper rules for this rpm but I have
absolutely no clue about selinux and policies. Any hints
what to read, where to start?

Chris

-- 
financial.com AG            Tel. +49 (0) 89 / 31 85 28 - 44
Maria-Probst-Strasse 19     Fax. +49 (0) 89 / 31 85 28 - 28
D-80939 München             http://www.financial.com/


_______________________________________________
CentOS-devel mailing list
CentOS-develcentos.org
http://lists.centos.org/mailman/listinfo/centos-devel

Re: Nagios + selinux
Antigua and Barbuda
2007-03-01 04:52:01
On Mar 1, 2007, at 3:47 AM, Christoph Maser wrote:

> Hi lists
>
> it seems the rpmforge nagios package does not work out of the box if
> selinux is turned on. A log from someone complaining about it (the
> nagios cgis) not working:
>
> ---
> [Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
> [Thu Mar 01 15:58:30 2007] [notice] Digest: done
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
> [Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
> [Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> ---
>
> I would like to make proper rules for this rpm but I have
> absolutely no clue about selinux and policies. Any hints what to
> read, where to start?
>
> Chris
>

I've found this helpful:
http://fedoraproject.org/wiki/SELinux

-Jeff


Re: Nagios + selinux
United States
2007-03-01 06:07:53
On Thu, 1 Mar 2007 at 6:52am, Jeff Sheltren wrote

> On Mar 1, 2007, at 3:47 AM, Christoph Maser wrote:

>> I would like to make proper rules for this rpm but I have absolutely no
>> clue about selinux and policies. Any hints what to read, where to start?
>>
>
> I've found this helpful:
> http://fedoraproject.org/wiki/SELinux
>
And here's a recipe for making ganglia work with selinux that can easily
be adapted to other packages:

http://sourceforge.net/mailarchive/message.php?msg_id=10659480

-- 
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University

Re: Nagios + selinux
2007-03-01 07:24:35
On 3/1/07, Christoph Maser <cmrfinancial.com> wrote:
> it seems the rpmforge nagios package does not work out of the box if
> selinux is turned on. A log from someone complaining about it (the
> nagios cgis) not working:
>

The nagios mailing list archive has some rulesets for selinux that
you can use, but depending on what you're monitoring, you have to open
up a fair amount of stuff.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

Re: Nagios + selinux
Germany
2007-03-01 08:08:00
On Thursday, 01.03.2007, at 08:24 -0500, Jim Perrin wrote:
> The nagios mailing list archive has some rulesets for selinux that
> you can use, but depending on what you're monitoring, you have to open
> up a fair amount of stuff.
> 
> 

Thanks for that and all the other answers. So far I think only the cgis
won't run with selinux enabled but I will do a complete test with some
simple checks. Another question: is there anything special one should
consider when distributing selinux rules inside an rpm?

Chris
-- 
financial.com AG            Tel. +49 (0) 89 / 31 85 28 - 44
Maria-Probst-Strasse 19     Fax. +49 (0) 89 / 31 85 28 - 28
D-80939 München             http://www.financial.com/



Nagios + selinux
Belgium
2007-03-02 04:11:37
On Thu, 1 Mar 2007, Christoph Maser wrote:

> it seems the rpmforge nagios package does not work out of the box if
> selinux is turned on. A log from someone complaining about it (the
> nagios cgis) not working:
>
> ---
> [Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
> [Thu Mar 01 15:58:30 2007] [notice] Digest: done
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
> [Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
> [Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> ---
>
> I would like to make proper rules for this rpm but I have absolutely no
> clue about selinux and policies. Any hints what to read, where to start?

Yes, selinux is pretty complicated and I have no good experience of it
myself. I always put it to permissive. I would love to add selinux
capabilities to my packages, though I don't know how I can help you with
it.

Please let me know if you have learned more and tell me what specific
changes are required.

Thanks in advance !
--   dag wieers,  dagwieers.com,  http://dag.wieers.com/  
--
[all I want is a warm bed and a kind word and unlimited power]