Hi lists
it seems the rpmforge nagios package does not work out of the box if selinux is turned on. A log from someone complaining about it (the nagios cgis) not working:
---
[Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
[Thu Mar 01 15:58:30 2007] [notice] Digest: done
[Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
[Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
[Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
[Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
[Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
---
I would like to make proper rules for this rpm but I have absolutely no clue about selinux and policies. Any hints what to read, where to start?
Chris
On Mar 1, 2007, at 3:47 AM, Christoph Maser wrote:
> Hi lists
> it seems the rpmforge nagios package does not work out of the box if selinux is turned on. A log from someone complaining about it (the nagios cgis) not working:
>
> [Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
> [Thu Mar 01 15:58:30 2007] [notice] Digest: done
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
> [Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
> [Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
>
> I would like to make proper rules for this rpm but I have absolutely no clue about selinux and policies. Any hints what to read, where to start?
> Chris
I've found this helpful: http://fedoraproject.org/wiki/SELinux
-Jeff
On Thu, 1 Mar 2007 at 6:52am, Jeff Sheltren wrote
> On Mar 1, 2007, at 3:47 AM, Christoph Maser wrote:
> > I would like to make proper rules for this rpm but I have absolutely no clue about selinux and policies. Any hints what to read, where to start?
> I've found this helpful: http://fedoraproject.org/wiki/SELinux
And here's a recipe for making ganglia work with selinux that can easily be adapted to other packages:
http://sourceforge.net/mailarchive/message.php?msg_id=10659480
On 3/1/07, Christoph Maser <cmr@financial.com> wrote:
> it seems the rpmforge nagios package does not work out of the box if selinux is turned on. A log from someone complaining about it (the nagios cgis) not working:
The nagios mailing list archive has some rulesets for selinux that you can use, but depending on what you're monitoring, you have to open up a fair amount of stuff.
On Thursday, 01.03.2007, at 08:24 -0500, Jim Perrin wrote:
> The nagios mailing list archive has some rulesets for selinux that you can use, but depending on what you're monitoring, you have to open up a fair amount of stuff.
Thanks for that and all the other answers. So far I think only the cgis won't run with selinux enabled but I will do a complete test with some simple checks. Another question: is there anything special one should consider when distributing selinux rules inside an rpm?
Chris
Christoph Maser wrote:
> On Thursday, 01.03.2007, at 08:24 -0500, Jim Perrin wrote:
> > The nagios mailing list archive has some rulesets for selinux that you can use, but depending on what you're monitoring, you have to open up a fair amount of stuff.
> Thanks for that and all the other answers. So far I think only the cgis won't run with selinux enabled but I will do a complete test with some simple checks. Another question: is there anything special one should consider when distributing selinux rules inside an rpm?
> Chris
This conversation isn't centos-devel related; it needs to go to either the nagios lists or the rpmforge lists.
- KB
On Thu, 1 Mar 2007, Christoph Maser wrote:
> it seems the rpmforge nagios package does not work out of the box if selinux is turned on. A log from someone complaining about it (the nagios cgis) not working:
>
> [Thu Mar 01 15:58:30 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Mar 01 15:58:30 2007] [notice] Digest: generating secret for digest authentication ...
> [Thu Mar 01 15:58:30 2007] [notice] Digest: done
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Mar 01 15:58:30 2007] [notice] LDAP: SSL support unavailable
> [Thu Mar 01 15:58:30 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
> [Thu Mar 01 15:58:30 2007] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/status.cgi' failed, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:38 2007] [error] [client 127.0.0.1] Premature end of script headers: status.cgi, referer: http://127.0.0.1/nagios/side.html
> [Thu Mar 01 15:58:39 2007] [error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/lib/nagios/cgi/tac.cgi' failed, referer: http://127.0.0.1/nagios/side.html
>
> I would like to make proper rules for this rpm but I have absolutely no clue about selinux and policies. Any hints what to read, where to start?
Yes, selinux is pretty complicated and I have no good experience of it myself. I always put it to permissive. I would love to add selinux capabilities to my packages, though I don't know how I can help you with it.
Please let me know if you have learned more and tell me what specific changes are required.
Thanks in advance!
--
dag wieers, dag@wieers.com, http://dag.wieers.com/
[all I want is a warm bed and a kind word and unlimited power]