Changing context of CGI files for SELinux

ALTAES
Posts: 2
Joined: Fri Jan 26, 2018 6:14 am

Changing context of CGI files for SELinux

Post by ALTAES »

I currently have Nagios 4.3.4 successfully running on the server (it has a PID),
but I get a Whoops error on the web interface.
It's a package-installed version of Nagios on Red Hat 7.

# nagios -v nagios.cfg :

Code:

Nagios Core 4.3.4
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 2017-08-24
License: GPL

Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...

Running pre-flight check on configuration data...

Checking objects...
        Checked 445 services.
        Checked 117 hosts.
        Checked 24 host groups.
        Checked 0 service groups.
        Checked 1 contacts.
        Checked 4 contact groups.
        Checked 14 commands.
        Checked 6 time periods.
        Checked 0 host escalations.
        Checked 0 service escalations.
Checking for circular paths...
        Checked 117 hosts
        Checked 0 service dependencies
        Checked 0 host dependencies
        Checked 6 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
# systemctl restart nagios :

Code:

[1522066961] LOG VERSION: 2.0
[1522066961] qh: Socket '/var/spool/nagios/cmd/nagios.qh' successfully initialized
[1522066961] qh: core query handler registered
[1522066961] nerd: Channel hostchecks registered successfully
[1522066961] nerd: Channel servicechecks registered successfully
[1522066961] nerd: Channel opathchecks registered successfully
[1522066961] nerd: Fully initialized and ready to rock!
[1522066961] wproc: Successfully registered manager as @wproc with query handler
[1522066961] wproc: Registry request: name=Core Worker 6832;pid=6832
[1522066961] wproc: Registry request: name=Core Worker 6834;pid=6834
[1522066961] wproc: Registry request: name=Core Worker 6831;pid=6831
[1522066961] wproc: Registry request: name=Core Worker 6833;pid=6833
[1522066961] Successfully launched command file worker with pid 6835
# more nagios.cfg :

Code:

log_file=/var/log/nagios/nagios.log
cfg_dir=/etc/nagios/hosts
cfg_dir=/etc/nagios/hostgroups
cfg_dir=/etc/nagios/services
cfg_dir=/etc/nagios/servicegroups
cfg_dir=/etc/nagios/contacts
cfg_dir=/etc/nagios/contactgroups
cfg_dir=/etc/nagios/timeperiods
cfg_dir=/etc/nagios/templates
cfg_dir=/etc/nagios/commands
object_cache_file=/var/spool/nagios/objects.cache
precached_object_file=/var/spool/nagios/objects.precache
resource_file=/etc/nagios/private/resource.cfg
status_file=/var/log/nagios/status.dat
status_update_interval=10
nagios_user=nagios
nagios_group=nagios
check_external_commands=1
command_file=/var/spool/nagios/cmd/nagios.cmd
lock_file=/var/run/nagios/nagios.pid
temp_file=/var/spool/nagios/nagios.tmp
temp_path=/tmp
event_broker_options=-1
log_rotation_method=d
log_archive_path=/var/log/nagios/archives
use_syslog=1
log_notifications=1
log_service_retries=1
log_host_retries=1
log_event_handlers=1
log_initial_states=0
log_current_states=1
log_external_commands=1
log_passive_checks=1
service_inter_check_delay_method=s
max_service_check_spread=30
service_interleave_factor=s
host_inter_check_delay_method=s
max_host_check_spread=30
max_concurrent_checks=0
check_result_reaper_frequency=10
max_check_result_reaper_time=30
check_result_path=/var/spool/nagios/checkresults
max_check_result_file_age=3600
cached_host_check_horizon=15
cached_service_check_horizon=15
enable_predictive_host_dependency_checks=1
enable_predictive_service_dependency_checks=1
soft_state_dependencies=0
auto_reschedule_checks=0
auto_rescheduling_interval=30
auto_rescheduling_window=180
service_check_timeout=60
host_check_timeout=30
event_handler_timeout=30
notification_timeout=30
ocsp_timeout=5
perfdata_timeout=5
retain_state_information=1
state_retention_file=/var/log/nagios/retention.dat
retention_update_interval=60
use_retained_program_state=1
use_retained_scheduling_info=1
retained_host_attribute_mask=0
retained_service_attribute_mask=0
retained_process_host_attribute_mask=0
retained_process_service_attribute_mask=0
retained_contact_host_attribute_mask=0
retained_contact_service_attribute_mask=0
interval_length=60
check_for_updates=1
bare_update_check=0
use_aggressive_host_checking=0
execute_service_checks=1
accept_passive_service_checks=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
process_performance_data=0
obsess_over_services=0
obsess_over_hosts=0
translate_passive_host_checks=0
passive_host_checks_are_soft=0
check_for_orphaned_services=1
check_for_orphaned_hosts=1
check_service_freshness=1
service_freshness_check_interval=60
service_check_timeout_state=c
check_host_freshness=0
host_freshness_check_interval=60
additional_freshness_latency=15
enable_flap_detection=1
low_service_flap_threshold=5.0
high_service_flap_threshold=20.0
low_host_flap_threshold=5.0
high_host_flap_threshold=20.0
date_format=us
illegal_object_name_chars=`~!$%^&*|'"<>?,()=
illegal_macro_output_chars=`~$&|'"<>
use_regexp_matching=0
use_true_regexp_matching=0
admin_email=nagios@localhost
admin_pager=pagenagios@localhost
daemon_dumps_core=0
use_large_installation_tweaks=0
enable_environment_macros=0
debug_level=0
debug_verbosity=1
debug_file=/var/log/nagios/nagios.debug
max_debug_file_size=1000000
allow_empty_hostgroup_assignment=0
Thank you.
Last edited by ALTAES on Fri Mar 30, 2018 6:25 am, edited 1 time in total.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios running, Whoops error on web interface

Post by scottwilkerson »

Make sure SELinux is in permissive mode.

https://support.nagios.com/forum/viewto ... 81#p213037
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com

Re: Nagios running, Whoops error on web interface

Post by ALTAES »

It was, indeed, my SELinux mode that was blocking the CGI.
I've set it to permissive instead of enforcing. However, this just postpones the problem.
I'd like to have it on enforcing and to have Nagios running at the same time, which means that I need to change the
context of the CGI files.

Here are the current ones:

Code:

-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/archivejson.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/avail.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/cmd.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/config.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/extinfo.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/histogram.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/history.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/notifications.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/objectjson.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/outages.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/showlog.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/status.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/statusjson.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/statusmap.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/statuswml.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/statuswrl.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/summary.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/tac.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/trends.cgi
But when I try to change it, I get an error:

Code:

# semanage fcontext -a -t httpd_sys_script_exec_t /usr/lib64/nagios/cgi-bin/

   ValueError: File spec /usr/lib64/nagios/cgi-bin/ conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/nagios/cgi-bin/' instead.

Re: Nagios running, Whoops error on web interface

Post by scottwilkerson »

I'm really not a great selinux configurer, but it looks like there is already a conflicting context set.

I'll leave the thread open so another user can chime in if they know how to resolve this.
Locked
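
Added example, not part of the thread or of Nagios: a shell sketch that rewrites the file spec through the `/usr/lib64 /usr/lib` equivalency rule named in the `semanage` error, and prints the resulting commands for review instead of running them. The function names are hypothetical, `httpd_sys_script_exec_t` is simply the type the poster chose, and the second sample line is constructed.

```shell
#!/bin/sh
# Constructed sample in the `ls -Z` format shown in the thread (RHEL 7):
# the first line carries the type from the thread, the second a different one.
SAMPLE_LS_Z='-rwxrwxr-x. nagios nagios system_u:object_r:nagios_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/status.cgi
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/lib64/nagios/cgi-bin/tac.cgi'

# Rewrite PATH through one equivalency rule "SRC DST" (here '/usr/lib64 /usr/lib').
# Only whole path components match, so /usr/lib64x is left alone.
apply_equiv() (
    path=${1%/}; src=$2; dst=$3
    case "$path" in
        "$src" | "$src"/*)
            rest=${path#"$src"}
            printf '%s%s\n' "$dst" "$rest" ;;
        *)  printf '%s\n' "$path" ;;
    esac
)

# Build the file spec for a directory and everything beneath it.
# File specs are anchored regexes: a spec ending in '/' matches only that
# literal string, never the files inside, hence the '(/.*)?' suffix.
fcontext_spec() {
    printf '%s(/.*)?\n' "$(apply_equiv "$1" /usr/lib64 /usr/lib)"
}

# Print (do not execute) the rule and the relabel command for DIR and TYPE.
plan_relabel() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$(fcontext_spec "$1")"
    printf 'restorecon -Rv %s\n' "${1%/}"
}

# Read `ls -Z` lines on stdin and print the paths whose type is not TYPE,
# to confirm the labels before and after relabelling.
not_of_type() {
    awk -v want="$1" '{ split($4, ctx, ":"); if (ctx[3] != want) print $5 }'
}

plan_relabel /usr/lib64/nagios/cgi-bin/ httpd_sys_script_exec_t
printf '%s\n' "$SAMPLE_LS_Z" | not_of_type nagios_script_exec_t
```

Before changing any label, `ausearch -m avc -ts recent` shows which access SELinux actually denied, which tells you whether the file type is the cause at all.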