Auto-discovery error: "XML was not valid"

[lmiltchev]

The way I see it this is a bug, not a feature request or enhancement. I know Nagios XI is not officially supported running under SELinux, but even in permissive mode, the .xml file is created with the ownersjip of root:root and permissions 640, which is too restrictive for the system to work with.

We are not able to recreate this issue in house. When SELinux is in permissive mode, the permissions on the .xml file are set to 644. We tested this in CentOS/RHEL 6 & 7.

Code: Select all

[root@TEST_XI_CentOS_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[root@TEST_XI_CentOS_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 176
-rw-r--r--. 1 apache apache 134419 Apr  7 10:53 32Rhe7.out
-rw-r--r--. 1 apache apache      0 Apr  7 10:51 32Rhe7.watch
-rw-r--r--. 1 root   root    44264 Apr  7 10:53 32Rhe7.xml

[root@TEST_XI_RHEL_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[root@TEST_XI_RHEL_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 4160 Apr  7 11:04 YRQ9PE.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:04 YRQ9PE.watch
-rw-r--r--. 1 root   root   1241 Apr  7 11:04 YRQ9PE.xml

[root@TEST_XI_CentOS_7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@TEST_XI_CentOS_7 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 176
-rw-r--r--. 1 apache apache 132952 Apr  7 11:04 jjDYIc.out
-rw-r--r--. 1 apache apache      0 Apr  7 10:58 jjDYIc.watch
-rw-r--r--. 1 root   root    42474 Apr  7 11:04 jjDYIc.xml

[root@TEST_XI_RHEL_7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@TEST_XI_RHEL_7 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 5413 Apr  7 11:06 3pcrIk.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:06 3pcrIk.watch
-rw-r--r--. 1 root   root   1728 Apr  7 11:06 3pcrIk.xml

Regardless of the fact that the owner/group is "root", there are no issues with running the "Auto-Discovery" wizard.

Having said that, I will try to lab this one more time on Nagios XI 5.2.9 (I tested this on latest).

You said you were using the Auto-discovery wizard 1.4.0. What is the version of the "Auto-Discovery" component that you are currently using (Admin->Manage Components)?

[lmiltchev]

Update: I tested running the Auto-Discovery wizard on Nagios XI 5.2.9 with SELinux in "permissive" mode, Auto-Discovery wizard ver. 1.4.0, and Auto-Discovery component ver. 2.2.3.

The scan finished successfully. I don't see any errors in the web UI, and the permissions of the .xml file are set to 644.

Code: Select all

[root@TEST_XI_RHEL_6 ~]# uname -a
Linux TEST_XI_RHEL_6 2.6.32-642.11.1.el6.x86_64 #1 SMP Wed Oct 26 10:25:23 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@TEST_XI_RHEL_6 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)

[root@TEST_XI_RHEL_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

[root@TEST_XI_RHEL_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 4970 Apr  7 11:24 bv8hki.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:24 bv8hki.watch
-rw-r--r--. 1 root   root   1603 Apr  7 11:24 bv8hki.xml

[mvndnburg]

You said you were using the Auto-discovery wizard 1.4.0. What is the version of the "Auto-Discovery" component that you are currently using (Admin->Manage Components)?

The Auto-Discovery component has version 2.2.4.

[mvndnburg]

Update: I tested running the Auto-Discovery wizard on Nagios XI 5.2.9 with SELinux in "permissive" mode, Auto-Discovery wizard ver. 1.4.0, and Auto-Discovery component ver. 2.2.3.

The scan finished successfully. I don't see any errors in the web UI, and the permissions of the .xml file are set to 644.

Thanks for diving into this again

We cannot run in 'permissive' mode - we have to run in 'enforcing' mode.

When I set the httpd_sys_rw_content_t context on the jobs directory, the three files are generated. This is a step in the right direction because context changes we are allowed to make.

However, the permissions on the XML file are still 640, root.root.

Is there something I can do so that the file is created with the permissions 644?
Can you tell me - what's the setting of umask on your host?

[lmiltchev]

Can you tell me - what's the setting of umask on your host?

Code: Select all

# umask
0022

Running Nagios XI under SELinux in "enforcing" mode is NOT supported. If you wish to go this route, make sure you try it in the test environment first, before implementing the changes in production. Each Nagios XI license is approved for up to three installations: one primary monitoring/production, one backup/failover, and one test environment.

FYI, in the next release of Nagios XI the ownership of the xml files will be changed to nagios:nagios. This *may* help.

[mvndnburg]

Running Nagios XI under SELinux in "enforcing" mode is NOT supported.

I'm aware of that. We're a financial institution though, and we need to go the extra mile to close things up. It's a pain, configuring Nagios to run with SElinux in enforcing mode, but we're getting there. We run both the test and the production environment in enforcing mode.

Our umask setting is 0077 - new files are created with permissions 600. That'll be cause the permission issue on the xml file, then.

I'm glad to read that the ownership will be changed to non-root with the next release. Perhaps this will solve the issue

[cdienger]

Was there anything else we can help with regarding this thread or is it safe to close?

[mvndnburg]

I think the thread can be closed.
I keep the action item on my side, re-evaluating when the next release comes out.