Re: Auto-discovery error: "XML was not valid"

Posted: Fri Apr 07, 2017 11:18 am
by lmiltchev
The way I see it this is a bug, not a feature request or enhancement. I know Nagios XI is not officially supported running under SELinux, but even in permissive mode, the .xml file is created with the ownership of root:root and permissions 640, which is too restrictive for the system to work with.
We are not able to recreate this issue in house. When SELinux is in permissive mode, the permissions on the .xml file are set to 644. We tested this in CentOS/RHEL 6 & 7.

Code:

[root@TEST_XI_CentOS_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[root@TEST_XI_CentOS_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 176
-rw-r--r--. 1 apache apache 134419 Apr  7 10:53 32Rhe7.out
-rw-r--r--. 1 apache apache      0 Apr  7 10:51 32Rhe7.watch
-rw-r--r--. 1 root   root    44264 Apr  7 10:53 32Rhe7.xml

[root@TEST_XI_RHEL_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[root@TEST_XI_RHEL_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 4160 Apr  7 11:04 YRQ9PE.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:04 YRQ9PE.watch
-rw-r--r--. 1 root   root   1241 Apr  7 11:04 YRQ9PE.xml

[root@TEST_XI_CentOS_7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@TEST_XI_CentOS_7 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 176
-rw-r--r--. 1 apache apache 132952 Apr  7 11:04 jjDYIc.out
-rw-r--r--. 1 apache apache      0 Apr  7 10:58 jjDYIc.watch
-rw-r--r--. 1 root   root    42474 Apr  7 11:04 jjDYIc.xml

[root@TEST_XI_RHEL_7 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@TEST_XI_RHEL_7 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 5413 Apr  7 11:06 3pcrIk.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:06 3pcrIk.watch
-rw-r--r--. 1 root   root   1728 Apr  7 11:06 3pcrIk.xml
Regardless of the fact that the owner/group is "root", there are no issues with running the "Auto-Discovery" wizard.

Having said that, I will try to lab this one more time on Nagios XI 5.2.9 (I tested this on latest).

You said you were using the Auto-discovery wizard 1.4.0. What is the version of the "Auto-Discovery" component that you are currently using (Admin->Manage Components)?

Re: Auto-discovery error: "XML was not valid"

Posted: Fri Apr 07, 2017 11:35 am
by lmiltchev
Update: I tested running the Auto-Discovery wizard on Nagios XI 5.2.9 with SELinux in "permissive" mode, Auto-Discovery wizard ver. 1.4.0, and Auto-Discovery component ver. 2.2.3.

The scan finished successfully. I don't see any errors in the web UI, and the permissions of the .xml file are set to 644.

Code:

[root@TEST_XI_RHEL_6 ~]# uname -a
Linux TEST_XI_RHEL_6 2.6.32-642.11.1.el6.x86_64 #1 SMP Wed Oct 26 10:25:23 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@TEST_XI_RHEL_6 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)

[root@TEST_XI_RHEL_6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

[root@TEST_XI_RHEL_6 ~]# ll /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/
total 12
-rw-r--r--. 1 apache apache 4970 Apr  7 11:24 bv8hki.out
-rw-r--r--. 1 apache apache    0 Apr  7 11:24 bv8hki.watch
-rw-r--r--. 1 root   root   1603 Apr  7 11:24 bv8hki.xml

Re: Auto-discovery error: "XML was not valid"

Posted: Mon Apr 10, 2017 5:54 am
by mvndnburg
lmiltchev wrote: You said you were using the Auto-discovery wizard 1.4.0. What is the version of the "Auto-Discovery" component that you are currently using (Admin->Manage Components)?
The Auto-Discovery component has version 2.2.4.

Re: Auto-discovery error: "XML was not valid"

Posted: Mon Apr 10, 2017 6:41 am
by mvndnburg
lmiltchev wrote: Update: I tested running the Auto-Discovery wizard on Nagios XI 5.2.9 with SELinux in "permissive" mode, Auto-Discovery wizard ver. 1.4.0, and Auto-Discovery component ver. 2.2.3.

The scan finished successfully. I don't see any errors in the web UI, and the permissions of the .xml file are set to 644.
Thanks for diving into this again :)

We cannot run in 'permissive' mode - we have to run in 'enforcing' mode.

When I set the httpd_sys_rw_content_t context on the jobs directory, the three files are generated. This is a step in the right direction because context changes we are allowed to make.

However, the permissions on the XML file are still 640, root.root.

Is there something I can do so that the file is created with the permissions 644?
Can you tell me - what's the setting of umask on your host?

Re: Auto-discovery error: "XML was not valid"

Posted: Mon Apr 10, 2017 11:38 am
by lmiltchev
Can you tell me - what's the setting of umask on your host?

Code:

# umask
0022
Running Nagios XI under SELinux in "enforcing" mode is NOT supported. If you wish to go this route, make sure you try it in the test environment first, before implementing the changes in production. Each Nagios XI license is approved for up to three installations: one primary monitoring/production, one backup/failover, and one test environment.

FYI, in the next release of Nagios XI the ownership of the xml files will be changed to nagios:nagios. This *may* help.

Re: Auto-discovery error: "XML was not valid"

Posted: Tue Apr 11, 2017 7:06 am
by mvndnburg
Running Nagios XI under SELinux in "enforcing" mode is NOT supported.
I'm aware of that. We're a financial institution though, and we need to go the extra mile to close things up. It's a pain, configuring Nagios to run with SELinux in enforcing mode, but we're getting there. We run both the test and the production environment in enforcing mode.

Our umask setting is 0077 - new files are created with permissions 600. That'll be the cause of the permission issue on the xml file, then.

I'm glad to read that the ownership will be changed to non-root with the next release. Perhaps this will solve the issue :)
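
Added example (not part of the thread and not Nagios XI code): a small check of how the creating process's umask decides whether a root-owned job file is readable by another account such as apache. It assumes GNU `stat` as shipped on CentOS/RHEL; the function names and the `job.xml` file name are made up for the illustration.

```shell
#!/bin/sh
# Constructed illustration: files are created in a throwaway temp directory,
# not in the Nagios XI jobs directory.

# Create an empty file under the given umask and print its octal mode.
# The umask is changed in a subshell, so the caller's umask is untouched.
mode_under_umask() {
    _dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$_dir/job.xml" ) || { rm -rf "$_dir"; return 1; }
    stat -c '%a' "$_dir/job.xml"
    rm -rf "$_dir"
}

# Succeed if the "other" read bit is set in an octal mode such as 644.
# A root:root file is readable by an unrelated account only in that case
# (assuming no ACLs, and that SELinux policy also permits the access).
other_can_read() {
    _other=${1#"${1%?}"}          # last octal digit = bits for "other"
    [ $(( _other & 4 )) -ne 0 ]
}

# List "<mode> <name>" for regular files in a directory that lack the
# "other" read bit, i.e. candidates for the symptom discussed above.
unreadable_by_other() {
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _m=$(stat -c '%a' "$_f")
        other_can_read "$_m" || printf '%s %s\n' "$_m" "${_f##*/}"
    done
}

# Compare the two umask values mentioned in the thread.
for _u in 0022 0077; do
    _m=$(mode_under_umask "$_u")
    if other_can_read "$_m"; then _r=yes; else _r=no; fi
    printf 'umask %s -> mode %s, readable by other: %s\n' "$_u" "$_m" "$_r"
done
```

Pointing `unreadable_by_other` at a jobs directory shows which files a non-owner account cannot open without changing anything on disk.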

Re: Auto-discovery error: "XML was not valid"

Posted: Tue Apr 11, 2017 12:56 pm
by cdienger
Was there anything else we can help with regarding this thread or is it safe to close?

Re: Auto-discovery error: "XML was not valid"

Posted: Wed Apr 12, 2017 2:43 am
by mvndnburg
I think the thread can be closed.
I keep the action item on my side, re-evaluating when the next release comes out.