Permission denied: exec of /usr/local/nagios/sbin/tac.cgi

Posted: Thu Aug 09, 2012 11:01 pm
by tlum
I want to pass this along because I've seen a lot of people pulling their hair out over it and it's not an easy one to find if you're not familiar with SELinux and context.

On a system with SELinux enabled you get a Permission Denied in the error_log:

(13)Permission denied: exec of '/usr/local/nagios/sbin/tac.cgi'

This is caused not by the file permissions, which people make themselves insane over, but by the SELinux context.

Files installed in /usr/local/nagios/sbin will have the default context like:

(root@nm2srvp01:/)$ ls -Z /usr/local/nagios
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   bin
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   etc
drwxr-xr-x. root   root   unconfined_u:object_r:usr_t:s0   include
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   libexec
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   sbin
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   share
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   var

and

(root@nm2srvp01:/)$ ls -Z /usr/local/nagios/sbin
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 avail.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 cmd.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 config.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 extinfo.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 histogram.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 history.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 notifications.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 outages.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 showlog.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 status.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 statusmap.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 statuswml.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 statuswrl.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 summary.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 tac.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 trends.cgi

which causes SELinux to block access. In order to make this work on a system with SELinux active, the directory and files need their context updated. This is done with chcon:

(root@nm2srvp01:/)$ chcon -v --type=httpd_sys_content_t /usr/local/nagios/sbin
changing security context of `/usr/local/nagios/sbin'

(root@nm2srvp01:/)$ chcon -v --type=httpd_sys_content_t /usr/local/nagios/sbin/*
changing security context of `/usr/local/nagios/sbin/avail.cgi'
changing security context of `/usr/local/nagios/sbin/cmd.cgi'
changing security context of `/usr/local/nagios/sbin/config.cgi'
changing security context of `/usr/local/nagios/sbin/extinfo.cgi'
changing security context of `/usr/local/nagios/sbin/histogram.cgi'
changing security context of `/usr/local/nagios/sbin/history.cgi'
changing security context of `/usr/local/nagios/sbin/notifications.cgi'
changing security context of `/usr/local/nagios/sbin/outages.cgi'
changing security context of `/usr/local/nagios/sbin/showlog.cgi'
changing security context of `/usr/local/nagios/sbin/status.cgi'
changing security context of `/usr/local/nagios/sbin/statusmap.cgi'
changing security context of `/usr/local/nagios/sbin/statuswml.cgi'
changing security context of `/usr/local/nagios/sbin/statuswrl.cgi'
changing security context of `/usr/local/nagios/sbin/summary.cgi'
changing security context of `/usr/local/nagios/sbin/tac.cgi'
changing security context of `/usr/local/nagios/sbin/trends.cgi'

Afterwards you should have:

(root@nm2srvp01:/)$ ls -Z /usr/local/nagios
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   bin
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   etc
drwxr-xr-x. root   root   unconfined_u:object_r:usr_t:s0   include
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   libexec
drwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 sbin
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   share
drwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   var

(root@nm2srvp01:/)$ ls -Z /usr/local/nagios/sbin
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 avail.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 cmd.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 config.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 extinfo.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 histogram.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 history.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 notifications.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 outages.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 showlog.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 status.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 statusmap.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 statuswml.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 statuswrl.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 summary.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 tac.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 trends.cgi

...and life should be good. Pass it along.
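
An added example, not part of tlum's post: a shell check that reads `ls -Z` output like the listings above and reports entries whose SELinux type is not the expected one, and that prints the `semanage fcontext` and `restorecon` commands which record the label in local policy so it survives a filesystem relabel (a `chcon` change does not). The function names and the sample listing are constructed for illustration; the type and directory are parameters, filled here with the values from the post.

```shell
#!/bin/sh
# Added example: audit SELinux types in `ls -Z` output (function names are illustrative).

# mislabeled EXPECTED_TYPE
# Reads `ls -Z` lines on stdin; prints "name type" for each entry whose
# SELinux type differs from EXPECTED_TYPE. Works whether or not the
# mode/owner/group columns are present, because it locates the context field.
mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i < NF; i++) {
            n = split($i, c, ":")        # context = user:role:type:level
            if (n >= 4 && c[2] ~ /_r$/) {
                if (c[3] != want) print $NF, c[3]
                next
            }
        }
    }'
}

# persist_cmds TYPE DIR
# Prints (does not run) the commands that record TYPE for DIR in the local
# file-context policy and then apply it. chcon alone is undone by a relabel.
persist_cmds() {
    t=$1
    d=${2%/}
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$t" "$d"
    printf 'restorecon -Rv %s\n' "$d"
}

# Constructed sample: the post's listing after chcon, plus one file copied
# in later that still carries the default usr_t type.
sample_listing() {
    cat <<'EOF'
(root@nm2srvp01:/)$ ls -Z /usr/local/nagios/sbin
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 status.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:httpd_sys_content_t:s0 tac.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 trends.cgi
EOF
}

sample_listing | mislabeled httpd_sys_content_t
persist_cmds httpd_sys_content_t /usr/local/nagios/sbin
```

On a live host, pipe the real listing in instead of the sample, for example `ls -Z /usr/local/nagios/sbin | mislabeled httpd_sys_content_t`.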

Re: Permission denied: exec of /usr/local/nagios/sbin/tac.cg

Posted: Fri Aug 10, 2012 10:30 am
by agriffin
Thanks for sharing!