【Title】: selinux prevents nagios config from being accessed
【Posted】: 2017-05-11 21:21:58
【Question】:

I am running nagios 4 under CentOS 7. With SELinux disabled everything works fine. But when I enable it, I get this error in the interface:

Whoops!

Error: Could not open CGI config file '/etc/nagios/cgi.cfg' for reading!

Here are some things you should check in order to resolve this error:

Make sure you've installed a CGI config file in its proper location. See the error message about for details on where the CGI is expecting to find the configuration file. A sample CGI configuration file (named cgi.cfg) can be found in the sample-config/ subdirectory of the Nagios source code distribution.
Make sure the user your web server is running as has permission to read the CGI config file.
Make sure you read the documentation on installing and configuring Nagios thoroughly before continuing. If all else fails, try sending a message to one of the mailing lists. More information can be found at https://www.nagios.org.

I tried checking audit2why to see whether I could figure out how to handle this:

I saw this output:

type=AVC msg=audit(1444272414.200:15955): avc:  denied  { read } for  pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1444272474.545:15956): avc:  denied  { read } for  pid=9116 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

If I check audit2allow, this is what I see:

[root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t nagios_etc_t:file { read getattr open };

#============= httpd_t ==============
allow httpd_t admin_home_t:file { write getattr open };
allow httpd_t etc_t:dir write;
allow httpd_t etc_t:file write;
allow httpd_t httpd_sys_rw_content_t:fifo_file getattr;
allow httpd_t usr_t:fifo_file { write getattr open };

But I don't know much about SELinux, so I'm hoping for some advice on how to resolve this.

Thanks

【Discussion】:

    Tags: nagios selinux


    【Solution 1】:

    grep audit.log for the word nagios and pipe it to audit2allow with the -M flag

    grep nagios /var/log/audit/audit.log | audit2allow -M nagios
    

    That should create 2 files: a type enforcement file nagios.te and a policy package file nagios.pp

    Load the policy package with the semodule command:

    semodule -i nagios.pp
    

    You're done.


    【Comments】:

    • Hey! Thanks! I tried it. [root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow -M nagios ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i nagios.pp But when I try to install the module I get an error: [root@monitor1:~] #semodule -i nagios.pp libsepol.print_missing_requirements: nagios's global requirements were not met: type/attribute nagios_etc_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! Any other ideas?
    • Can you run semodule -l to see whether nagios is already listed? If so, change the name nagios that you pass to the -M flag to something else, like nagios1
    • Hey! That worked. I already had a module called nagios, so that's why this was happening. [root@monitor1:~] #semodule -i nagios1.pp [root@monitor1:~] # Thanks!
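The script below is an added example; it is not code from the question, the answer or the Nagios project. It reproduces the two steps of the procedure above in a form that can be checked without an SELinux host: an awk parser that derives the same `allow` lines audit2allow produced in the question from raw AVC lines, and a helper that picks a module name not already listed by `semodule -l`, which is the collision the comments hit (installing a second module named `nagios` replaces the distribution's nagios policy module, and with it the `nagios_etc_t` type the new module requires, hence the "global requirements were not met" error). The sample log lines are constructed; the `getattr`/`open` denial and the `httpd_t` write denial are assumed from the audit2allow output in the question. `build_and_load_module` wires the real tools together and is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
#   avc_to_allow_rules  - offline reconstruction of audit2allow's allow rules
#   pick_module_name    - avoid clobbering an installed module of the same name
#   build_and_load_module - the answer's procedure with the real tools (not run here)

# Constructed sample audit log. Lines 1 and 3 mirror the question's denial
# (the getattr/open permissions are assumed, audit2allow merged them into one
# rule); line 4 is one of the unrelated httpd_t denials the grep also matches.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1444272414.200:15955): avc:  denied  { read } for  pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1444272414.200:15955): arch=c000003e syscall=2 success=no exit=-13 comm="status.cgi"
type=AVC msg=audit(1444272474.545:15956): avc:  denied  { getattr open } for  pid=9116 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file
type=AVC msg=audit(1444272480.100:15957): avc:  denied  { write } for  pid=9120 comm="httpd" name="hosts" dev="xvda1" ino=19230700 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)

# Usage: avc_to_allow_rules < audit.log
# Emits one "allow SRC TGT:CLASS { perms };" per (source type, target type,
# class), merging the permissions of all matching denials, sorted for stable output.
avc_to_allow_rules() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      i = index($0, "{"); j = index($0, "}")
      perms = substr($0, i + 1, j - i - 1)
      sub(/^ +/, "", perms); sub(/ +$/, "", perms)
      stype = ""; ttype = ""; tclass = ""
      for (k = 1; k <= NF; k++) {
        if ($k ~ /^scontext=/)      { split(substr($k, 10), a, ":"); stype = a[3] }
        else if ($k ~ /^tcontext=/) { split(substr($k, 10), a, ":"); ttype = a[3] }
        else if ($k ~ /^tclass=/)   { tclass = substr($k, 8) }
      }
      if (stype == "" || ttype == "" || tclass == "") next
      key = stype " " ttype ":" tclass
      n = split(perms, p, " ")
      for (k = 1; k <= n; k++)
        if (!((key, p[k]) in seen)) { seen[key, p[k]] = 1; rules[key] = rules[key] " " p[k] }
    }
    END { for (key in rules) printf "allow %s {%s };\n", key, rules[key] }
  ' | sort
}

# Usage: pick_module_name WANTED LISTFILE
# LISTFILE holds the output of `semodule -l` (one module per line, name in the
# first column; the version column CentOS 7 prints is ignored). Prints WANTED
# if no such module is installed, otherwise WANTED1, WANTED2, ... until free.
pick_module_name() {
  wanted=$1; listfile=$2; i=0; candidate=$wanted
  while awk -v n="$candidate" '$1 == n { found = 1 } END { exit !found }' "$listfile"; do
    i=$((i + 1)); candidate="$wanted$i"
  done
  printf '%s\n' "$candidate"
}

# The answer's procedure with the real tools; run as root on the Nagios host.
# Not executed by this demo. The generated .te file is printed before loading
# so it can be reviewed: every line matching "nagios" ends up in it, including
# the httpd_t -> etc_t write rules from the question, which grant the web
# server far more than reading cgi.cfg requires.
build_and_load_module() {
  wanted=$1; log=${2:-/var/log/audit/audit.log}
  listfile=$(mktemp) || return 1
  semodule -l > "$listfile"
  name=$(pick_module_name "$wanted" "$listfile")
  rm -f "$listfile"
  grep nagios "$log" | audit2allow -M "$name" || return 1
  cat "$name.te"
  semodule -i "$name.pp"
}

# Offline demo on the constructed log.
demo_rules() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_allow_rules
}

demo_rules
```

On the constructed log `demo_rules` prints `allow httpd_sys_script_t nagios_etc_t:file { read getattr open };`, the same rule audit2allow produced in the question, plus `allow httpd_t etc_t:file { write };`. That second rule is the reason to read the `.te` file before `semodule -i`: a grep for `nagios` picks up every denial mentioning the word, and the question's output already shows `httpd_t` being granted writes to `etc_t` and `admin_home_t`, which has nothing to do with the CGI reading its config. Delete rules you do not need from the `.te` file and rebuild the package before loading it.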