2015-10-08 27 views
2

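SELinux preventing access to the Nagios configuration

I'm running Nagios 4 on CentOS 7, and everything works fine when SELinux is disabled. However, when I turn it on, I get this error in the interface: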

Whoops! 

Error: Could not open CGI config file '/etc/nagios/cgi.cfg' for reading! 

Here are some things you should check in order to resolve this error: 

Make sure you've installed a CGI config file in its proper location. See the error message about for details on where the CGI is expecting to find the configuration file. A sample CGI configuration file (named cgi.cfg) can be found in the sample-config/ subdirectory of the Nagios source code distribution. 
Make sure the user your web server is running as has permission to read the CGI config file. 
Make sure you read the documentation on installing and configuring Nagios thoroughly before continuing. If all else fails, try sending a message to one of the mailing lists. More information can be found at https://www.nagios.org. 

I tried checking with audit2why to see if I could get a clue about how to deal with this:

And I see this output:

type=AVC msg=audit(1444272414.200:15955): avc: denied { read } for pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file 

     Was caused by: 
       Missing type enforcement (TE) allow rule. 

       You can use audit2allow to generate a loadable module to allow this access. 

    type=AVC msg=audit(1444272474.545:15956): avc: denied { read } for pid=9116 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file 

      Was caused by: 
        Missing type enforcement (TE) allow rule. 

        You can use audit2allow to generate a loadable module to allow this access. 

If I check with audit2allow, this is what I see:

[root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow 


#============= httpd_sys_script_t ============== 
allow httpd_sys_script_t nagios_etc_t:file { read getattr open }; 

#============= httpd_t ============== 
allow httpd_t admin_home_t:file { write getattr open }; 
allow httpd_t etc_t:dir write; 
allow httpd_t etc_t:file write; 
allow httpd_t httpd_sys_rw_content_t:fifo_file getattr; 
allow httpd_t usr_t:fifo_file { write getattr open }; 

But I'm not really knowledgeable about SELinux, so I was hoping to get some advice on how to solve this problem.

Thanks

Answers

2

Grep audit.log for the word nagios and pipe the result into audit2allow with the -M flag:

grep nagios /var/log/audit/audit.log | audit2allow -M nagios 

This should create 2 files: a type enforcement file, nagios.te, and a policy package file, nagios.pp.

Use the semodule command to load the policy package:
semodule -i nagios.pp 

You're done.

Source:

+0

Hey! Thanks! I tried that. [root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow -M nagios ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i nagios.pp But when I try to install the module, I get an error: [root@monitor1:~] #semodule -i nagios.pp libsepol.print_missing_requirements: nagios's global requirements were not met: type/attribute nagios_etc_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! Any other ideas? – bluethundr

+1

Can you run 'semodule -l' and see whether 'nagios' is already listed? If so, change the name 'nagios' that you pass to the '-M' flag to 'nagios1' –

+0

Hey! That worked. I already had a module named nagios, so that's why this was happening. [root@monitor1:~] #semodule -i nagios1.pp [root@monitor1:~]# Thanks! – bluethundr
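
A narrower variant of the procedure in this thread, as an added example that is not part of the original posts: it feeds audit2allow only the httpd_sys_script_t to nagios_etc_t denial shown in the question (a plain grep for nagios also produced the httpd_t write rules in the question's audit2allow output) and picks a module name that `semodule -l` does not already list, which avoids the collision described in the comments. The function names and the module name nagios_cgi are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the thread). Type names are taken from the AVC
# record in the question; nagios_cgi is a hypothetical module name.

# Keep only AVC denials for one source-type/target-type pair (reads stdin).
filter_avc() {
    grep -E 'avc: +denied' |
        grep -E "scontext=[^: ]+:[^: ]+:$1:" |
        grep -E "tcontext=[^: ]+:[^: ]+:$2:"
}

# Print the first of <base>, <base>1, <base>2, ... that is not already in the
# `semodule -l` listing supplied on stdin (first column = module name).
free_module_name() (
    base=$1; name=$1; n=0
    taken=$(awk '{print $1}')
    while printf '%s\n' "$taken" | grep -qxF -- "$name"; do
        n=$((n + 1)); name="$base$n"
    done
    printf '%s\n' "$name"
)

# Constructed sample log: the first record is the denial from the question,
# the second is a made-up httpd_t denial that also contains "nagios".
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1444272414.200:15955): avc: denied { read } for pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file
type=AVC msg=audit(1444272500.000:15960): avc: denied { write } for pid=9200 comm="httpd" name="nagios.cfg" dev="xvda1" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Real run (root, with audit2allow and semodule installed): script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    name=$(semodule -l | free_module_name nagios_cgi)
    filter_avc httpd_sys_script_t nagios_etc_t < /var/log/audit/audit.log |
        audit2allow -M "$name"
    cat "$name.te"    # read the generated rules before loading anything
    echo "If the rules are acceptable: semodule -i $name.pp"
fi
```

Without `--apply` the script only defines the functions, so the filter can be tried on `sample_log` first.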