selinux 阻止 nagios 配置被访问

selinux prevents nagios config from being accessed

我是 运行 centos 7 下的 nagios 4。在禁用 SELinux 的情况下一切正常。但是当我启用它时,我在界面中收到此错误:

Whoops!

Error: Could not open CGI config file '/etc/nagios/cgi.cfg' for reading!

Here are some things you should check in order to resolve this error:

Make sure you've installed a CGI config file in its proper location. See the error message about for details on where the CGI is expecting to find the configuration file. A sample CGI configuration file (named cgi.cfg) can be found in the sample-config/ subdirectory of the Nagios source code distribution.
Make sure the user your web server is running as has permission to read the CGI config file.
Make sure you read the documentation on installing and configuring Nagios thoroughly before continuing. If all else fails, try sending a message to one of the mailing lists. More information can be found at https://www.nagios.org.

我尝试检查 audit2why 以查看是否可以找到有关如何处理此问题的线索:

我看到了这个输出:

type=AVC msg=audit(1444272414.200:15955): avc:  denied  { read } for  pid=9090 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

    type=AVC msg=audit(1444272474.545:15956): avc:  denied  { read } for  pid=9116 comm="status.cgi" name="cgi.cfg" dev="xvda1" ino=19230613 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file

            Was caused by:
                    Missing type enforcement (TE) allow rule.

                    You can use audit2allow to generate a loadable module to allow this access.

如果我检查 audit2allow,这就是我所看到的:

[root@monitor1:~] #grep nagios /var/log/audit/audit.log | audit2allow


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t nagios_etc_t:file { read getattr open };

#============= httpd_t ==============
allow httpd_t admin_home_t:file { write getattr open };
allow httpd_t etc_t:dir write;
allow httpd_t etc_t:file write;
allow httpd_t httpd_sys_rw_content_t:fifo_file getattr;
allow httpd_t usr_t:fifo_file { write getattr open };

但我对 SELinux 不是很了解。所以我希望我能得到一些关于如何解决这个问题的建议。

谢谢

grep 单词 nagiosaudit.log 并使用 -M 标志

将其通过管道传输到 audit2allow
grep nagios /var/log/audit/audit.log | audit2allow -M nagios

这应该创建 2 个文件:类型强制文件 nagios.te 和策略包文件 nagios.pp

使用semodule命令加载策略包:

semodule -i nagios.pp

大功告成。

来源: