Archive for the 'SELinux' Category

Pixel not working on FC6

Friday, November 3rd, 2006

I just came across this fabulous image manipulation program called Pixel, but it does not want to run or install under Fedora Core 6 (and I believe FC5, too). The problem is that SELinux is getting in the way: Pixel needs execmem privileges to install and run. The easiest thing to do for now is to allow execmem with the following command:

sudo setsebool allow_execmem=1

You can always turn that off after running Pixel.

FC6, SELinux and Nagios

Sunday, October 29th, 2006

I love Nagios, but have been having issues with it running under the SELinux targeted policy. I’ve finally made it work with no more AVC’s or other errors (so far!). Here is what I have done to get it to work:

  1. Install nagios.
    1. sudo yum install nagios
    2. sudo yum install 'nagios-plugins-*'
  2. Make changes to nagios configuration to account for your situation.
  3. Make certain the permissions are correct.
    1. User apache needs read access to cfg files in /etc/nagios.
    2. User apache needs read access to web site files under /usr/share/nagios/html.
    3. If using resources.cfg, only nagios needs access to read, not apache!
    4. For the nagios.cmd fifo pipe (under /var/spool/nagios/cmd), permissions are 660, owner = nagios, group = apache.
    5. cgi files need to be executable by apache
    6. plugins need to be executable by nagios
  4. Set security contexts on files (all done with sudo, of course)
    1. chcon -R -t httpd_sys_content_t /usr/share/nagios/html
    2. chcon -R -t nagios_etc_t /etc/nagios
    3. chcon -R -t nagios_log_t /var/log/nagios
    4. chcon -R -t var_spool_t /var/spool/nagios
    5. chcon -R -t bin_t /usr/lib/nagios/plugins
    6. chcon -t nagios_cgi_exec_t /usr/lib/nagios/cgi-bin/*.cgi
    7. /usr/sbin/nagios has a security context type of sbin_t
  5. Apache alias is in /etc/httpd/conf.d/nagios.conf. Inspect and make changes as necessary. Restart httpd service.
  6. The check_mem plugin was not working for me; it couldn’t find utils.pm. I had to add the following line near the top of the script:
    1. use lib "/usr/lib/nagios/plugins";
  7. I needed to add some local security policy. Read on for details.

There seem to be some holes in the policy for nagios. These are easily corrected with a little help from checkmodule.

First, you need to install the SELinux tools used to create new policies; they are not installed by default.

  1. sudo yum install checkpolicy
  2. sudo yum install selinux-policy-devel

There is a nice tool for troubleshooting policy called setroubleshoot. It is available at Dan Walsh’s yum repo. See his blog entry for details. The setools are also quite helpful for inspecting policy (although I believe you need at least version 3 to inspect policy on FC6, whereas version 2.4 can inspect the audit logs).

I then went through the process of running/using nagios, inspecting audit.log, taking the appropriate lines and running them through audit2allow -M to generate the proper policy, and then loading the policy module. I had to do this process a number of times to make certain I captured all the AVC’s. I ended up with the following policy module (I’ve named it local; feel free to change its name if it conflicts. If you do, you need to make the same change in the file, too).
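To show what the audit2allow step is doing under the hood, here is an added example of my own (not code from this post, and not audit2allow itself): it parses AVC records of the kind found in audit.log, merges the denied permissions per source type, target type and object class into allow rules, and emits a module skeleton in the same layout as the local module in this post. The audit records in the script are constructed to mirror the denials that module ends up allowing. It also flags rules whose target is a generic type such as var_spool_t, because type enforcement is per type: such a rule lets the source domain reach every object labelled var_spool_t, not only the nagios fifo that produced the denial. The list of generic types is a heuristic of my own.

```python
"""Sketch of the audit2allow step: AVC denials -> merged allow rules -> module skeleton.

Added example, not code from the blog post or from audit2allow itself.  The
audit records below are constructed to mirror the denials the post's 'local'
module ends up allowing; the GENERIC_TYPES list is a heuristic of my own.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records, same shape as the real ones.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1162000001.100:201): avc: denied { write } for pid=3001 comm="nagios.cgi" name="nagios.cmd" dev=dm-0 ino=12345 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1162000001.101:202): avc: denied { getattr } for pid=3001 comm="nagios.cgi" path="/var/spool/nagios/cmd/nagios.cmd" scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1162000001.102:203): avc: denied { search } for pid=3001 comm="nagios.cgi" name="cmd" scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1162000002.200:204): avc: denied { sigkill signal } for pid=2999 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:nagios_cgi_t:s0 tclass=process
type=AVC msg=audit(1162000003.300:205): avc: denied { read } for pid=3100 comm="ping" scontext=user_u:system_r:ping_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1162000003.300:205): arch=40000003 syscall=5 success=no exit=-13 comm="ping"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic of my own: targets shared by many unrelated objects.  A rule naming one of
# them grants the source domain access to *every* object of that type, not just the
# nagios fifo that produced the denial.
GENERIC_TYPES = {"var_spool_t", "var_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t", "usr_t"}


def context_type(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(text):
    """Return (source_type, target_type, tclass, frozenset(perms)) for each AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL, PATH, ... records carry no denial
            continue
        denials.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def _perm_set(perms):
    """Render one permission bare, several in braces, as policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_allow_rules(denials):
    """Merge permissions per (source, target, class) into one allow rule each, sorted for stable diffs."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {_perm_set(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


def build_module(name, version, denials):
    """Emit a .te module in the post's layout: module header, require block, allow rules."""
    classes, types = defaultdict(set), set()
    for src, tgt, cls, perms in denials:
        classes[cls] |= perms
        types.update((src, tgt))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\tclass {cls} {_perm_set(perms)};" for cls, perms in sorted(classes.items())]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["};", ""] + build_allow_rules(denials)
    return "\n".join(lines) + "\n"


def flag_broad_rules(denials):
    """Rules whose target is a generic type deserve a closer look (or a more specific file label)."""
    return [rule for rule in build_allow_rules(denials)
            if rule.split()[2].split(":")[0] in GENERIC_TYPES]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(build_module("local", "1.0.0", found))
    for rule in flag_broad_rules(found):
        print("WARNING: broad target:", rule)
```

Run against a real audit.log, every warning the script prints is a hint that the file in question is carrying a generic label (as the chcon to var_spool_t above gives the nagios spool), and that a narrower label would let the rule say exactly which objects the CGI and ping domains may touch.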

    module local 1.0.0;

    require {
        class fifo_file { read getattr write };
        class dir search;
        class process { sigkill signal };
        type httpd_t;
        type nagios_cgi_t;
        type ping_t;
        type var_spool_t;
        role system_r;
    };

    allow ping_t var_spool_t:fifo_file read;
    allow httpd_t nagios_cgi_t:process { sigkill signal };
    allow nagios_cgi_t var_spool_t:fifo_file getattr;
    allow nagios_cgi_t var_spool_t:dir search;
    allow nagios_cgi_t var_spool_t:fifo_file write;

After capturing this in the file local.te, make the policy package with:

% make -f /usr/share/selinux/devel/Makefile

This will ultimately create local.pp which then can be loaded by executing:

% sudo semodule -i local.pp

A good review of all of this can be found in the Red Hat SELinux FAQ.

Fedora Core 6 (FC6), SELinux and Firefox

Sunday, October 29th, 2006

I have to admit that I haven’t played with SELinux since a few releases back and there has been a lot of change since then. It’s now so much easier to write modular policy and incorporate that, along with some nice GUI tools to inspect the AVC’s. It’s only been a few hours, but I’m just starting to get the hang of it! And in the process, noticed something completely scary: Firefox trying to execute code on its stack! Now, I’m hoping it is a bug, or it’s SELinux 1, Intruders 0.

Here is the entry from audit.log:

type=AVC msg=audit(1162142793.550:1565): avc: denied { execstack } for pid=4957 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

I’m not sure why firefox would want to do this, so maybe it is one of the plugins?
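One way to narrow down an execstack denial like this is to ask which ELF objects actually request an executable stack. The linker records that in the PT_GNU_STACK program header, and any shared object loaded into firefox-bin whose header has PF_X set (or that has no such header at all) forces the whole process to need execstack. The following is my own added example, not code from this blog or from Mozilla: it reads the program header table of 32-bit and 64-bit ELF images, reports the verdict, and can sweep a directory of .so files. The ELF images it tests against are constructed in memory rather than read from disk, and the PLUGIN_DIR path is an assumption.

```python
"""Which ELF objects ask for an executable stack?  (PT_GNU_STACK check.)

Added example, not code from the blog post or from Firefox/Mozilla.  The ELF
images produced by build_test_elf are constructed in memory; PLUGIN_DIR is an
assumed path.
"""
import os
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
PLUGIN_DIR = os.path.expanduser("~/.mozilla/plugins")   # assumption, adjust as needed


def gnu_stack_flags(data):
    """Return the p_flags of the PT_GNU_STACK header, or None if the object has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"           # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32: Elf32_Ehdr / Elf32_Phdr offsets
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                           # p_flags sits after p_memsz in Elf32_Phdr
    elif ei_class == 2:                          # ELFCLASS64: Elf64_Ehdr / Elf64_Phdr offsets
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                            # p_flags follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, base + flags_off)[0]
    return None


def stack_verdict(data):
    """'executable', 'non-executable' or 'missing'.  x86 kernels have historically treated a
    missing PT_GNU_STACK as a request for an executable stack, so 'missing' is also suspect."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "executable" if flags & PF_X else "non-executable"


def scan_dir(path):
    """Verdict per shared object in a directory; reads headers only, never loads the code."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.endswith(".so"):
            with open(entry.path, "rb") as fh:
                head = fh.read(1 << 20)          # program headers live at the front of the file
            try:
                results[entry.name] = stack_verdict(head)
            except ValueError:
                results[entry.name] = "not-elf"
    return results


def build_test_elf(executable_stack, with_gnu_stack=True, elf64=False):
    """Constructed minimal ELF (no real code): one PT_LOAD plus an optional PT_GNU_STACK."""
    stack_flags = PF_R | PF_W | (PF_X if executable_stack else 0)
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x8048000, 0x1000)]   # (type, flags, offset, vaddr, size)
    if with_gnu_stack:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0))
    if elf64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # class 64, LE, version 1
        header = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                             64, 56, len(phdrs), 64, 0, 0)       # EM_X86_64, phdrs at 64
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, va, va, sz, sz, 0x1000)
                        for t, f, off, va, sz in phdrs)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)      # class 32, LE, version 1
        header = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                             52, 32, len(phdrs), 40, 0, 0)       # EM_386, phdrs at 52
        body = b"".join(struct.pack("<IIIIIIII", t, off, va, va, sz, sz, f, 0x1000)
                        for t, f, off, va, sz in phdrs)
    return header + body


if __name__ == "__main__":
    for label, img in (("RW stack", build_test_elf(False)), ("RWX stack", build_test_elf(True)),
                       ("no header", build_test_elf(False, with_gnu_stack=False))):
        print(label, "->", stack_verdict(img))
    if os.path.isdir(PLUGIN_DIR):
        for name, verdict in sorted(scan_dir(PLUGIN_DIR).items()):
            print(name, verdict)
```

On a real system the execstack utility from the prelink package answers the same question (execstack -q), and setting the flag off with it, or rebuilding the offending object with a non-executable stack, removes the need for Firefox to run with execstack rather than loosening the policy to permit it.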

Firefox specifics follow:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7

  • DOM Inspector 1.8.0.7
  • Web Developer 1.0.2
  • Download Statusbar 0.9.4.3
  • Map+ 1.1.0
  • FireBug 0.4.1
  • Open Link Host 1.3.1
  • EditCSS 0.3.6
  • JavaScript Debugger 0.9.87
  • All-in-One Gestures 0.18.0
  • Bookmarks Synchronizer 3 1.0.2
  • Google Toolbar for Firefox 2.1.20060807L

BTW, I’m loving the new Gnome Desktop Effects in FC6!
