Monday, January 18, 2021

Nagios Core - Error: Could not stat() command file '/usr/local/nagios/var/rw/nagios.cmd'!

While setting up a new Nagios Core installation, I ran across the following error message:
Error: Could not stat() command file '/usr/local/nagios/var/rw/nagios.cmd'!

If you search for this error, you'll find a lot of posts saying to set SELinux to Permissive or Disabled. This (and many other SELinux issues) is easily solved while leaving SELinux Enforcing. First, verify that SELinux is the culprit: 
# tail -f -n 0 /var/log/audit/audit.log

You could pipe this to "grep denied" if you wanted. Do whatever you did to get the error again, and you should see some new lines come in like this:

type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0

What you need to do is use audit2allow to build a policy module that allows the denied action. Copy the single offending line of audit.log and run the following (single quotes keep the shell from stripping the double quotes inside the log line):
# echo '<replace-with-the-denied-error-message>' | audit2allow -M <some-name>
So mine looked like:
# echo 'type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0' | audit2allow -M nagios_1
Then load the new policy:
# semodule -i nagios_1.pp
Wait a few seconds and the new policy will be in effect. Tail your audit.log and try the action again. The second time around, I got a new error in the web GUI:
Error: Could not open command file '/usr/local/nagios/var/rw/nagios.cmd' for update!
If you get another "avc denied" message, take that and pipe it to audit2allow and load the new policy. Rinse/repeat until you stop getting denied messages and the action you were trying works. For the Nagios Core command I needed to do this 3 times total, but the end result should be a working application with SELinux still enabled.
# echo '<2nd-denied-log>' | audit2allow -M nagios_2
# semodule -i nagios_2.pp
# echo '<3rd-denied-log>' | audit2allow -M nagios_3
# semodule -i nagios_3.pp
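
Before loading each module, it helps to see exactly which rule a denial turns into. The script below is an added example, not part of the original post and not a replacement for audit2allow: it reads audit.log lines and prints the allow rule implied by each AVC denial, deduplicated, and it handles several denials at once rather than the single line used above. The function names avc_to_rules and sample_log are hypothetical, and every sample line except the first is constructed for illustration.

```shell
#!/bin/sh
# Added example: list the allow rule(s) implied by each AVC denial on stdin.

# Sample input. Line 1 is the denial quoted in the post; the rest are
# constructed for illustration and do not come from the post.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1609875530.101:72430): avc:  denied  { getattr } for  pid=951790 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1609875530.101:72430): arch=c000003e syscall=262 success=no exit=-13
type=AVC msg=audit(1609875544.220:72441): avc:  denied  { write open } for  pid=951812 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
EOF
}

# Print "allow <source type> <target type>:<class> <permission>;" once per
# unique denial. Non-AVC records and incomplete lines are skipped.
avc_to_rules() {
    awk '
    function ctx_type(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]              # user:role:type:level -> type
    }
    /avc:/ && /denied/ {
        src = tgt = cls = ""
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between { }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            printf "allow %s %s:%s %s;\n", src, tgt, cls, p[j]
    }' | sort -u
}

sample_log | avc_to_rules
```

On a real host, feed it the log directly with `avc_to_rules < /var/log/audit/audit.log`. audit2allow -M also writes a .te file next to the .pp, which holds the rules the module will add and can be read the same way before running semodule -i.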
