Sankasaurus » tutorial

Fighting with SELinux and Nagios

Peter Sankauskas — Sat, 02 May 2009 17:25:55 +0000

I can’t believe it, but I won! I have been trying to set up Nagios on a RHEL5 machine running SELinux and have been loosing the fight for the last 3 days. But today, I win! This is such a win, it is worth sharing.

Now that I have won though, I believe this is not Nagios specific at all, and if I had bothered to learn about SELinux, this may have been obvious. Anyway, the error Nagios was giving me was:

Error: Could not stat() command file ‘/usr/local/nagios/var/rw/nagios.cmd’!
The external command file may be missing, Nagios may not be running, and/or Nagios may not be checking external commands.
An error occurred while attempting to commit your command for processing.
Return from whence you came

As you may have already guess, the solution has nothing to do with the location or permissions of the file, the file was not missing, Nagios was running, and Nagios was checking external commands. The final line of the message is great though, and I can only hope we start to see more old English in error messages.

The problem of course, was that SELinux was enabled and stopping this blatant security violation. You can check to see if SELinux is on by running:

$ /usr/sbin/getenforce

Enforcing

If you got “Permissive” or “Disabled”, then this post is not for you. To see SELinux’s side of things, check out /var/log/messages:

setroubleshoot: SELinux is preventing ping (ping_t) “read write” to /usr/local/nagios/var/spool/checkresults/checkrXH96b (usr_t). For complete SELinux messages. run sealert -l 1ffc2533-42b5-4e04-b7ab-a81bb7d02040

setroubleshoot: SELinux is preventing ping (ping_t) “read write” to /usr/local/nagios/var/spool/checkresults/checkrZxsA1 (usr_t). For complete SELinux messages. run sealert -l 178ba2d4-0822-47eb-9e32-bfaa19ee3c4b

setroubleshoot: SELinux is preventing cmd.cgi (httpd_sys_script_t) “getattr” to /usr/local/nagios/var/rw/nagios.cmd (httpd_sys_content_t). For complete SELinux messages. run sealert -l 4df0946e-8816-4b90-a7d1-37e743697b9c

As you can see, SELinux is trying to give you a hint with that sealert bit, so you should take it.

$ sealert -l 1ffc2533-42b5-4e04-b7ab-a81bb7d02040

Summary:
SELinux is preventing ping (ping_t) “read write” to

/usr/local/nagios/var/spool/checkresults/checkrXH96b (usr_t).
Detailed Description:
… (removed from post)
Raw Audit Messages
host=myhost.myisp.host type=AVC msg=audit(1241217029.141:125305): avc:  denied  { read write } for  pid=32379 comm=”ping” path=”/usr/local/nagios/var/spool/checkresults/checkrXH96b” dev=sda3 ino=52894945 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=myhost.myisp.host type=SYSCALL msg=audit(1241217029.141:125305): arch=c000003e syscall=59 success=yes exit=0 a0=153952a0 a1=15395330 a2=7fff75c5eb40 a3=0 items=0 ppid=32378 pid=32379 auid=503 uid=508 gid=508 euid=0 suid=0 fsuid=0 egid=508 sgid=508 fsgid=508 tty=(none) ses=1392 comm=”ping” exe=”/bin/ping” subj=user_u:system_r:ping_t:s0 key=(null)

That raw audit message is GOLD! There is some other information in there, but nothing about what the next step should be to create a policy and make it permanent. Using chron I have heard is a temporary fix. The solution is copying that raw audit message into an empty file and running audit2allow to create a policy:

$ cat > /tmp/tmp-nagiosping

host=myhost.myisp.host type=AVC msg=audit(1241217029.141:125305): avc:  denied  { read write } for  pid=32379 comm=”ping” path=”/usr/local/nagios/var/spool/checkresults/checkrXH96b” dev=sda3 ino=52894945 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=myhost.myisp.host type=SYSCALL msg=audit(1241217029.141:125305): arch=c000003e syscall=59 success=yes exit=0 a0=153952a0 a1=15395330 a2=7fff75c5eb40 a3=0 items=0 ppid=32378 pid=32379 auid=503 uid=508 gid=508 euid=0 suid=0 fsuid=0 egid=508 sgid=508 fsgid=508 tty=(none) ses=1392 comm=”ping” exe=”/bin/ping” subj=user_u:system_r:ping_t:s0 key=(null)

* Ctrl-D *
$ audit2allow -M NagiosPing < /tmp/tmp-nagiosping
******************** IMPORTANT ***********************

To make this policy package active, execute:
semodule -i NagiosPing.pp

This creates a file call NagiosPing.pp which contains the SELinux policy needed to make these errors go away. The only thing left to do is to install this policy:

$ semodule -i NagiosPing.pp

If your setup was like mine, SELinux was actually preventing 3 different actions, needing 3 different policies. HA! That is easy now – just repeat the steps until Nagios is doing your bidding.

Django and Google App Engine Tutorial

Peter Sankauskas — Tue, 17 Feb 2009 19:45:00 +0000

Hi have been playing around with Google App Engine for a while now, and wanted to learn Django on a new application I am building. The two articles I started with are:

Both Django and GAE are being developed as I write this, so although these instructions are kind of recent, they are already out of date, or rely on you having knowledge of Django. Since there are a lot of others with no Python or Django experince wanting to learn, I thought I would make a tutorial that works as of today, but who knows a month from now or even tomorrow.

Note: This tutorial is written for Linux. Mac/Windows users will have to translate

Create django.zip

Django comes as a .tar.gz file, but we want a zip file to take advantage of the Zipimport library, so some conversion is needed.

Download the latest Django and untar the file (in this case, it is 1.0.2)
cd Django-1.0.2-final
Create the zip file, but without the admin section since App Enging supplies it’s own
zip -r ~/django.zip django -x ‘django/contrib/admin*’

Get the Helper

The App Engine Helper or Django is an open source bootstrapper for getting Django started on App Engine. Downloading it from the website will currently give you quite an old version (r52) which will not work in this tutorial. Instead, use subversion to get the latest (r74).

cd ~
svn export http://google-app-engine-django.googlecode.com/svn/trunk/ gae-django-tutorial
cd gae-django-tutorial
mv ~/django.zip .

Setup App Engine

As you would with any GAE application, edit the app.yaml file to refer to your application ID. The Helper also needs to know where your Google App Engine SDK is, since it is going to change how you start the development server, so create a link to it:

cd gae-django-tutorial
ln -s /path/to/google_appengine .google_appengine

Start the development server

Django has a different way of running the development server. Instead of using dev_appserver.py to start the dev server, do the following:

python manage.py runserver

If everything is running correctly, you should see something like:

INFO:root:Server: appengine.google.com
INFO:root:Checking for updates to the SDK.
INFO:root:The SDK is up to date.
INFO:root:Running application google-app-engine-django on port 8000: http://localhost:8000

However, if you are like me and saw an error like the following:

ImportError: No module named antlr3

Then you will need to install the antlr3 python module. Luckily this is easy.

Go to http://www.antlr.org/download/Python and download the latest zip
unzip antlr_python_runtime-3.1.zip
cd antlr_python_runtime-3.1
sudo python setup.py install

Lets see the site! When you go to http://localhost:8000/ you should see a page saying “It worked! Congratulations on your first Django-powered page.”
Pretty (un)impressive huh?

Ok, now lets start doing something. Kill the server by pressing Ctrl-C. The Django tutorial is the next stop, which involves creating the Polls Django app. You can read through there to get a full understanding. For simplicity, I am only what I did to get it working.

python manage.py startapp polls
cd polls

Edit models.py

from appengine_django.models import BaseModel
from google.appengine.ext import db

class Poll(BaseModel):
  question = db.StringProperty()
  pub_date = db.DateTimeProperty('date published')

class Choice(BaseModel):
  poll = db.ReferenceProperty(Poll)
  choice = db.StringProperty()
  votes = db.IntegerProperty()

Edit views.py (notice that order_by() from the Django tutorial is just order() here)

from django.template import Context, loader
from polls.models import Poll
from django.http import HttpResponse

def index(request):
  latest_poll_list = Poll.objects.all().order('-pub_date')[:5]
  t = loader.get_template('polls/index.html')
  c = Context({
    'latest_poll_list': latest_poll_list,
  })
  return HttpResponse(t.render(c))

cd ..
Edit urls.py and add to urlpatterns
(r’^polls/’, ‘polls.views.index’),
mkdir -p templates/polls
cd templates/polls

Create index.html

{% if latest_poll_list %}

{% for poll in latest_poll_list %}
  {{ poll.question }}
{% endfor %}

{% else %}
  No polls are available.
{% endif %}

cd ../..
Edit settings.py and add to INSTALLED_APPS
‘polls’,
Now you can run the dev server again:
python manage.py runserver
And go to:
http://localhost:8000/polls/
You should see the message “No polls are available.”

Adding some data

You can go through the rest of the Django Tutorial to fill out the rest of the views. One last thing to know is the admin site. To view it, go to:

http://localhost:8000/_ah/admin

Notice that the Datastore Viewer is empty – it doesn’t even know about our Poll or Choice Models. Don’t panic. Go back to your terminal, and terminate the dev server. Now run:

python manage.py shell

This brings up a special python shell with the Django environment set up for you. Now you can run:
>>> from polls.models import Poll, Choice
>>> import datetime
>>> p = Poll(question=”What’s up?”, pub_date=datetime.datetime.now())
>>> p.save()

You have just created a new Poll. To end the shell, press Ctrl-D.

If you start the dev server again (or if you never stopped it in the first place), you should be able to go to:
http://localhost:8000/polls/
to see you new Poll, and go to the admin site:
http://localhost:8000/_ah/admin/datastore
to see and create new Polls

Easy huh?