From what I have seen posted in some forums and by Stephen Smalley, the correct way to do transitions with "su" is by using the /sbin/runuser command. Example of what I use.

    /sbin/runuser - $NagiosUser -c "touch $NagiosVarDir/nagios.log $NagiosRetentionFile"

Ian Sam Hooker wrote:
> Hi there,
>
> (I don't know if this'll get packed into the correct thread, but I tried.
> It's in response to John Stevens' post bearing the same subject line from
> 10/20/2005.)
>
> Thanks for posting this, John: we've been experiencing the same issue
> using Dag's RPMs (which are generally excellent). The one thing I'd add is
> that, under CentOS 4.2 and 4.3, I got syntax errors from the recommended
> fix. (The quoting was what got me.) What worked in the end was to simply
> ditch the double-quotes:
>
>     sudo -u $Nagios touch $NagiosVar/nagios.log $NagiosSav
>
> Cheers,
>
> -sth
>
> sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com
> tail -f /var/llog/llama
>
>
>> Hi All,
>> Just in case this affects others on the list, I thought I would drop a line.
>> I have a Centos 4 system running Nagios 1.3 as installed from the dag
>> repository rpm. It has been working fine for a long time now (since I sorted
>> out some typos in the config:( ). Last week I upgraded to the latest Centos
>> 4.2. The first sign of any trouble was the system hung on boot, at the
>> "Starting Nagios" message. After booting in interactive mode and NOT
>> starting nagios, the system came up fine. Tried to start nagios with the
>> init script and it gave me a message like:
>> Your default context is user_u:system_r:unconfined_t.
>>
>> Do you want to choose a different one? [n]
>>
>> Accepting the default allowed nagios to start. After digging into the init
>> script, I discovered that the only problem was the use of su to touch the
>> various log files. The line looks like:
>>     su -l $Nagios -c "touch $NagiosVar/nagios.log $NagiosSav"
>> and changing it to use sudo instead, fixed the problem. The sudo line looks
>> like this:
>>     sudo -u $Nagios "touch $NagiosVar/nagios.log $NagiosSav"
>>
>> Now the system boots fine. The main reason for this (wild guess) is that su
>> does not change the security context of the user invoking it to that of the
>> user it is trying to be, but sudo does. The message is saying "well, you
>> want to be the nagios user, but your security context is root's, care to
>> change to something more appropriate?" With sudo, it all just changes. I am
>> guessing (once again, wildly) that this is due to tighter context checking
>> in this newer version of selinux.
>>
>> I thought I would let everyone know as I have not seen any messages like this
>> so far on the list (or may have skimmed over them if they were not clearly
>> referring to this problem). If someone could explain in more detail why this
>> occurred I would be interested.
>>
>> BTW, is there any work being done on a SELinux security context for nagios,
>> other than the web stuff hamideh daliri posted a while ago? It would seem
>> like a good idea given the criticality of nagios in a network. Not that I
>> have seen any reports of exploits to nagios, nsca or nrpe, but it would be
>> nice to make sure it plays well with the other children ;)
>>
>> Regards
>
> _______________________________________________
> Nagios-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting
> any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
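
The quoting difference between the three forms in this thread, shown as an added example that is not part of the original messages. `run_as`, `pick_tool` and `show` are hypothetical helpers, and the paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Variable names follow the posts;
# the paths are constructed sample values.
NagiosUser=nagios
NagiosVarDir=/var/log/nagios
NagiosRetentionFile=/var/log/nagios/status.sav

# Print each argv element in brackets, one per line (used for dry runs).
show() { printf '[%s]\n' "$@"; }

# run_as TOOL USER COMMAND [ARG...]
# runuser and su hand ONE string to the target user's shell via -c, so the
# command and its arguments are joined (arguments containing spaces would
# need extra quoting). sudo executes its arguments directly, so each must
# stay a separate word: quoting the whole command makes sudo look for a
# program literally named "touch /path/a /path/b".
# Set DRY_RUN=1 to print the argv instead of executing (no root needed).
run_as() {
    tool=$1; user=$2; shift 2
    runner=
    if [ -n "${DRY_RUN:-}" ]; then runner=show; fi
    case $tool in
        runuser) $runner /sbin/runuser - "$user" -c "$*" ;;
        su)      $runner su -l "$user" -c "$*" ;;
        sudo)    $runner sudo -u "$user" "$@" ;;
        *)       echo "run_as: unknown tool: $tool" >&2; return 2 ;;
    esac
}

# Prefer runuser when present, then sudo, then su. The directory argument
# is a hypothetical override so the choice can be exercised outside /sbin.
pick_tool() {
    if [ -x "${1:-/sbin}/runuser" ]; then
        echo runuser
    elif command -v sudo >/dev/null 2>&1; then
        echo sudo
    else
        echo su
    fi
}

# Dry-run demonstration of the three forms; nothing is executed as nagios.
(
    DRY_RUN=1
    for t in runuser su sudo; do
        echo "--- $t"
        run_as "$t" "$NagiosUser" touch "$NagiosVarDir/nagios.log" "$NagiosRetentionFile"
    done
)
```

In an init script, the call would be `run_as "$(pick_tool)" "$NagiosUser" touch ...` with `DRY_RUN` unset.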
