How to Fix Nagios Permission denied: exec of CGI failed Error

Question: I installed Nagios Core, and when I go to Nagios UI, I see the home page. But clicking on any of the menu links gives “Internal Server Error” message in the browser. However Apache error_log has “(13)Permission denied: exec of ‘/usr/local/nagios/sbin/status.cgi’ failed” error message. How can I fix this?

Answer: When you click on “Tactical Overview”, “Map”, “Hosts”, “Services”, or any other menu items from the Nagios UI side-bar, you might see the following error message in the browser.

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to 
complete your request.

Please contact the server administrator, root@localhost and inform them of the time the 
error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Now, if you check the Apache error_log, you might see the following “Permission denied error message, along with “Premature end of script headers” message.

# tail error_log
(13)Permission denied: exec of '/usr/local/nagios/sbin/status.cgi' failed, referer: http://192.168.1.10/nagios/side.php
Premature end of script headers: status.cgi, referer: http://192.168.1.10/nagios/side.php

(13)Permission denied: exec of '/usr/local/nagios/sbin/tac.cgi' failed, referer: http://192.168.1.10/nagios/side.php
Premature end of script headers: tac.cgi, referer: http://192.168.1.10/nagios/side.php

While the error message is obviously about permission, if you check the ls -l output of the file, permission will seem Ok, as it has execute permission for everybody.

ls -l /usr/local/nagios/sbin/status.cgi
-rwxrwxr-x. 1 nagios nagios 296232 Jul  1 22:53 /usr/local/nagios/sbin/status.cgi

So, why is this not getting executed?

The answer is: It is the SELinux context permission issue, and not the file’s standard execute permission issue.

You can try one of the following:

1. Disable SELinux

The simple and effective way for testing this issue is to disable the SELinux as shown below.

SELinux is currently enabled with “enforcing” mode.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Change the SELinux mode to “permissive”, which disables it.

# setenforce 0

After the above setenforce command, you can see that SELinux mode is changed to “permissive”.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Restart Apache and Nagios, and try accessing Nagios UI, it should work now.

2. Change the SELinux Context of the file

On your environment, if you can’t disable the SELinux for some security reason, you should set the appropriate SELinux permission to those file.

Use the -Z option along with ls to view the SELinux context as shown below.

# ls -Z /usr/local/nagios/sbin/status.cgi
-rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0   /usr/local/nagios/sbin/status.cgi

As per this bug report, it is because of the invalid SELinux permission. So, use the chcon command to change the SELinux context (i.e User, Role, Type and Level) for the Nagios CGI files.