Question: I installed Nagios Core, and when I go to Nagios UI, I see the home page. But clicking on any of the menu links gives “Internal Server Error” message in the browser. However Apache error_log has “(13)Permission denied: exec of ‘/usr/local/nagios/sbin/status.cgi’ failed” error message. How can I fix this?
Answer: When you click on “Tactical Overview”, “Map”, “Hosts”, “Services”, or any other menu items from the Nagios UI side-bar, you might see the following error message in the browser.
Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Now, if you check the Apache error_log, you might see the following “Permission denied error message, along with “Premature end of script headers” message.
# tail error_log (13)Permission denied: exec of '/usr/local/nagios/sbin/status.cgi' failed, referer: http://192.168.1.10/nagios/side.php Premature end of script headers: status.cgi, referer: http://192.168.1.10/nagios/side.php (13)Permission denied: exec of '/usr/local/nagios/sbin/tac.cgi' failed, referer: http://192.168.1.10/nagios/side.php Premature end of script headers: tac.cgi, referer: http://192.168.1.10/nagios/side.php
While the error message is obviously about permission, if you check the ls -l output of the file, permission will seem Ok, as it has execute permission for everybody.
ls -l /usr/local/nagios/sbin/status.cgi -rwxrwxr-x. 1 nagios nagios 296232 Jul 1 22:53 /usr/local/nagios/sbin/status.cgi
So, why is this not getting executed?
The answer is: It is the SELinux context permission issue, and not the file’s standard execute permission issue.
You can try one of the following:
1. Disable SELinux
The simple and effective way for testing this issue is to disable the SELinux as shown below.
SELinux is currently enabled with “enforcing” mode.
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted
Change the SELinux mode to “permissive”, which disables it.
# setenforce 0
After the above setenforce command, you can see that SELinux mode is changed to “permissive”.
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: enforcing Policy version: 24 Policy from config file: targeted
Restart Apache and Nagios, and try accessing Nagios UI, it should work now.
2. Change the SELinux Context of the file
On your environment, if you can’t disable the SELinux for some security reason, you should set the appropriate SELinux permission to those file.
Use the -Z option along with ls to view the SELinux context as shown below.
# ls -Z /usr/local/nagios/sbin/status.cgi -rwxrwxr-x. nagios nagios unconfined_u:object_r:usr_t:s0 /usr/local/nagios/sbin/status.cgi
As per this bug report, it is because of the invalid SELinux permission. So, use the chcon command to change the SELinux context (i.e User, Role, Type and Level) for the Nagios CGI files.