Icinga2 ping append var_lib_t

Lee Clemens java at leeclemens.net
Sat May 9 20:03:10 UTC 2015


Hello,

I am running Icinga2 and /bin/ping is attempting to append to /var/lib/icinga2/api/log/current - which is being denied by SELinux.

CentOS 6.6
icinga2-common-2.3.4-1.snapshot201504272021.el6.x86_64
icinga2-bin-2.3.4-1.snapshot201504272021.el6.x86_64
icinga2-2.3.4-1.snapshot201504272021.el6.x86_64


type=AVC msg=audit(1430519487.117:16517): avc:  denied  { append } for  pid=4008 comm="ping" path="/var/lib/icinga2/api/log/current" dev=xvda1 ino=74447 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

May  1 18:31:27 server setroubleshoot: SELinux is preventing /bin/ping from append access on the file /var/lib/icinga2/api/log/current. For complete SELinux messages. run sealert -l 3e90f79d-1a59-405d-80f7-b96a9b8d59b2


[root@server ~]# sealert -l 3e90f79d-1a59-405d-80f7-b96a9b8d59b2
SELinux is preventing /bin/ping from append access on the file /var/lib/icinga2/api/log/current.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore ping trying to append access the current file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /bin/ping /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that ping should be allowed append access on the current file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


[root@server ~]# grep ping /var/log/audit/audit.log | audit2allow


#============= ping_t ==============
allow ping_t var_lib_t:file append;



I was able to 'fix' it with (this seemed better than allowing ping to append to all var_lib_t files):
[root@server ~]# semanage fcontext -a -t var_log_t "/var/lib/icinga2/api/log(/.*)?"
[root@server ~]# restorecon -Rv /var/lib/icinga2/api/log


Please let me know if this information should be provided to the icinga team rather than here, or if any other information would be useful.


Thanks,
Lee Clemens
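
An added example, not code from the original post, from Icinga or from the SELinux tooling: a small Python parser for AVC records like the one quoted above. It reproduces the rule that audit2allow prints for the denial and, when the target type is a generic catch-all such as var_lib_t and a path is present, emits the narrower semanage fcontext / restorecon relabel instead, which is the trade-off the post describes. The list of "generic" types and the var_log_t default are assumptions made for illustration; SELinux and audit2allow define no such list, and the right target type depends on the file in question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The AVC record from the post, used here as the sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1430519487.117:16517): avc:  denied  { append } for  '
    'pid=4008 comm="ping" path="/var/lib/icinga2/api/log/current" dev=xvda1 '
    'ino=74447 scontext=system_u:system_r:ping_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for illustration: catch-all types that usually mean "the file is
# mislabelled", so a relabel is narrower than a new allow rule.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t"}


@dataclass
class AvcDenial:
    perms: List[str]
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log AVC denial line; return None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        path=fields.get("path"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def allow_rule(d: AvcDenial) -> str:
    """The policy rule audit2allow would generate for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def suggest_fix(d: AvcDenial, relabel_to: str = "var_log_t") -> List[str]:
    """Prefer relabelling the directory over an allow rule on a generic type.

    An allow rule on var_lib_t grants the permission on every var_lib_t file;
    an fcontext rule only changes the label of the directory in question.
    relabel_to is an assumed default and must be chosen per file.
    """
    if d.tclass in ("file", "dir", "lnk_file") and d.path and d.target_type in GENERIC_TYPES:
        parent = d.path.rsplit("/", 1)[0]
        return [
            f'semanage fcontext -a -t {relabel_to} "{parent}(/.*)?"',
            f"restorecon -Rv {parent}",
        ]
    return [allow_rule(d)]


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print("audit2allow would emit:", allow_rule(denial))
    print("narrower fix:")
    for cmd in suggest_fix(denial):
        print("  #", cmd)
```

Feed it real audit.log lines with `grep avc /var/log/audit/audit.log`; whether the relabel is actually right still has to be checked against the reference policy (for example `semanage fcontext -l | grep '^/var/lib/icinga2'`) before installing anything.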


