Hi,
I observe two related AVC in Fedora 20 (although to be fair, Fedora 19 also had this issue):
---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null) type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file ---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360 a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
I assume first one is deficiency of the selinux policy - plugin check_ping should be able to create work files somewhere. If /var/spool/nagios is not a proper place, then some other location should be used, but the choice is limited:
# semanage fcontext -l|grep nagios|grep /var /var/log/nagios(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/log/netsaint(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/run/nagios.* all files system_u:object_r:nagios_var_run_t:s0 /var/spool/nagios(/.*)? all files system_u:object_r:nagios_spool_t:s0
The send one is probably some file decriptor leak, because ping utility doesn’t actually supply output to the temporary file.
Does anybody use nagios in SELinux environment? check_ping seems like a very basic plugin.
Thanks, Vadym
On 01/07/2014 03:32 AM, Vadym Chepkov wrote:
time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null) type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
These make sense to add.
type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360 a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
Vadym, do you also need to have these permissions to make it working. I mean
allow ping_t nagios_spool_t:file rw_inherited_file_perms;
We already have
nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) nagios_rw_inerited_tmp_files(ping_t)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/06/2014 09:32 PM, Vadym Chepkov wrote:
Hi,
I observe two related AVC in Fedora 20 (although to be fair, Fedora 19 also had this issue):
---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0 a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping" exe="/usr/lib64/nagios/plugins/check_ping" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null) type=AVC msg=audit(1389061029.116:92): avc: denied { read write } for pid=1581 comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file ---- time->Tue Jan 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360 a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(1389061029.132:93): avc: denied { read write } for pid=1582 comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1" ino=643 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
I assume first one is deficiency of the selinux policy - plugin check_ping should be able to create work files somewhere. If /var/spool/nagios is not a proper place, then some other location should be used, but the choice is limited:
# semanage fcontext -l|grep nagios|grep /var /var/log/nagios(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/log/netsaint(/.*)? all files system_u:object_r:nagios_log_t:s0 /var/run/nagios.* all files system_u:object_r:nagios_var_run_t:s0 /var/spool/nagios(/.*)? all files system_u:object_r:nagios_spool_t:s0
The send one is probably some file decriptor leak, because ping utility doesn’t actually supply output to the temporary file.
Does anybody use nagios in SELinux environment? check_ping seems like a very basic plugin.
Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
This could be a bash direction where we want to get the output of the ping command into /var/spool/nagios/checkresults/checkMLYIdJ
I would open a bugzilla on this.
selinux@lists.fedoraproject.org