On Tue, 2009-11-10 at 11:17 -0800, John Oliver wrote:
On Tue, Nov 10, 2009 at 02:51:49PM +0100, Dominick Grift wrote:
> On Mon, 2009-11-09 at 15:27 -0800, John Oliver wrote:
> > [root@mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > audit2allow
> >
> >
> > #============= nagios_t ==============
> > allow nagios_t var_t:dir read;
> > [root@mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > audit2allow -M nagios
> > ******************** IMPORTANT ***********************
> > To make this policy package active, execute:
> >
> > semodule -i nagios.pp
> >
> > [root@mda-services4 ~]# semodule -i nagios.pp
> > libsepol.print_missing_requirements: nagios's global requirements were
> > not met: type/attribute nagios_t
> > libsemanage.semanage_link_sandbox: Link packages failed
> > semodule: Failed!
> >
> >
> >
> > What on Earth does that mean???
> >
> It means you (probably) did something that is not so smart:
>
> My guess is that you have overwritten the distributed nagios module.
Ahh!
Actually, the distributed module wasn't installed at all, as nagios was
installed after the fact. So, I removed mine and added the distributed
one, and nagios will start. However, there's still at least one rule
missing from the distributed module (and yes, I updated the selinux
related RPMs):
type=AVC msg=audit(1257880340.235:135261): avc: denied { read write }
for pid=15599 comm="ping"
path="/var/nagios/spool/checkresults/checkemlez9" dev=dm-0 ino=196622
scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
[root@mda-services4 ~]# tail -50 /var/log/audit/audit.log | grep nagios
| audit2allow
#============= ping_t ==============
allow ping_t var_t:file { read write };
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.1
libselinux-python-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5_4.1
Yes i bet the nagios policy is full of bugs.
A quick workaround to solve this issue is to label /var/nagios/spool/
type nagios_spool_t and then use audit2allow to allow ping rw
nagios_spool_t files:
echo "policy_module(mynagiospatch1, 0.0.1)" > mynagiospatch1.te
echo "require { type nagios_spool_t, ping_t; }" >> mynagiospatch1.te
echo "allow ping_t nagios_spool_t:file rw_file_perms;" >>
mynagiospatch1.te
echo "/var/nagios/spool(/.*)?
gen_context(system_u:object_r:nagios_spool_t, s0)" >> mynagiospatch1.te
make -f /usr/share/selinux/devel/Makefile mynagiospatch1.pp
semodule -i mynagiospatch1.pp
restorecon -R -v /var/nagios/spool
Note that this is a ugly workaround and it should be deinstalled as soon
as a solution is implemented in fedora policy (please report a bug)
My guess is that after this you will probably get more denials.
hth