Run semodule -DB to build a policy database without the dontaudit
rules.
Run semodule -B to build a policy database (with the dontaudit rules
included)
On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> I'm trying to debug a Nagios plugin that isn't playing nicely with
> SELinux. It executes a system binary to get statistics about DHCP pool
> usage, and obviously SELinux stamps on that access and the plugin only
> returns partial data.
>
> In Permissive mode the plugin works, in Enforcing it doesn't. But in
> neither mode are there any debug messages in audit.log
>
> [jg4461@dhcp1 ~]$ sudo setenforce 0
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> check_dhcpd_pools
> OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
> rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
> rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
> rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
> rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
> rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
> rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
>
> [jg4461@dhcp1 ~]$ sudo setenforce 1
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> check_dhcpd_pools
> OK - all pools less than 80% full |
>
> Regardless of the SELinux mode, the same 3 log lines are printed in
> audit.log:
>
> type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
> cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
> type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=? res=success'
> type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
> addr=? terminal=? res=success'
>
>
> Anyone have any idea how I can see the deny messages and make a policy
> from them?
>
> Cheers,
> Jonathan
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

So execute
# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B
Also we will need to add labeling for the check_dhcpd_pools plugin.
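
The four steps above as one script, so the dontaudit rules are rebuilt even when the test fails or is interrupted. This is an added example, not part of the thread: `capture_denials` and the `SEMODULE`/`AUSEARCH` override variables are made-up names, and the `nrpe_t` domain in the usage comment is taken from the `subj=` field of the quoted audit records.

```shell
#!/bin/sh
# Added example, not from the thread. capture_denials and the SEMODULE /
# AUSEARCH override variables are names made up for this sketch.
SEMODULE=${SEMODULE:-semodule}
AUSEARCH=${AUSEARCH:-ausearch}

# capture_denials DOMAIN CMD [ARGS...]
# Runs CMD with dontaudit rules disabled, rebuilds the normal policy, then
# prints the recent AVC records whose source context is in DOMAIN.
# Returns CMD's exit status (125 if the policy could not be rebuilt).
capture_denials() {
    domain=$1
    shift
    "$SEMODULE" -DB || return 125
    # If the test is interrupted, still put the dontaudit rules back.
    trap '"$SEMODULE" -B; exit 130' INT TERM
    status=0
    "$@" >&2 || status=$?          # test output goes to stderr
    "$SEMODULE" -B || status=125
    trap - INT TERM
    # The denials are already in audit.log, so search after restoring.
    "$AUSEARCH" -m avc -ts recent 2>/dev/null |
        grep "type=AVC.*scontext=[^ ]*:${domain}:" || true
    return "$status"
}

# Stand-alone use (as root), e.g.:
#   sh capture_denials.sh nrpe_t /usr/lib64/nagios/plugins/check_nrpe \
#       -H localhost -c check_dhcpd_pools
if [ "$#" -gt 0 ]; then
    capture_denials "$@"
fi
```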