nagios_log_t missing

Farkas Levente lfarkas at bppiac.hu
Wed Apr 27 09:21:33 UTC 2005


Daniel J Walsh wrote:
> Farkas Levente wrote:
> 
>> hi,
>> there is a nagios_log_t that is used in nagios.fc but never defined 
>> (missing). so when we try to apply it we get these errors:
>> ---------------------------------------------
>> # chcon -R -t nagios_log_t /var/log/nagios
>> chcon: failed to change context of /var/log/nagios to 
>> system_u:object_r:nagios_log_t: Invalid argument
>> chcon: failed to change context of /var/log/nagios/rw to 
>> system_u:object_r:nagios_log_t: Invalid argument
>> chcon: failed to change context of /var/log/nagios/archives to 
>> system_u:object_r:nagios_log_t: Invalid argument
>> chcon: failed to change context of /var/log/nagios/.bash_history to 
>> user_u:object_r:nagios_log_t: Invalid argument
>> ---------------------------------------------
>> how can i fix it?
>> dan could you create updated rpms which fix it in 
>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/ ?:-)
>> yours.
>>
> nagios policy is not used in RHEL4.  It should run unconfined_t.  We are 
> only supporting the subset of network daemons in targeted policy.
> 
> Using strict or other policies in RHEL4 requires a separate support 
> contract, professional services engagement.

ok. i only think that if nagios_log_t is used in the current 
selinux-policy-targeted (in nagios.fc) then it should also be 
defined. but its definition is currently missing from 
selinux-policy-targeted, which is imho a bug. that's what i'd like to 
report.
another thing: even if nagios running in unconfined_t is ok, since the 
log files can be generated and the daemon is running, the web interface 
of nagios is not working since it tries to read its log files under 
/var/log/nagios, which is currently var_log_t (inherited from its 
parent). so currently i have a few options:
- add a local.te as:
   allow httpd_sys_script_t var_log_t:dir search;
   allow httpd_sys_script_t var_log_t:file { getattr read };
- change /var/log/nagios to httpd_sys_content_t and add only
   allow httpd_sys_script_t var_log_t:dir search;
- change /var/log/nagios to nagios_log_t and add
   allow httpd_sys_script_t var_log_t:dir search;
   allow httpd_sys_script_t nagios_log_t:file { getattr read };
and imho the best solution would be to add this last one to the global 
policy.
yours.

just my 2c.

-- 
   Levente                               "Si vis pacem para bellum!"
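
The following check is an added example, not part of the original post or of any Red Hat tooling: it lists file-context entries whose type is never declared in the policy source, which is the situation reported in this thread for nagios_log_t. The function names and the sample .fc/.te text are constructed for illustration, and it assumes the policy source has already had its macros expanded.

```python
import re

# Context field of a .fc entry: user:role:type, optionally followed by an MLS range.
CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:(?P<type>[\w.-]+)(?::\S+)?$")
# "type a_t, attr;", "type a_t alias b_t;" or "type a_t alias { b_t c_t };"
TYPE_RE = re.compile(r"^\s*type\s+(\w+)(?:\s+alias\s+(\{[^}]*\}|\w+))?", re.M)

# Constructed sample inputs, not copied from any shipped policy package.
SAMPLE_FC = """\
# nagios
/var/log/nagios(/.*)?        system_u:object_r:nagios_log_t
/usr/bin/nagios      --      system_u:object_r:nagios_exec_t
/var/log/httpd(/.*)?         system_u:object_r:httpd_log_t
/etc/nologin         --      <<none>>
"""
SAMPLE_TE = """\
type httpd_log_t, file_type;
type nagios_exec_t, file_type;
type var_log_t, file_type;
"""

def fc_types(fc_text):
    """Yield (line_number, path_regex, type) for every labelled .fc entry."""
    for lineno, line in enumerate(fc_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        m = CONTEXT_RE.match(fields[-1])  # "<<none>>" entries carry no type
        if m:
            yield lineno, fields[0], m.group("type")

def defined_types(te_text):
    """Return the set of type names and aliases declared in policy source."""
    names = set()
    for name, alias in TYPE_RE.findall(te_text):
        names.add(name)
        names.update(alias.strip("{} ").split())
    return names

def undefined_fc_types(fc_text, te_text):
    """Return .fc entries that reference a type the policy never declares."""
    known = defined_types(te_text)
    return [(n, path, t) for n, path, t in fc_types(fc_text) if t not in known]

if __name__ == "__main__":
    for lineno, path, typ in undefined_fc_types(SAMPLE_FC, SAMPLE_TE):
        print(f"line {lineno}: {path} uses undeclared type {typ}")
```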



