Problems auditing yum behaviour

Miroslav Grepl mgrepl at redhat.com
Tue Jan 17 18:04:52 UTC 2012


On 01/17/2012 03:00 PM, Jonathan Gazeley wrote:
> Hi list,
>
> We recently migrated all our servers from CentOS 5 to 6 and in the 
> process we decided to default to keeping SELinux on, and learning how 
> to configure it properly :)
>
> So far we've had good success with setting booleans and writing custom 
> policies, except for one Nagios plugin that checks yum status[1]. On 
> my boxes, the check_yum plugin is executed under NRPE as a 
> non-privileged user. This works fine with SELinux in permissive mode.
>
> I've checked the audit log and this message is produced every time the 
> plugin tries to run:
>
> type=AVC msg=audit(1326802289.462:4127902): avc:  denied  { read write 
> } for  pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 
> scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e 
> syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 
> ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python" 
> subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
>
> Running this through audit2allow produces this output:
>
> #============= nagios_services_plugin_t ==============
> #!!!! This avc is allowed in the current policy
> allow nagios_services_plugin_t rpm_var_lib_t:file { read write };
>
> It says the AVC is already allowed, but to make sure I packaged it and 
> loaded the new module. But, the AVC is still blocked and the plugin 
> can't run.
>
> I've tried running semodule -DB to force dontaudit entries to be 
> logged to make sure I haven't missed anything that was being blocked 
> silently.
>
> Am I missing something else, or is something wrong?
>
> Thanks,
> Jonathan
>
> [1] 
> http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
I guess it works in permissive mode, right?

Could you try these steps

# semodule -d your_local_policy
# semanage permissive -a nagios_services_plugin_t
# setenforce 1
# semodule -DB

and try if this works. If so, could you send me your compressed 
/var/log/audit/audit.log?


Regards,
Miroslav
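The AVC records quoted above are exactly the input audit2allow reads. As an added example (not code from the thread or from the audit tools), the script below parses such records, merges the denied permissions per source type, target type and object class, and prints the resulting allow rules; the third record in the sample is constructed here to show the merging, the first two are the ones from the mail.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records from the thread, plus a second
# AVC made up here (a "lock" denial on the same file) to show merging.
AUDIT_LOG = """\
type=AVC msg=audit(1326802289.462:4127902): avc:  denied  { read write } for  pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1326802300.100:4127950): avc:  denied  { lock } for  pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

# Matches the verdict, the permission set in braces, and the three context fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component (user:role:type:level) of an SELinux context."""
    return context.split(":")[2]

def parse_avcs(log_text):
    """Yield one dict per denied AVC record; SYSCALL and granted records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("verdict") == "denied":
            yield {
                "perms": m.group("perms").split(),
                "stype": type_of(m.group("scontext")),
                "ttype": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
            }

def allow_rules(log_text):
    """Merge denials into audit2allow-style rules keyed by (source, target, class)."""
    merged = defaultdict(list)
    for avc in parse_avcs(log_text):
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        for p in avc["perms"]:
            if p not in merged[key]:      # keep first-seen order, no duplicates
                merged[key].append(p)
    return [f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
            for (s, t, c), perms in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(AUDIT_LOG):
        print(rule)
```

A rule that audit2allow reports as already allowed yet still shows up as a denial is worth checking against the loaded policy with sesearch before adding another module.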