Problems auditing yum behaviour
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 17 16:23:59 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/17/2012 10:00 AM, Jonathan Gazeley wrote:
> Hi list,
>
> We recently migrated all our servers from CentOS 5 to 6 and in the
> process we decided to default to keeping SELinux on, and learning
> how to configure it properly :)
>
> So far we've had good success with setting booleans and writing
> custom policies, except for one Nagios plugin that checks yum
> status[1]. On my boxes, the check_yum plugin is executed under NRPE
> as a non-privileged user. This works fine with SELinux in
> permissive mode.
>
> I've checked the audit log and this message is produced every time
> the plugin tries to run:
>
> type=AVC msg=audit(1326802289.462:4127902): avc: denied { read
> write } for pid=3278 comm="yum" name="__db.001" dev=sda3
> ino=8128221
> scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e
> syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0
> ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum"
> exe="/usr/bin/python"
> subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
>
> Running this through audit2allow produces this output:
>
> #============= nagios_services_plugin_t ============== #!!!! This
> avc is allowed in the current policy allow nagios_services_plugin_t
> rpm_var_lib_t:file { read write };
>
> It says the AVC is already allowed, but to make sure I packaged it
> and loaded the new module. But, the AVC is still blocked and the
> plugin can't run.
>
> I've tried running semodule -DB to force dontaudit entries to be
> logged to make sure I haven't missed anything that was being
> blocked silently.
>
> Am I misisng something else, or is something wrong?
>
> Thanks, Jonathan
>
> [1]
> http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
Does audit2why say anything?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8VoJ8ACgkQrlYvE4MpobNYwwCgzMdiNDenCfZXlzsvyyAPhtlJ
tY0AoMludKDic/ApSs0Oo8nT4SLOFpfK
=iLPo
-----END PGP SIGNATURE-----
More information about the selinux
mailing list