Problems auditing yum behaviour

Daniel J Walsh dwalsh at redhat.com
Tue Jan 17 16:23:59 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/17/2012 10:00 AM, Jonathan Gazeley wrote:
> Hi list,
> 
> We recently migrated all our servers from CentOS 5 to 6 and in the 
> process we decided to default to keeping SELinux on, and learning
> how to configure it properly :)
> 
> So far we've had good success with setting booleans and writing
> custom policies, except for one Nagios plugin that checks yum
> status[1]. On my boxes, the check_yum plugin is executed under NRPE
> as a non-privileged user. This works fine with SELinux in
> permissive mode.
> 
> I've checked the audit log and this message is produced every time
> the plugin tries to run:
> 
> type=AVC msg=audit(1326802289.462:4127902): avc:  denied  { read write } for  pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
> 
> Running this through audit2allow produces this output:
> 
> #============= nagios_services_plugin_t ==============
> #!!!! This avc is allowed in the current policy
> allow nagios_services_plugin_t rpm_var_lib_t:file { read write };
> 
> It says the AVC is already allowed, but to make sure I packaged it
> and loaded the new module. But, the AVC is still blocked and the
> plugin can't run.
> 
> I've tried running semodule -DB to force dontaudit entries to be
> logged to make sure I haven't missed anything that was being
> blocked silently.
> 
> Am I missing something else, or is something wrong?
> 
> Thanks, Jonathan
> 
> [1] 
> http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
>
>  -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
Does audit2why say anything?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8VoJ8ACgkQrlYvE4MpobNYwwCgzMdiNDenCfZXlzsvyyAPhtlJ
tY0AoMludKDic/ApSs0Oo8nT4SLOFpfK
=iLPo
-----END PGP SIGNATURE-----
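As an added example that is not part of this thread and not code from the check_yum plugin or from the SELinux tools: a small Python parser for the AVC and SYSCALL records of the shape quoted above. It joins the two records on their shared event serial, derives the same `allow` rule audit2allow prints, and lists the things worth checking when that rule is already in the loaded policy yet the access is still refused. The sample log is constructed from the two records in the message; the "hints" heuristics are the author's own assumptions, not audit2why's logic.

```python
"""Parse SELinux AVC/SYSCALL audit records, derive the audit2allow-style rule,
and flag the checks to make when the rule is already present in policy."""
import re
from collections import defaultdict

# Constructed sample, modelled on the two records quoted in the message above
# (same event serial, each record re-joined onto a single line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326802289.462:4127902): avc:  denied  { read write } for  pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type[:range]' -> dict (the range is absent on non-MLS policies)."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))


def parse_fields(text):
    """key=value pairs, with quotes stripped from values such as comm="yum"."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit_log(text):
    """Return {serial: event}, joining AVC and SYSCALL records by event serial."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = parse_fields(m.group("fields"))
            events[m.group("serial")]["avcs"].append({
                "verdict": m.group("verdict"),
                "perms": m.group("perms").split(),
                "scontext": split_context(f["scontext"]),
                "tcontext": split_context(f["tcontext"]),
                "tclass": f["tclass"],
                "comm": f.get("comm"),
                "name": f.get("name"),
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            events[m.group("serial")]["syscall"] = parse_fields(m.group("fields"))
    return dict(events)


def audit2allow_rules(events):
    """Aggregate denied permissions per (source type, target type, class) and
    print them as TE allow rules, the way audit2allow does."""
    perms = defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            if avc["verdict"] != "denied":
                continue
            key = (avc["scontext"]["type"], avc["tcontext"]["type"], avc["tclass"])
            perms[key].update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]


def hints(event):
    """Heuristic observations (this example's own assumptions) for the case where
    audit2allow reports the rule as already allowed but the AVC keeps firing."""
    out = []
    sc = event["syscall"]
    if sc and sc.get("success") == "no" and sc.get("exit") == "-13":
        out.append("syscall exit=-13 (EACCES): the kernel really refused the access")
    for avc in event["avcs"]:
        su, tu = avc["scontext"]["user"], avc["tcontext"]["user"]
        if su != tu:
            out.append("SELinux users differ (%s vs %s): a TE allow rule cannot satisfy a "
                       "constraint (UBAC/MLS) denial; audit2why reports that case as a "
                       "constraint violation" % (su, tu))
        out.append("confirm the loaded policy with: sesearch -A -s %s -t %s -c %s"
                   % (avc["scontext"]["type"], avc["tcontext"]["type"], avc["tclass"]))
    return out


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in audit2allow_rules(evs):
        print(rule)
    for serial, ev in evs.items():
        for h in hints(ev):
            print("# event %s: %s" % (serial, h))
```

On a live host the same records come from `ausearch -m avc -ts recent`, and piping that output into `audit2why` is the direct way to learn whether the denial is a missing TE rule, a boolean, or a constraint, which a generated allow rule cannot fix.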