No audit lines produced

Miroslav Grepl mgrepl at redhat.com
Wed May 16 16:38:18 UTC 2012


On 05/15/2012 12:09 PM, Dominick Grift wrote:
> Run semodule -DB to build a policy database without the dontaudit rules.
> Run semodule -B to build a policy database (with the dontaudit rules
> included)
>
> On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
>> I'm trying to debug a Nagios plugin that isn't playing nicely with
>> SELinux. It executes a system binary to get statistics about DHCP pool
>> usage, and obviously SELinux stamps on that access and the plugin only
>> returns partial data.
>>
>> In Permissive mode the plugin works, in Enforcing it doesn't. But in
>> neither mode are there any debug messages in audit.log
>>
>> [jg4461 at dhcp1 ~]$ sudo setenforce 0
>> [jg4461 at dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
>> check_dhcpd_pools
>> OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
>> rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
>> rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
>> rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
>> rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
>> rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
>> rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
>>
>> [jg4461 at dhcp1 ~]$ sudo setenforce 1
>> [jg4461 at dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
>> check_dhcpd_pools
>> OK - all pools less than 80% full |
>>
>> Regardless of the SELinux mode, the same 3 log lines are printed in
>> audit.log:
>>
>> type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
>> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
>> cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
>> type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
>> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
>> msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
>> terminal=? res=success'
>> type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
>> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
>> msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
>> addr=? terminal=? res=success'
>>
>>
>> Anyone have any idea how I can see the deny messages and make a policy
>> from them?
>>
>> Cheers,
>> Jonathan
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
So execute

# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B


Also we will need to add labeling for the check_dhcpd_pools plugin.
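
The sequence above can be wrapped so that the dontaudit rules are rebuilt even when the re-test fails or is interrupted. This is an added example, not part of the original message; the function name `debug_denials` is hypothetical, and it assumes it is run as root.

```shell
#!/bin/sh
# Added example (not from the thread). debug_denials is a hypothetical helper
# name; semodule and ausearch are the commands given in the message above.
# Must run as root, since semodule rebuilds the loaded policy.
#
# Usage, with the command from the original report:
#   debug_denials /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools

debug_denials() (
    # The function body is a subshell, so the traps below stay local to it.
    if [ "$#" -eq 0 ]; then
        echo "usage: debug_denials command [args...]" >&2
        exit 2
    fi

    # Rebuild the policy with dontaudit rules disabled so every denial is logged.
    semodule -DB || exit 1

    # From here on, always rebuild with dontaudit rules on the way out,
    # including on Ctrl-C, so the audit log is not left flooded.
    trap 'semodule -B' EXIT
    trap 'exit 130' INT TERM

    # Re-test. A failing command is expected here and must not stop the search.
    "$@" || echo "debug_denials: command exited with status $?" >&2

    # Show AVC records from the last 10 minutes ("recent").
    # ausearch exits 1 when nothing matched; pass that status back.
    rc=0
    ausearch -m avc -ts recent || rc=$?
    exit "$rc"
)
```

An exit status of 1 means the re-test produced no AVC records even with dontaudit rules disabled.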


