Fedora 19 Selinux policy stops nagios

Dominick Grift dominick.grift at gmail.com
Sun Jul 7 06:52:41 UTC 2013 

On Sun, 2013-07-07 at 00:56 -0400, Vadym Chepkov wrote:
> Hi,
> 
> I just upgraded to Fedora 19 and found out nagios is incompatible with Selinux policy.
> One could blame nagios maintainers to not comply with SELinux, since they use /var/log/nagios location for work files:
> 
> # grep /var/log /etc/nagios/nagios.cfg 
> log_file=/var/log/nagios/nagios.log
> object_cache_file=/var/log/nagios/objects.cache
> precached_object_file=/var/log/nagios/objects.precache
> status_file=/var/log/nagios/status.dat
> temp_file=/var/log/nagios/nagios.tmp
> log_archive_path=/var/log/nagios/archives
> check_result_path=/var/log/nagios/spool/checkresults
> state_retention_file=/var/log/nagios/retention.dat
> debug_file=/var/log/nagios/nagios.debug
> 

I would probably file a bugreport to fedora bugzilla for nagios, and ask
the packager to put the non-log files in more appropriate places
(/var/lib/nagios or /run/nagios maybe?), i would also cc. the fedora
selinux-policy maintainer (mgrepl) so that he can add selinux policy to
support the proper solution if needed.

Type nagios_var_lib_t seems appropriate:

   allow nagios_t nagios_var_lib_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; 
   allow nagios_t nagios_var_lib_t : dir { ioctl read write getattr lock
add_name remove_name search open } ; 
   allow nagios_t nagios_var_run_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; 
   allow nagios_t nagios_var_run_t : dir { ioctl read write getattr lock
add_name remove_name search open } ; 
   allow nagios_t nagios_var_lib_t : fifo_file { ioctl read write create
getattr setattr lock append unlink link rename open } ; 

# semanage fcontext -l | grep nagios_var_lib_t
/usr/lib/pnp4nagios(/.*)?                          all files
system_u:object_r:nagios_var_lib_t:s0 

> but it used to work in Fedora 18 and now doesn't work at all.
> 
> I tried to relocate some of the files to /var/spool/nagios, but it didn't help, SElinux doesn't allow to modify nagios_spool_t either.
> audit2allow suggested to allow nagios_t nagios_spool_t:file { rename write getattr read create unlink open };
> 
> Is there some other type I overlooked so I can use it properly?
> 
> Thanks,
> Vadym
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

More information about the selinux mailing list