Fedora 19 SELinux policy stops nagios

Vadym Chepkov vchepkov at gmail.com
Sun Jul 7 11:56:40 UTC 2013


On Jul 7, 2013, at 3:27 AM, Miroslav Grepl wrote:

> On 07/07/2013 08:52 AM, Dominick Grift wrote:
>> On Sun, 2013-07-07 at 00:56 -0400, Vadym Chepkov wrote:
>>> Hi,
>>> 
>>> I just upgraded to Fedora 19 and found out nagios is incompatible with the SELinux policy.
>>> One could blame the nagios maintainers for not complying with SELinux, since they use the /var/log/nagios location for work files:
>>> 
>>> # grep /var/log /etc/nagios/nagios.cfg
>>> log_file=/var/log/nagios/nagios.log
>>> object_cache_file=/var/log/nagios/objects.cache
>>> precached_object_file=/var/log/nagios/objects.precache
>>> status_file=/var/log/nagios/status.dat
>>> temp_file=/var/log/nagios/nagios.tmp
>>> log_archive_path=/var/log/nagios/archives
>>> check_result_path=/var/log/nagios/spool/checkresults
>>> state_retention_file=/var/log/nagios/retention.dat
>>> debug_file=/var/log/nagios/nagios.debug
>>> 
>> I would probably file a bug report in the Fedora Bugzilla for nagios, and ask
>> the packager to put the non-log files in more appropriate places
>> (/var/lib/nagios or /run/nagios maybe?). I would also cc the Fedora
>> selinux-policy maintainer (mgrepl) so that he can add SELinux policy to
>> support the proper solution if needed.
> Yes, please open a new bug for nagios to fix locations.


It looks like one was opened 5 years ago and was reopened 3 months ago:

https://bugzilla.redhat.com/show_bug.cgi?id=469758

I will just add a comment there that it's not compatible with SELinux.


>> 
>> Type nagios_var_lib_t seems appropriate:
>> 
>>    allow nagios_t nagios_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>>    allow nagios_t nagios_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>>    allow nagios_t nagios_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>>    allow nagios_t nagios_var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>>    allow nagios_t nagios_var_lib_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>> 
>> # semanage fcontext -l | grep nagios_var_lib_t
>> /usr/lib/pnp4nagios(/.*)?                          all files          system_u:object_r:nagios_var_lib_t:s0
>> 
>>> but it used to work in Fedora 18 and now doesn't work at all.
>>> 
>>> I tried to relocate some of the files to /var/spool/nagios, but it didn't help; SELinux doesn't allow modifying nagios_spool_t either.
>>> audit2allow suggested to allow nagios_t nagios_spool_t:file { rename write getattr read create unlink open };
>>> 
>>> Is there some other type I overlooked so I can use it properly?
>>> 
>>> Thanks,
>>> Vadym
>>> 
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
> 

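Dominick's point is that Nagios keeps state and work files in a directory the policy treats as log storage. The check below is an added example, not code from the thread or from the nagios package: it reads a nagios.cfg, picks out the non-log keys listed in the grep above, and reports every one whose path still lives under /var/log so an admin can see what needs relocating (the sample config is constructed to mirror the thread's output, with one key already moved to /var/lib/nagios).

```shell
#!/bin/sh
# Added example: audit nagios.cfg for work/state files placed under the log
# directory. The key list is taken from the grep in the thread; the sample
# config at the bottom is constructed, not captured from a real host.

# Non-log keys that hold state or work files (log_file, log_archive_path
# and debug_file are genuine logs and belong in /var/log).
WORK_KEYS="object_cache_file precached_object_file status_file temp_file check_result_path state_retention_file"

# Print "key path" for each work key whose value sits under $2 (default
# /var/log). Reads the config from file $1; comments and blanks are ignored.
misplaced_work_files() {
    cfg=$1
    logdir=${2:-/var/log}
    for key in $WORK_KEYS; do
        # first definition wins; drop a stray CR in case the file was edited on Windows
        val=$(sed -n "s/^[[:space:]]*${key}=//p" "$cfg" | head -n1 | tr -d '\r')
        [ -n "$val" ] || continue
        case $val in
            "$logdir"/*) echo "$key $val" ;;
        esac
    done
}

# Number of misplaced work files; handy as an exit status in a health check.
misplaced_count() {
    misplaced_work_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample mirroring the thread's grep output, except that
# state_retention_file has already been moved and must not be reported.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# nagios.cfg (constructed sample)
log_file=/var/log/nagios/nagios.log
object_cache_file=/var/log/nagios/objects.cache
precached_object_file=/var/log/nagios/objects.precache
status_file=/var/log/nagios/status.dat
temp_file=/var/log/nagios/nagios.tmp
log_archive_path=/var/log/nagios/archives
check_result_path=/var/log/nagios/spool/checkresults
state_retention_file=/var/lib/nagios/retention.dat
debug_file=/var/log/nagios/nagios.debug
EOF

misplaced_work_files "$SAMPLE"
```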

