SELinux and Nagios

Daniel J Walsh dwalsh at redhat.com
Tue Jan 7 13:41:14 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2014 09:32 PM, Vadym Chepkov wrote:
> Hi,
> 
> I observe two related AVC in Fedora 20 (although to be fair, Fedora 19 also
> had this issue):
> 
> ---- time->Tue Jan  7 02:17:09 2014 type=SYSCALL
> msg=audit(1389061029.116:92): arch=c000003e syscall=59 success=yes exit=0
> a0=2623760 a1=26237c0 a2=261fa10 a3=7fff3197ecb0 items=0 ppid=1580 pid=1581
> auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996
> sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="check_ping"
> exe="/usr/lib64/nagios/plugins/check_ping"
> subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null) type=AVC
> msg=audit(1389061029.116:92): avc:  denied  { read write } for  pid=1581
> comm="check_ping" path="/var/spool/nagios/checkresults/checkMLYIdJ"
> dev="dm-1" ino=643 scontext=system_u:system_r:nagios_services_plugin_t:s0
> tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file ---- time->Tue Jan
> 7 02:17:09 2014 type=SYSCALL msg=audit(1389061029.132:93): arch=c000003e
> syscall=59 success=yes exit=0 a0=7f59269e4320 a1=7f59269e4360
> a2=7fff689f3020 a3=7f5924a98a10 items=0 ppid=1581 pid=1582 auid=4294967295
> uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996
> ses=4294967295 tty=(none) comm="ping" exe="/usr/bin/ping"
> subj=system_u:system_r:ping_t:s0 key=(null) type=AVC
> msg=audit(1389061029.132:93): avc:  denied  { read write } for  pid=1582
> comm="ping" path="/var/spool/nagios/checkresults/checkMLYIdJ" dev="dm-1"
> ino=643 scontext=system_u:system_r:ping_t:s0
> tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
> 
> 
> I assume first one is deficiency of the selinux policy - plugin check_ping
> should be able to create work files somewhere. If /var/spool/nagios is not
> a proper place, then some other location should be used, but the choice is
> limited:
> 
> # semanage fcontext -l|grep nagios|grep /var /var/log/nagios(/.*)?
> all files          system_u:object_r:nagios_log_t:s0 
> /var/log/netsaint(/.*)?                            all files
> system_u:object_r:nagios_log_t:s0 /var/run/nagios.*
> all files          system_u:object_r:nagios_var_run_t:s0 
> /var/spool/nagios(/.*)?                            all files
> system_u:object_r:nagios_spool_t:s0
> 
> 
> The send one is probably some file decriptor leak, because ping utility
> doesn’t actually supply output to the temporary file.
> 
> Does anybody use nagios in SELinux environment? check_ping seems like a
> very basic plugin.
> 
> Thanks, Vadym
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

This could be a bash direction where we want to get the output of the ping
command into /var/spool/nagios/checkresults/checkMLYIdJ

I would open a bugzilla on this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLMA/oACgkQrlYvE4MpobN8dgCePG8i5gWzfJ6pXA+U24ZsjKIO
xtoAoIIw+B0hSfaD7HEjt20xTd++Kafj
=b2S/
-----END PGP SIGNATURE-----

More information about the selinux mailing list