Bloody selinux on Fedora 8
Ian Lists
ian-list at securitypimp.com
Fri Jan 18 15:06:47 CET 2008
----- "mjn" <mjn at umn.edu> wrote:
> Nagios folks-
>
> Has anyone resolved all of the selinux issues when installing nagios
>
> on Fedora 8?
>
> Specifically, I am getting these:
>
> type=AVC msg=audit(1200663995.088:64): avc: denied { read } for
> pid=3488 comm="ping" name="nagios.cmd" dev=dm-0 ino=16652317
> scontext=system_u:system_r:ping_t:s0
> tcontext=system_u:object_r:nagios_log_t:s0 tclass=fifo_file
>
> type=AVC msg=audit(1200657768.283:14207): avc: denied { read } for
>
> pid=7676 comm="sendmail" name="nagios.cmd" dev=dm-0 ino=16652317
> scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:object_r:nagios_log_t:s0 tclass=fifo_file
>
> I don't know what effect the ping denies are having but all of my e-
> mail and page alerts are coming across with no content (I know they
> are from nagios because of the from-address but there is no subject or
>
> body text).
>
> I followed this handy guide:
> http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/
>
> But my problem persists. I've searched around and haven't found much
>
> that is helpful on the SELinux front as far as taking audit data and
>
> correcting your policies to allow things.
>
> Has anyone else either had experience with SELinux and can help me
> correct these problems or is there a set of instructions geared more
>
> toward newer versions of Fedora that would provide the information?
>
> Some system information:
> Fedora 8 2.6.21-2952.fc8xen SMP
> nagios-2.10-5.fc8
> nagios-plugins-*-1.4.8-9.fc8
> checkpolicy-2.0.4-1.fc8
> policycoreutils-2.0.33-3.fc8
> selinux-policy-devel-3.0.8-73.fc8
> selinux-policy-targeted-3.0.8-73.fc8
> selinux-policy-3.0.8-73.fc8
> policycoreutils-gui-2.0.33-3.fc8
>
> Thanks!
It looks like you need to add the following exceptions to your policy.
#============= ping_t ==============
allow ping_t nagios_log_t:fifo_file read;
#============= sendmail_t ==============
allow sendmail_t nagios_log_t:fifo_file read;
The easiest way would be to use audit2allow. Try this.
ausearch -m AVC | audit2allow -M nagios
semodule -i nagios.pp
> --
> ____________________________________
> Mike Neuharth <mjn at umn.edu>
> Server Operations Manager
> phn: 612.625.1957
> cal: http://tinyurl.com/3jc2v
> =====================================
> College of Food, Agricultural, and Natural Resource Sciences
> University of Minnesota
> http://www.cfans.umn.edu/
>
>
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list