Bloody selinux on Fedora 8

Ian Lists ian-list at securitypimp.com
Fri Jan 18 15:06:47 CET 2008


----- "mjn" <mjn at umn.edu> wrote:

> Nagios folks-
> 
> Has anyone resolved all of the selinux issues when installing nagios 
> 
> on Fedora 8?
> 
> Specifically, I am getting these:
> 
> type=AVC msg=audit(1200663995.088:64): avc:  denied  { read } for   
> pid=3488 comm="ping" name="nagios.cmd" dev=dm-0 ino=16652317  
> scontext=system_u:system_r:ping_t:s0  
> tcontext=system_u:object_r:nagios_log_t:s0 tclass=fifo_file
> 
> type=AVC msg=audit(1200657768.283:14207): avc:  denied  { read } for  
> 
> pid=7676 comm="sendmail" name="nagios.cmd" dev=dm-0 ino=16652317  
> scontext=system_u:system_r:sendmail_t:s0  
> tcontext=system_u:object_r:nagios_log_t:s0 tclass=fifo_file
> 
> I don't know what effect the ping denies are having but all of my e- 
> mail and page alerts are coming across with no content (I know they  
> are from nagios because of the from-address but there is no subject or
>  
> body text).
> 
> I followed this handy guide:
> http://www.rickwargo.com/2006/10/29/fc6-selinux-and-nagios/
> 
> But my problem persists. I've searched around and haven't found much 
> 
> that is helpful on the SELinux front as far as taking audit data and 
> 
> correcting your policies to allow things.
> 
> Has anyone else either had experience with SELinux and can help me  
> correct these problems or is there a set of instructions geared more 
> 
> toward newer versions of Fedora that would provide the information?
> 
> Some system information:
> Fedora 8 2.6.21-2952.fc8xen SMP
> nagios-2.10-5.fc8
> nagios-plugins-*-1.4.8-9.fc8
> checkpolicy-2.0.4-1.fc8
> policycoreutils-2.0.33-3.fc8
> selinux-policy-devel-3.0.8-73.fc8
> selinux-policy-targeted-3.0.8-73.fc8
> selinux-policy-3.0.8-73.fc8
> policycoreutils-gui-2.0.33-3.fc8
> 
> Thanks!

It looks like you need to add the following exceptions to your policy.

#============= ping_t ==============
allow ping_t nagios_log_t:fifo_file read;

#============= sendmail_t ==============
allow sendmail_t nagios_log_t:fifo_file read;

The easiest way would be to use audit2allow.  Try this.

ausearch -m AVC | audit2allow  -M nagios
semodule -i nagios.pp

 
> -- 
> ____________________________________
> Mike Neuharth <mjn at umn.edu>
> Server Operations Manager
> phn: 612.625.1957
> cal: http://tinyurl.com/3jc2v
> =====================================
> College of Food, Agricultural, and Natural Resource Sciences
> University of Minnesota
> http://www.cfans.umn.edu/
> 
> 
> 
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list