dbcooper wrote:
I've set up (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and
all the needed plugs).
I'm getting the following messages when using SELinux in Target/Enabled
mode.
My knowledge is very limited with SELinux and I'm trying to learn the
proper way to troubleshoot/resolve issues on my own, and hopefully I can use
this as my first learning curve with it.
Thanks for any suggestions.
---------------------------------------------------------------------------------------------------------------
Summary:
SELinux is preventing ping (ping_t) "read" to
/var/spool/nagios/cmd/nagios.cmd
(nagios_spool_t).
I got that one too (on CentOS 5.1 and Nagios 2.12), but since I couldn't
fathom why ping should be able to read the nagios.cmd file, and ping
seemed to work anyway, I created an SELinux policy module that skipped
writing those messages to the audit log. In other words, I piped the
audit log message through "audit2allow -M nagiosping", which creates two
files, nagiosping.te and nagiosping.pp.
The .te file is the policy module source file, and the .pp file is the
binary package generated by compiling the source file. I edited the
source file and changed the "allow" to "dontaudit", with everything else
kept as it was. Then I compiled the module:
checkmodule -M -m -o nagiosping.mod nagiosping.te
semodule_package -m nagiosping.mod -o nagiosping.pp
rm nagiosping.mod
You need the checkpolicy package for the checkmodule command, and the
policycoreutils package for the semodule and semodule_package commands.
The .mod file is a temporary file; that's why I removed it. Then I
inserted it into the kernel:
semodule -i nagiosping.pp
And tada, no more "ping can't read from nagios.cmd" messages in the
audit log.
Regards
Ingemar
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
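The build procedure Ingemar describes, written out as a shell script (an added example, not code from the thread or from the Nagios or SELinux projects). The .te text is reconstructed from the AVC in the post (ping_t reading a nagios_spool_t file) in the shape audit2allow -M normally produces; the exact file audit2allow would have generated on that box is an assumption. The allow-to-dontaudit edit is done with sed instead of by hand, and the script only runs checkmodule/semodule_package when they are installed, so the .te generation and the rule check can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): build a dontaudit policy
# module for the ping_t -> nagios_spool_t "read" denial quoted above.
# Assumption: audit2allow -M nagiosping produced a .te like the template
# below. The text is constructed for this example from the AVC message.

generated_te() {
  cat <<'EOF'
module nagiosping 1.0;

require {
    type ping_t;
    type nagios_spool_t;
    class file read;
}

#============= ping_t ==============
allow ping_t nagios_spool_t:file read;
EOF
}

# Rewrite allow rules as dontaudit: the access stays denied (nothing new
# is permitted), the denial is just no longer written to the audit log.
# Only lines starting with "allow " change; the require block is untouched.
allow_to_dontaudit() {
  sed -e 's/^allow /dontaudit /'
}

# Count rules of one kind ($1 = allow or dontaudit) in the .te on stdin,
# so the edited source can be checked before it is compiled and loaded.
count_rules() {
  grep -c "^$1 " || true
}

# Write $1.te into a scratch directory and, when the SELinux toolchain
# (checkpolicy for checkmodule, policycoreutils for semodule_package) is
# present, compile it to $1.pp exactly as in the post.
build_module() {
  name="$1"
  dir=$(mktemp -d)
  generated_te | allow_to_dontaudit > "$dir/$name.te"
  if command -v checkmodule >/dev/null 2>&1 &&
     command -v semodule_package >/dev/null 2>&1; then
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
    semodule_package -m "$dir/$name.mod" -o "$dir/$name.pp" &&
    rm -f "$dir/$name.mod" &&
    echo "built $dir/$name.pp (load with: semodule -i $dir/$name.pp)"
  else
    echo "checkmodule/semodule_package not installed; wrote $dir/$name.te only"
  fi
}

build_module nagiosping
```

The dontaudit form keeps the denial in force, so before shipping such a module it is worth confirming (as Ingemar did) that the denied program still works; silencing a denial that actually breaks something only hides the evidence. Once loaded, the module can be removed again with semodule -r nagiosping.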