Dirk H. Schulz wrote:
Hi folks,
I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try
to get it running together with SELinux.
I have piped the AVC denials from audit.log to audit2allow and generated
policies which I loaded using "semodule -i POLNAME.pp".
Now I have the weird state that:
- Nagios still cannot check postfix' mailqueue with check_mailq
- Nagios still cannot write emails to the mailqueue
but there are no AVC denials any more in audit.log and Nagios stopped
logging to syslog (although it still works as seen on the web pages).
There are also no SETroubleshoot messages in /var/log/messages any more.
Setting "setenforce 0" makes Nagios run smoothly, so the problem is
still related to SELinux somehow, but since nothing shows up in the logs
any more it is quite difficult to troubleshoot.
Logging in general does work, e.g. I can find an "Error code 69 returned
from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the
mailq check. Changing the setenforce value leads to an entry in
audit.log, so even auditd logging partially works.
I have even restarted rsyslog with no effect.
How do I find out why SELinux is not logging completely any more?
And by the way: I also had the phenomenon that auditd claimed lots of
denials of ping while Nagios did not have any difficulty pinging - that
does not look very trustworthy on the part of SELinux, does it?
Any hint or help is appreciated.
The SELinux denials that you're hitting now are probably dontaudit-ed in
policy. You can turn off the dontaudit rules using:
# semodule -BD
and turn them back on using:
# semodule -B
Be careful with policy generated from audit logs with dontaudit rules
turned off to ensure that what you're allowing is actually necessary and
not just unrelated noise.
Paul.
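Once dontaudit rules are disabled with `semodule -BD`, audit.log fills with denials that policy deliberately silenced, and Paul's warning about only allowing what is necessary becomes the main job. The helper below is an added example, not from this thread or from any SELinux tool; it summarises AVC lines for one source domain so that denials from unrelated domains are dropped and unexpected targets stand out before anything is fed to audit2allow. The sample log lines, the `nagios_t` domain name and the target types in them are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of audit.log lines as they might look after `semodule -BD`.
# Domain and type names are assumed for the example, not taken from the thread.
SAMPLE_AVC='type=AVC msg=audit(1234567890.101:201): avc:  denied  { getattr } for  pid=4101 comm="mailq" path="/var/spool/postfix/maildrop" dev=sda2 ino=1 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1234567890.102:202): avc:  denied  { search } for  pid=4101 comm="mailq" name="postfix" dev=sda2 ino=2 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1234567890.103:203): avc:  denied  { read } for  pid=4102 comm="nagios" name="shadow" dev=sda2 ino=3 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1234567890.104:204): avc:  denied  { getattr } for  pid=5000 comm="sshd" name="tmp" dev=sda2 ino=4 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# summarise_avc DOMAIN  (reads audit lines on stdin)
# Prints "<count> <permission> <target type> <class>" for every distinct
# denial whose source domain is DOMAIN. Denials from other domains are
# dropped, and a one-off probe such as a read of shadow_t is easy to spot
# and leave out of the module that audit2allow would otherwise generate.
summarise_avc() {
    domain="$1"
    awk -v dom="$domain" '
        /type=AVC/ && /avc: +denied/ {
            perm = ""; ttype = ""; cls = ""; sdom = ""
            # permission sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); sdom  = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (sdom == dom) count[perm " " ttype " " cls]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Only the nagios_t denials are listed; the sshd_t line is unrelated noise.
nagios_denials() { printf '%s\n' "$SAMPLE_AVC" | summarise_avc nagios_t; }
nagios_denials
```

Run it against the real log with `grep AVC /var/log/audit/audit.log | summarise_avc nagios_t` and compare the output with the postfix paths the check_mailq and mail delivery steps actually need.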
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list