Hi list,
We recently migrated all our servers from CentOS 5 to 6 and in the
process we decided to default to keeping SELinux on, and learning how to
configure it properly :)
So far we've had good success with setting booleans and writing custom
policies, except for one Nagios plugin that checks yum status[1]. On my
boxes, the check_yum plugin is executed under NRPE as a non-privileged
user. This works fine with SELinux in permissive mode.
I've checked the audit log and this message is produced every time the
plugin tries to run:
type=AVC msg=audit(1326802289.462:4127902): avc: denied { read write }
for pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2
success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277
pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python"
subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
Running this through audit2allow produces this output:
#============= nagios_services_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t rpm_var_lib_t:file { read write };
It says the AVC is already allowed, but to make sure I packaged it and
loaded the new module. But, the AVC is still blocked and the plugin
can't run.
I've tried running semodule -DB to force dontaudit entries to be logged
to make sure I haven't missed anything that was being blocked silently.
Am I misisng something else, or is something wrong?
Thanks,
Jonathan
[1]
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
