On 01/17/2012 03:00 PM, Jonathan Gazeley wrote:
Hi list,
We recently migrated all our servers from CentOS 5 to 6 and in the
process we decided to default to keeping SELinux on, and learning how
to configure it properly :)
So far we've had good success with setting booleans and writing custom
policies, except for one Nagios plugin that checks yum status[1]. On
my boxes, the check_yum plugin is executed under NRPE as a
non-privileged user. This works fine with SELinux in permissive mode.
I've checked the audit log and this message is produced every time the
plugin tries to run:
type=AVC msg=audit(1326802289.462:4127902): avc: denied { read write
} for pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e
syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0
ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python"
subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
Running this through audit2allow produces this output:
#============= nagios_services_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t rpm_var_lib_t:file { read write };
It says the AVC is already allowed, but to make sure I packaged it and
loaded the new module. But, the AVC is still blocked and the plugin
can't run.
I've tried running semodule -DB to force dontaudit entries to be
logged to make sure I haven't missed anything that was being blocked
silently.
Am I misisng something else, or is something wrong?
Thanks,
Jonathan
[1]
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess it works in permissive mode, right?
Could you try these steps
# semodule -d your_local_policy
# semanage permissive -a nagios_services_plugin_t
# setenforce 1
# semodule -DB
and try if this works. If so, could you send me your compressed
/var/log/audit/audit.log?
Regards,
Miroslav
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
