On Jul 7, 2013, at 3:27 AM, Miroslav Grepl wrote:

> On 07/07/2013 08:52 AM, Dominick Grift wrote:
>> On Sun, 2013-07-07 at 00:56 -0400, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I just upgraded to Fedora 19 and found out nagios is incompatible with the SELinux policy.
>>> One could blame the nagios maintainers for not complying with SELinux, since they use the /var/log/nagios location for work files:
>>>
>>> # grep /var/log /etc/nagios/nagios.cfg
>>> log_file=/var/log/nagios/nagios.log
>>> object_cache_file=/var/log/nagios/objects.cache
>>> precached_object_file=/var/log/nagios/objects.precache
>>> status_file=/var/log/nagios/status.dat
>>> temp_file=/var/log/nagios/nagios.tmp
>>> log_archive_path=/var/log/nagios/archives
>>> check_result_path=/var/log/nagios/spool/checkresults
>>> state_retention_file=/var/log/nagios/retention.dat
>>> debug_file=/var/log/nagios/nagios.debug
>>>
>> I would probably file a bug report in Fedora bugzilla for nagios, and ask
>> the packager to put the non-log files in more appropriate places
>> (/var/lib/nagios or /run/nagios maybe?). I would also cc the Fedora
>> selinux-policy maintainer (mgrepl) so that he can add SELinux policy to
>> support the proper solution if needed.
> Yes, please open a new bug for nagios to fix locations.

It looks like one was opened 5 years ago and was reopened 3 months ago:
https://bugzilla.redhat.com/show_bug.cgi?id=469758

I will just add a comment there that it's not compatible with SELinux.
>>
>> Type nagios_var_lib_t seems appropriate:
>>
>> allow nagios_t nagios_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>> allow nagios_t nagios_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>> allow nagios_t nagios_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>> allow nagios_t nagios_var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>> allow nagios_t nagios_var_lib_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
>>
>> # semanage fcontext -l | grep nagios_var_lib_t
>> /usr/lib/pnp4nagios(/.*)?    all files    system_u:object_r:nagios_var_lib_t:s0
>>
>>> but it used to work in Fedora 18 and now doesn't work at all.
>>>
>>> I tried to relocate some of the files to /var/spool/nagios, but it didn't help; SELinux doesn't allow modifying nagios_spool_t either.
>>> audit2allow suggested: allow nagios_t nagios_spool_t:file { rename write getattr read create unlink open };
>>>
>>> Is there some other type I overlooked so I can use it properly?
>>>
>>> Thanks,
>>> Vadym
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
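As an added example (not from the thread, and not nagios, Fedora or selinux-policy code), the relocation Dominick suggests can be planned with a small script: it rewrites the nagios.cfg entries quoted above so that only real log output stays under /var/log/nagios, moves persistent state to /var/lib/nagios and transient files to /run/nagios, and prints the semanage/restorecon commands that would label the new directories nagios_var_lib_t and nagios_var_run_t (the types whose allow rules Dominick listed). Which keys count as persistent and which as transient is my assumption; the sample config is the one grepped out of nagios.cfg in the thread, embedded here so the script runs offline. The labeling commands are printed rather than executed: check `semanage fcontext -l | grep nagios` first and drop any entry the policy already ships.

```bash
#!/bin/bash
# Added example, not code from the mailing-list thread or from nagios.
# Plan moving nagios work files out of /var/log/nagios into directories whose
# SELinux types let nagios_t create/rename/unlink files, and print the
# commands that would label those directories. Nothing here touches the
# system; the output is a plan to review.

# Constructed sample: the nagios.cfg lines quoted in the thread.
SAMPLE_CFG='log_file=/var/log/nagios/nagios.log
object_cache_file=/var/log/nagios/objects.cache
precached_object_file=/var/log/nagios/objects.precache
status_file=/var/log/nagios/status.dat
temp_file=/var/log/nagios/nagios.tmp
log_archive_path=/var/log/nagios/archives
check_result_path=/var/log/nagios/spool/checkresults
state_retention_file=/var/log/nagios/retention.dat
debug_file=/var/log/nagios/nagios.debug'

# Map a nagios.cfg key to the directory it belongs in (assumed split):
# real logs stay in /var/log/nagios, state that must survive a reboot goes
# to /var/lib/nagios (nagios_var_lib_t), transient files go to /run/nagios
# (nagios_var_run_t). Unknown keys map to "" and are left untouched.
target_dir_for() {
    case "$1" in
        object_cache_file|precached_object_file|state_retention_file)
            echo /var/lib/nagios ;;
        status_file|temp_file|check_result_path)
            echo /run/nagios ;;
        log_file|log_archive_path|debug_file)
            echo /var/log/nagios ;;
        *)  echo "" ;;
    esac
}

# Rewrite key=/var/log/nagios/... lines read from stdin, keeping the path
# below /var/log/nagios intact (so spool/checkresults stays a subdirectory).
relocate_cfg() {
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        dir=$(target_dir_for "$key")
        case "$val" in
            /var/log/nagios/*)
                if [ -n "$dir" ]; then
                    printf '%s=%s/%s\n' "$key" "$dir" "${val#/var/log/nagios/}"
                    continue
                fi ;;
        esac
        printf '%s\n' "$line"
    done
}

# Print (do not run) the labeling commands for the directories a rewritten
# config would use. /var/log/nagios is assumed to be labeled already by the
# shipped policy, so only /var/lib and /run entries are emitted.
label_commands() {
    relocate_cfg | awk -F= '
        $2 ~ /^\/var\/lib\/nagios\// { lib = 1 }
        $2 ~ /^\/run\/nagios\//     { run = 1 }
        END {
            if (lib) print "semanage fcontext -a -t nagios_var_lib_t \"/var/lib/nagios(/.*)?\""
            if (run) print "semanage fcontext -a -t nagios_var_run_t \"/run/nagios(/.*)?\""
            if (lib) print "restorecon -Rv /var/lib/nagios"
            if (run) print "restorecon -Rv /run/nagios"
        }'
}

# Stand-alone run: show the rewritten config, then the labeling plan.
printf '%s\n' "$SAMPLE_CFG" | relocate_cfg
printf '%s\n' "$SAMPLE_CFG" | label_commands
```

After applying the printed commands and pointing nagios.cfg at the new paths, `ls -Z /var/lib/nagios /run/nagios` and `matchpathcon /run/nagios/status.dat` confirm the labels match what the allow rules above expect; anything still denied then shows up in the audit log with the type nagios actually hit, rather than a guess.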