Bug 431841
| Field | Value |
|---|---|
| Summary | nagios avc denials |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 8 |
| Hardware | All |
| OS | All |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | low |
| Reporter | Jaroslav Franek <jarin.franek> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| Fixed In Version | Current |
| Doc Type | Bug Fix |
| Last Closed | 2008-02-21 18:18:16 UTC |
Description
Jaroslav Franek
2008-02-07 09:38:29 UTC
Created attachment 295321 [details]
nagios policy file contexts vs actual security context
Created attachment 295322 [details]
SELinux reports on denials
Adding the state after an (almost) fresh nagios install (please see the attachment nagios_info.f8.txt):

```shell
# cat /etc/selinux/targeted/contexts/files/file_contexts | grep nagios
# rpm -qa | grep sel
# rpm -qa | grep nagios
# rpm -ql nagios | xargs ls -alZ
```

There are a few strange points:

1) The file context `/usr/bin/nagios -- system_u:object_r:nagios_exec_t:s0` does not refer to a valid file, as nagios is installed in /usr/sbin/nagios.

2) There is however /usr/bin/nagiostats, for which there is no nagios-specific labeling defined; I am not sure whether it is needed or not.

3) I am not sure whether /usr/sbin/p1.pl deserves the nagios security context or not.

4) Despite having the rule `/usr/lib(64)?/cgi-bin/nagios(/.+)? system_u:object_r:httpd_nagios_script_exec_t:s0`, all the cgi scripts and the cgi-bin directory itself have the security context system_u:object_r:lib_t:s0, which actually triggers the AVC denials.

Please see the attachment nagios_avc_denials.fc8.tar.gz (please note that the policy has been upgraded to the latest since the time the denials were detected, therefore nagios_info.f8.txt refers to the newer policy).

Note that the issue was duplicated on the latest Fedora 7 (i686) with exactly the same symptoms.

Oh, sorry for spamming, I just noticed the reason why 4) in comment #3 does not work. It is not cgi-bin/nagios but nagios/cgi-bin, the same as with the original Bug #266341 I thought already fixed. So pointing to /usr/lib(64)?/cgi-bin/nagios(/.+)? in my previous comment is wrong. We need a new rule created for /usr/lib(64)?/nagios/cgi-bin

Fixed in selinux-policy-3.0.8-87.fc8

Tested selinux-policy-3.0.8-87.fc8 and a fresh install of nagios. The fix works fine for me. Thanks.
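The mismatch reported above (a file_contexts regex written for cgi-bin/nagios while the package installs nagios/cgi-bin) can be checked offline before filing a report. The script below is an added example, not part of the bug report or of libselinux: it models file_contexts matching in a simplified way (each regex must match the whole path, the last matching rule wins), uses constructed rule and path lists, and the form of the added nagios/cgi-bin rule is assumed from the report's wording rather than taken from the shipped policy.

```python
import re

CGI_T = "system_u:object_r:httpd_nagios_script_exec_t:s0"

# Constructed, simplified excerpt of file_contexts rules as they stood in the
# report: the nagios CGI rule expects cgi-bin/nagios, but the package installs
# nagios/cgi-bin. Generic rules are shortened for clarity.
OLD_RULES = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/usr/lib(64)?(/.*)?", "system_u:object_r:lib_t:s0"),
    (r"/usr/bin/nagios", "system_u:object_r:nagios_exec_t:s0"),
    (r"/usr/lib(64)?/cgi-bin/nagios(/.+)?", CGI_T),
]
# The rule the reporter asked for, in the form the report's wording implies
# (assumed; the exact line shipped in the fixed policy is not on the page).
NEW_RULES = OLD_RULES + [(r"/usr/lib(64)?/nagios/cgi-bin(/.+)?", CGI_T)]

# Constructed list of paths the nagios package installs, per the report.
INSTALLED = [
    "/usr/sbin/nagios",
    "/usr/lib/nagios/cgi-bin",
    "/usr/lib/nagios/cgi-bin/status.cgi",
    "/usr/lib64/nagios/cgi-bin/tac.cgi",
]

def lookup(rules, path):
    """Label a path the way file_contexts matching does, simplified: each
    regex must match the whole path and the last matching rule wins."""
    context = None
    for regex, ctx in rules:
        if re.fullmatch(regex, path):
            context = ctx
    return context

def mislabeled(rules, paths, expected):
    """Paths whose rule-derived context differs from the expected one."""
    return [p for p in paths if lookup(rules, p) != expected]

def dead_rules(rules, paths):
    """Rules matching none of the installed paths: stale patterns such as
    /usr/bin/nagios (the binary lives in /usr/sbin) or cgi-bin/nagios."""
    return [regex for regex, _ in rules
            if not any(re.fullmatch(regex, p) for p in paths)]

if __name__ == "__main__":
    cgi = [p for p in INSTALLED if "cgi-bin" in p]
    print("old policy mislabels:", mislabeled(OLD_RULES, cgi, CGI_T))
    print("new policy mislabels:", mislabeled(NEW_RULES, cgi, CGI_T))
    print("rules that match nothing:", dead_rules(OLD_RULES, INSTALLED))
```

On a real system the same check is what `matchpathcon` or `restorecon -nv` answer against the installed policy; the script only shows why the old regex could never fire.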