Bug 595835

Summary: selinux breaks nagios
Product: Fedora
Component: selinux-policy-targeted
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: 13
Hardware: All
OS: Linux
Reporter: Vadym Chepkov <vchepkov>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: domg444, dominick.grift, dwalsh
Fixed In Version: selinux-policy-3.7.19-28.fc13
Doc Type: Bug Fix
Last Closed: 2010-06-08 19:28:14 UTC

Description Vadym Chepkov 2010-05-25 18:20:16 UTC
selinux-policy-targeted-3.7.19-15.fc13.noarch

The following AVC observed

type=AVC msg=audit(1274807269.739:39): avc:  denied  { getattr } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc:  denied  { open } for  pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc:  denied  { read } for  pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.740:41): avc:  denied  { ioctl } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

audit2allow suggests adding

files_read_usr_files(nagios_t)
which seems to be reasonable.


Another AVC

type=AVC msg=audit(1274807288.135:43): avc:  denied  { read write } for  pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file

Dominick Grift suggested:
"
There is a domain transition for nagios_t to ping_t which probably should be removed:

netutils_domtrans_ping(nagios_t)

.. and be replaced by:

netutils_exec(nagios_t)

"
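
The denials in this report and in comment 11 are easiest to reason about once they are reduced to (source type, target type, class, permissions) tuples, which is what audit2allow does before printing rules. The following parser is an added example, not code from the bug report or from the selinux-policy package; the sample records are the report's own AVC lines, embedded here with the extraction damage repaired (the `ino=` key in the ping record is assumed).

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, with line breaks and
# trailing "----" from the extracted page removed; "ino=3824" is assumed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1274807269.739:39): avc:  denied  { getattr } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc:  denied  { open } for  pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807288.135:43): avc:  denied  { read write } for  pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 ino=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
type=AVC msg=audit(1275505666.071:43): avc:  denied  { sigkill } for  pid=6524 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process
"""

# Pull the permission set and the two security contexts out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(':')[2]

def parse_avcs(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore
        records.append((context_type(m['scontext']), context_type(m['tcontext']),
                        m['tclass'], frozenset(m['perms'].split())))
    return records

def summarize(records):
    """Merge denials that share (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in records:
        merged[(src, tgt, tclass)] |= perms
    return {key: ' '.join(sorted(perms)) for key, perms in merged.items()}

def allow_rules(summary):
    """Render allow-rule skeletons. Review each one: the ping_t -> nagios_log_t
    rule points at a leaked descriptor (comment 2), which is fixed in the policy
    or the program, not by granting the access."""
    return [f'allow {s} {t}:{c} {{ {p} }};' for (s, t, c), p in sorted(summary.items())]
```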

Comment 1 Dominick Grift 2010-05-25 18:46:27 UTC
netutils_exec_ping(nagios_t), I guess, yes.

Comment 2 Dominick Grift 2010-05-25 18:51:56 UTC
Actually, it looks like a leaked file descriptor, or maybe nagios is redirecting ping's stdout to the log file.

Comment 3 Miroslav Grepl 2010-05-27 06:38:34 UTC
Dan,
I have sent you a patch.

Comment 4 Daniel Walsh 2010-05-27 19:01:35 UTC
Fixed in selinux-policy-3.7.19-22.fc13.noarch

Comment 5 Fedora Update System 2010-05-28 12:28:03 UTC
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 6 Fedora Update System 2010-05-31 18:20:05 UTC
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 7 Vadym Chepkov 2010-06-02 08:05:03 UTC
I got an error during install:

  Updating       : selinux-policy-targeted-3.7.19-22.fc13.noarch            4/8 
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Comment 8 Miroslav Grepl 2010-06-02 08:54:10 UTC
Fixed in selinux-policy-3.7.19-23.fc13.noarch.

Vadym, 
you can pull this build out of koji for now.

Comment 9 Vadym Chepkov 2010-06-02 11:47:48 UTC
Installed selinux-policy-3.7.19-23.fc13.noarch, no issues so far.
Thank you.

Comment 10 Fedora Update System 2010-06-02 18:12:10 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13

Comment 11 Vadym Chepkov 2010-06-02 19:42:44 UTC
One more AVC:

type=AVC msg=audit(1275505666.071:43): avc:  denied  { sigkill } for  pid=6524 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process

Comment 12 Miroslav Grepl 2010-06-03 12:21:08 UTC
Fixed in selinux-policy-3.7.19-24.fc13

Comment 13 Fedora Update System 2010-06-08 19:26:33 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-06-14 19:29:44 UTC
selinux-policy-3.7.19-28.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13

Comment 15 Fedora Update System 2010-06-23 17:46:35 UTC
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.