Bug 710881 - Need a new context for nagios work files

Product: Fedora
Component: nagios
Version: 15
Status: CLOSED WONTFIX
Reporter: Vadym Chepkov <vchepkov>
Assignee: Keiran Smith <affix>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, jose.p.oliveira.oss, lemenkov, linux, ondrejj
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-07 19:51:01 UTC

Description Vadym Chepkov 2011-06-05 13:39:30 UTC
There is a series of nagios plugins which have to record the previous call's status in a file.
For example, check_snmp_uptime. It records the previous uptime of a monitored server in a bdb file and generates an ERROR state if, during the next call, the uptime is lower than the previous one.
Unfortunately, there is no suitable context for files like that. Even nagios_system_plugin_tmp_t doesn't fit the bill.

# ausearch -m avc -ts today
----
time->Thu May 26 07:13:23 2011
type=SYSCALL msg=audit(1306408403.157:422): arch=40000003 syscall=5 success=yes exit=3 a0=90368a8 a1=80c2 a2=1b6 a3=9026770 items=0 ppid=27717 pid=27718 auid=4294967295 uid=498 gid=493 euid=498 suid=498 fsuid=498 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="check_snmp_upti" exe="/usr/bin/perl" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1306408403.157:422): avc:  denied  { read write open } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.157:422): avc:  denied  { create } for  pid=27718 comm="check_snmp_upti" name="__db.t100" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.157:422): avc:  denied  { add_name } for  pid=27718 comm="check_snmp_upti" name="__db.t100" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir
type=AVC msg=audit(1306408403.157:422): avc:  denied  { write } for  pid=27718 comm="check_snmp_upti" name="uptime" dev=dm-2 ino=208 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir
----
time->Thu May 26 07:13:23 2011
type=SYSCALL msg=audit(1306408403.158:423): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfdab0b0 a2=541ff4 a3=64 items=0 ppid=27717 pid=27718 auid=4294967295 uid=498 gid=493 euid=498 suid=498 fsuid=498 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="check_snmp_upti" exe="/usr/bin/perl" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1306408403.158:423): avc:  denied  { getattr } for  pid=27718 comm="check_snmp_upti" path="/var/spool/nagios/uptime/__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
----
time->Thu May 26 07:13:23 2011
type=SYSCALL msg=audit(1306408403.168:424): arch=40000003 syscall=38 success=yes exit=0 a0=93ecf70 a1=90368a8 a2=91b048 a3=64 items=0 ppid=27717 pid=27718 auid=4294967295 uid=498 gid=493 euid=498 suid=498 fsuid=498 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="check_snmp_upti" exe="/usr/bin/perl" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1306408403.168:424): avc:  denied  { rename } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.168:424): avc:  denied  { remove_name } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir

----
time->Thu May 26 07:31:48 2011
type=SYSCALL msg=audit(1306409508.204:434): arch=40000003 syscall=195 success=yes exit=0 a0=8cb7c68 a1=bfdf8030 a2=423ff4 a3=64 items=0 ppid=28479 pid=28480 auid=4294967295 uid=498 gid=493 euid=498 suid=498 fsuid=498 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="check_snmp_upti" exe="/usr/bin/perl" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1306409508.204:434): avc:  denied  { getattr } for  pid=28480 comm="check_snmp_upti" path="/var/spool/nagios/uptime/t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
----
time->Thu May 26 07:31:48 2011
type=SYSCALL msg=audit(1306409508.205:435): arch=40000003 syscall=5 success=yes exit=3 a0=8cb7c68 a1=8002 a2=0 a3=88f5770 items=0 ppid=28479 pid=28480 auid=4294967295 uid=498 gid=493 euid=498 suid=498 fsuid=498 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="check_snmp_upti" exe="/usr/bin/perl" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1306409508.205:435): avc:  denied  { open } for  pid=28480 comm="check_snmp_upti" name="t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306409508.205:435): avc:  denied  { read write } for  pid=28480 comm="check_snmp_upti" name="t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
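The denial lines above are the raw material for deciding what a policy fix has to grant. The script below is an added example, not part of the bug report or of the Fedora policy: it reduces AVC lines such as these to the `allow` rules audit2allow would propose, one per (source type, target type, class), so a maintainer can see at a glance that the plugin needs create/open/read/write/rename on files plus add_name/remove_name/write on the directory, and then decide whether to grant that on an existing type or introduce a new one as the thread discusses. The sample input is constructed from the AVC lines in this report; the function name `avc_to_allow` is this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): turn SELinux AVC denial lines into
# the allow rules they imply, for review before any policy change is loaded.
# The sample is constructed from the denial lines pasted in the report.

AVC_SAMPLE='type=AVC msg=audit(1306408403.157:422): avc:  denied  { read write open } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.157:422): avc:  denied  { create } for  pid=27718 comm="check_snmp_upti" name="__db.t100" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.157:422): avc:  denied  { add_name } for  pid=27718 comm="check_snmp_upti" name="__db.t100" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir
type=AVC msg=audit(1306408403.157:422): avc:  denied  { write } for  pid=27718 comm="check_snmp_upti" name="uptime" dev=dm-2 ino=208 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1306408403.157:422): arch=40000003 syscall=5 success=yes exit=3 comm="check_snmp_upti"
type=AVC msg=audit(1306408403.168:424): avc:  denied  { rename } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=file
type=AVC msg=audit(1306408403.168:424): avc:  denied  { remove_name } for  pid=27718 comm="check_snmp_upti" name="__db.t100" dev=dm-2 ino=379 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_system_plugin_tmp_t:s0 tclass=dir'

# avc_to_allow: read audit records on stdin, keep only AVC denials, and print
# one "allow <src> <tgt>:<class> { perms };" line per source/target/class
# triple, with the permissions of all matching denials merged and sorted.
# Non-AVC records (SYSCALL, CWD, PATH ...) are ignored.
avc_to_allow() {
    awk '
    /^type=AVC / && / denied / {
        # the permission set is the word list between "{" and "}"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # contexts look like user:role:type:level; policy rules use only the type
        split(src, a, ":"); split(tgt, b, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print a[3], b[3] ":" cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $3
        } else {
            perms = perms " " $3
        }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Stand-alone run over the constructed sample. On a live system the input
# would come from: ausearch -m avc -ts today --raw | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

The output is the same shape audit2allow prints, which makes it easy to compare against what `sesearch --allow` already shows for the domain (as in comment 2): every rule that comes out of `avc_to_allow` and is absent from `sesearch` is something the policy does not currently grant.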

Comment 1 Miroslav Grepl 2011-06-06 08:39:27 UTC
Ok, so you did not add the "nagios_system_plugin_tmp_t" label for a directory and this happens by default, right?

Comment 2 Vadym Chepkov 2011-06-06 15:47:45 UTC
No, I created the directory /var/spool/nagios/uptime and applied nagios_system_plugin_tmp_t to it, since nagios_spool_t didn't have any of the required permissions.

[root@fedora ~]# sesearch --allow --source nagios_services_plugin_t --target nagios_spool_t

Comment 3 Miroslav Grepl 2011-06-07 11:32:48 UTC
I don't understand why you needed to create the "uptime" directory in the /var/spool/nagios directory?

Shouldn't this be done by the plugin? Then you should get different AVC messages.

Comment 4 Vadym Chepkov 2011-06-08 12:25:59 UTC
The plugin doesn't create any directories; it expects a path where it should create a data file.
From the SELinux policy point of view it would be logical to have a separate directory for all these files.
Typical nagios plugins don't need any temporary files; this one is somewhat unique and doesn't come with the "standard" plugins, I installed it myself.

nagios comes with /var/log/nagios and /var/spool/nagios, so I thought it would be reasonable to use the latter.

I obviously can create my own type and labels, but I thought someone else would also benefit from it; that's why I asked the question on the mailing list first, but was told to create a bug report.

Comment 5 Miroslav Grepl 2011-06-08 13:17:29 UTC
I can add a new type, but the problem is that a user will need to run chcon because the directory will not be in the rpm payload.

But maybe plugins could have access to the nagios_spool_t type.

Comment 6 Vadym Chepkov 2011-06-08 22:30:25 UTC
I think /var/spool/nagios/cmd is used to be able to send commands from apache to nagios; there is probably a reason why plugins don't have access to it.

Comment 7 Miroslav Grepl 2011-10-07 14:25:52 UTC
Is the comment #4 right from the nagios point of view?

Comment 8 Fedora Admin XMLRPC Client 2012-03-18 21:49:50 UTC
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Comment 9 Fedora End Of Life 2012-08-07 19:51:03 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping