| Summary: | Package pnp4nagios doesn't log, and says permission denied | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Geert Booster <geert> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DEFERRED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | dwalsh, geert, linux, ondrejj |
| Target Milestone: | rc | ||
| Target Release: | 6.4 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-27 22:58:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Geert Booster
2012-04-05 11:18:09 UTC
By the way: Used CentOS 6.2. Even if I can fix these doble slashes, in Linux double slashes should be ignored. For example try this: touch //tmp///test Will /tmp/test exist? Do you have some other security enhancements like selinux or apparmour? I am aware of the ignores of //, so I was thinking about selinux too after submitting this bug. Tested it with disabled selinux, works indeed. Still, it seems weird to me, that it does create /var/log/pnp4nagios/perfdata.log when using /var/log/pnp4nagios/perfdata.log in LOG_FILE instead of //perfdata.log. So, the feature request is to make pnp4nagios selinux ready? Am I undestand properly, that with selinux disabled this is not a bug? Can you try this build, if it's better? http://koji.fedoraproject.org/koji/buildinfo?buildID=311795 Without selinux, everything is working fine. Shall I try the new build with selinux in enforcing mode? Or are we sure that we need to specify selinux rules to let pnp4nagios work? (In reply to comment #5) > Without selinux, everything is working fine. > Shall I try the new build with selinux in enforcing mode? Yes, sure. This build fixes double slash paths only. > Or are we sure that we need to specify selinux rules to let pnp4nagios work? If this update will not work, we can try to change component of this bug to selinux-policy-targeted. (In reply to comment #6) > (In reply to comment #5) > > Or are we sure that we need to specify selinux rules to let pnp4nagios work? > > If this update will not work, we can try to change component of this bug to > selinux-policy-targeted. Tried the new build, double slashes are indeed fixed, but in selinux enforcing mode, it look likes the system doesn't write any rrd files. Not fully sure, but I can't rebuild my environment to reproduce it on this system, and I don't actually have a virtual dev/test machine with CentOS 6 in my own lab. I will test it again in my lab environment when possible, but I think we can change this bug to a feature request, to fix selinux-policy-targeted rules, or to document this pnp4nagios version doesn't work really well with selinux in enforcing mode. If you consider that this is a selinux-policy bug, please change product to RHEL6 and component to selinux-policy. Can't find selinux-policy in the RHEL6 list, I'm sorry Yes, we need to add a support for pnp4nagios. Could you attach AVC msgs which you are getting? And also # ps -efZ |grep initrc I am sorry, I didn't reproduce the problem in 2013, because we did choose to turn selinux off on this backend machine. I am not sure if pnp4nagios support is implemented yet, but it is a bit difficult for me to reproduce this setup... |