Bug 967774
Summary: | nrpe_t wants to read the var_t:dir | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Attila Fazekas <afazekas> |
Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ami Jeain <ajeain> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 3.0 | CC: | afazekas, lhh, mgrepl, yeylon |
Target Milestone: | rc | | |
Target Release: | 4.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-12-03 21:53:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Attila Fazekas
2013-05-28 10:02:20 UTC
Could you also attach AVC msgs?

The current messages from the /var/log/audit/audit.log:

```
type=AVC msg=audit(1376314068.155:52960): avc: denied { read } for pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc: denied { read } for pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314668.183:55575): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6820ff63 a1=100 a2=0 a3=90 items=0 ppid=9323 pid=9324 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315268.610:57882): avc: denied { read } for pid=11096 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315268.610:57882): arch=c000003e syscall=2 success=no exit=-13 a0=7fff90a21f63 a1=100 a2=0 a3=90 items=0 ppid=11095 pid=11096 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315868.237:60189): avc: denied { read } for pid=12893 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315868.237:60189): arch=c000003e syscall=2 success=no exit=-13 a0=7fff49b55f63 a1=100 a2=0 a3=90 items=0 ppid=12892 pid=12893 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
```

It is a default packstack installation + nagios is an enabled service.

We allow it in Fedora.

```
#============= nrpe_t ==============
#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;
```

And it has also been added to RHEL 6.5.

This was a RHEL 6.5 bug and is resolved in the 6.5 selinux-policy erratum: http://rhn.redhat.com/errata/RHBA-2013-1598.html
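Until the updated selinux-policy package is installed, the usual stopgap for a denial like this is a local policy module built from the AVC records with `audit2allow -M`. As an added example, not code from the bug report or from openstack-selinux, the POSIX shell script below does that aggregation by hand so the resulting rule can be read before anything is loaded: it picks the `type=AVC` records out of an audit log, collects the denied permissions per (source type, target type, object class) tuple, and prints a `.te` module in the same `#============= nrpe_t ==============` layout shown in the comment above. The sample records are constructed: the first three are copied from this bug (one SYSCALL record is kept to show it is ignored), and the last `getattr` denial is invented only to show how permissions on one tuple are merged. The module name `nrpe_local` and the `build_and_load` helper are assumptions, and the helper is not executed.

```shell
#!/bin/sh
# Added example (not from the bug report): build a minimal SELinux .te module
# from AVC denials, roughly what "audit2allow -M <name>" does.

sample_avc() {
    # Constructed sample input. First three records come from this bug;
    # the final getattr denial is invented to demonstrate permission merging.
    cat <<'EOF'
type=AVC msg=audit(1376314068.155:52960): avc:  denied  { read } for  pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc:  denied  { read } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1376314668.183:55576): avc:  denied  { getattr } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# avc_to_te MODULE_NAME  (AVC records on stdin, .te module on stdout)
avc_to_te() {
    mod=${1:-local}
    # Pass 1: one "T type" / "C class perm" / "A src tgt class perm" tuple per
    # fact, so that "sort -u" deduplicates the repeated denials and gives a
    # stable order. Only AVC records carry scontext/tcontext/tclass.
    awk '
    /type=AVC/ && / denied / {
        s = $0
        sub(/.*denied +[{] */, "", s)    # keep only "{ perm perm ... }"
        sub(/ *[}].*/, "", s)
        n = split(s, perms, " ")
        st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (st == "" || tt == "" || cls == "") next
        print "T " st; print "T " tt
        for (i = 1; i <= n; i++) {
            print "C " cls " " perms[i]
            print "A " st " " tt " " cls " " perms[i]
        }
    }' | LC_ALL=C sort -u | awk -v mod="$mod" '
    # Pass 2: assemble require block and allow rules from the sorted tuples.
    function fmt(p,   n, arr) {
        sub(/^ /, "", p)
        n = split(p, arr, " ")
        return n == 1 ? p : "{ " p " }"
    }
    $1 == "T" { types = types "    type " $2 ";\n" }
    $1 == "C" { if (!($2 in cperm)) corder[++nc] = $2; cperm[$2] = cperm[$2] " " $3 }
    $1 == "A" {
        k = $2 " " $3 ":" $4
        if (!(k in rperm)) { rorder[++nr] = k; rsrc[k] = $2 }
        rperm[k] = rperm[k] " " $5
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n%s", mod, types
        for (i = 1; i <= nc; i++) printf "    class %s %s;\n", corder[i], fmt(cperm[corder[i]])
        print "}\n"
        src = ""
        for (i = 1; i <= nr; i++) {
            k = rorder[i]
            if (rsrc[k] != src) { src = rsrc[k]; printf "#============= %s ==============\n", src }
            printf "allow %s %s;\n", k, fmt(rperm[k])
        }
    }'
}

# build_and_load MODULE_NAME: compile MODULE_NAME.te and insert it. Needs root
# and the checkpolicy/policycoreutils tools; assumed helper, not run here.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Print the module for the constructed sample (write it to nrpe_local.te to
# feed build_and_load). Expected single rule: allow nrpe_t var_t:dir { getattr read };
sample_avc | avc_to_te nrpe_local
```

Such a module widens what nrpe_t may do on every host it is installed on, so read the generated rule before loading it; here it should be exactly the `read` on `var_t` directories that the Fedora policy and the RHEL 6.5 erratum linked above already carry, and nothing broader. Live records can be pulled with `ausearch -m avc -ts recent` in place of `sample_avc`, and the local module is removed with `semodule -r nrpe_local` once the distribution policy update is installed.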