Bug 1022729 - nagios fails to start with selinux enforcing
nagios fails to start with selinux enforcing
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2013-10-23 17:03 EDT by Ralph Bean
Modified: 2014-02-17 16:58 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-02-17 16:58:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ralph Bean 2013-10-23 17:03:21 EDT
Description of problem:

nagios fails to start when selinux is enforcing

Steps to Reproduce:
1. set selinux enforcing
2. install nagios
3. start nagios

Actual results:

nagios fails to start and the following lines appear in audit.log

type=AVC msg=audit(1382560915.041:76533): avc:  denied  { read } for  pid=22198 comm="nagios" name="checkresults" dev="vda" ino=136157 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1382560915.041:76533): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fdc36a2e990 a2=90800 a3=0 items=0 ppid=22197 pid=22198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
type=SERVICE_START msg=audit(1382560915.050:76534): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nagios" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Expected results:

nagios starts

Additional info:

I tried using audit2allow to create a module to get around this, but it failed to load for some reason.
Comment 1 Ralph Bean 2014-02-13 10:56:25 EST
Reassigning to component selinux-policy-targeted.  I think that's the right place; please correct me if I'm wrong.
Comment 2 Lukas Vrabec 2014-02-17 08:52:00 EST

Could you paste here output of: "$rpm -q selinux-policy"

I have actual selinux-policy packages (selinux-policy-3.12.1-74.18.fc19.noarch) and everything is all right.

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:dir read;

Could update your selinux-policy package and re-test it? 

Thank you.
Comment 3 Ralph Bean 2014-02-17 16:58:32 EST
Confirmed: it is working now.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.