Nagios seems to have some problems trying to kill off one of its checks when it either can't reach the other host or the process starts timing out. When it tries to kill its checking plugin, it gets denied:

This is using selinux-policy-3.6.32-82.fc12

node=chicago.messinet.com type=AVC msg=audit(1265474065.53:42575): avc: denied { sigkill } for pid=30592 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=process
node=chicago.messinet.com type=SYSCALL msg=audit(1265474065.53:42575): arch=c000003e syscall=62 success=yes exit=132 a0=0 a1=9 a2=1916fa0 a3=7fff4c7a3a30 items=0 ppid=1 pid=30592 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
Miroslav, add:

allow nagios_t nagios_$1_plugin_t:process signal_perms;
Fixed in selinux-policy-3.6.32-86.fc12
Using selinux-policy-targeted-3.6.32-89.fc12.noarch, I get the following errors (the example here is for the "check_disk" plugin, but the same error occurs regardless of the plugin -- other plugins generate similar errors).

# check_disk
node=chicago.messinet.com type=AVC msg=audit(1266520448.211:11996): avc: denied { read write } for pid=23313 comm="check_disk" path="/var/log/nagios/spool/checkresults/checkRZ5OF9" dev=sdd3 ino=4736020 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1266520448.211:11996): arch=c000003e syscall=59 success=yes exit=0 a0=1bb1d70 a1=1bb1dd0 a2=1bae1c0 a3=40 items=0 ppid=23312 pid=23313 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)

# check_load
node=chicago.messinet.com type=AVC msg=audit(1266520443.161:11995): avc: denied { read write } for pid=23305 comm="check_load" path="/var/log/nagios/spool/checkresults/checkAKKOKh" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1266520443.161:11995): arch=c000003e syscall=59 success=yes exit=0 a0=d7ad20 a1=d77ab0 a2=d77260 a3=30 items=0 ppid=23304 pid=23305 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_load" exe="/usr/lib64/nagios/plugins/check_load" subj=system_u:system_r:nagios_system_plugin_t:s0 key=(null)

# check_nrpe
node=chicago.messinet.com type=AVC msg=audit(1266520454.231:11997): avc: denied { read write } for pid=23330 comm="check_nrpe" path="/var/log/nagios/spool/checkresults/checksLqF31" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1266520454.231:11997): arch=c000003e syscall=59 success=yes exit=0 a0=909d70 a1=906ad0 a2=906280 a3=30 items=0 ppid=23329 pid=23330 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_nrpe" exe="/usr/lib64/nagios/plugins/check_nrpe" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
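An added example, not part of the original report or of the selinux-policy project: a short Python script that reduces the AVC records quoted in this report to one candidate rule per (source type, target type, class), which shows that every plugin domain is denied the same access to nagios_log_t. It is a simplified stand-in for what audit2allow does; the function names are illustrative, and the output is a triage summary, not a reviewed policy change.

```python
import re
from collections import defaultdict

# AVC records copied from this report (node= prefix and SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1265474065.53:42575): avc: denied { sigkill } for pid=30592 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=process
type=AVC msg=audit(1266520448.211:11996): avc: denied { read write } for pid=23313 comm="check_disk" path="/var/log/nagios/spool/checkresults/checkRZ5OF9" dev=sdd3 ino=4736020 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
type=AVC msg=audit(1266520443.161:11995): avc: denied { read write } for pid=23305 comm="check_load" path="/var/log/nagios/spool/checkresults/checkAKKOKh" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
type=AVC msg=audit(1266520454.231:11997): avc: denied { read write } for pid=23330 comm="check_nrpe" path="/var/log/nagios/spool/checkresults/checksLqF31" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and any other record types are skipped
        key = (selinux_type(m.group("scon")),
               selinux_type(m.group("tcon")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in rules.items()}

def as_allow_rules(rules):
    """Render the grouped denials in policy-rule syntax for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE)):
        print(rule)
```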
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.