selinux-policy-targeted-3.7.19-15.fc13.noarch

The following AVC observed

type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----

audit2allow suggests adding

files_read_usr_files(nagios_t)

which seems to be reasonable.

Another AVC

type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file

Dominick Grift suggested:

"There is a domain transition for nagios_t to ping_t which probably should be removed:

netutils_domtrans_ping(nagios_t)

.. and be replaced by:

netutils_exec(nagios_t)"
netutils_exec_ping(nagios_t) I guess, yes.
Actually, this looks like a leaked file descriptor, or maybe nagios is redirecting ping stdout to the log file.
Dan, I have sent you a patch.
Fixed in selinux-policy-3.7.19-22.fc13.noarch
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13
I got an error during install:

Updating : selinux-policy-targeted-3.7.19-22.fc13.noarch 4/8
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
Fixed in selinux-policy-3.7.19-23.fc13.noarch. Vadym, you can pull this build out of koji for now.
Installed selinux-policy-3.7.19-23.fc13.noarch, no issues so far. Thank you.
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13
One more AVC:

type=AVC msg=audit(1275505666.071:43): avc: denied { sigkill } for pid=6524 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process
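Added example, not part of the original report and not code from audit2allow or the selinux-policy project: Python that groups the AVC denials quoted in this report by source type, target type and object class, and renders each group in raw allow-rule form so the requested access can be reviewed before choosing a policy interface. The sample records are abridged from the report (pid, dev and inode fields dropped), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: denials from this report, abridged (pid/dev/inode fields dropped).
SAMPLE = """\
type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for comm="nagios" path="/usr/share/perl5/strict.pm" scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc: denied { open } for comm="nagios" name="strict.pm" scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc: denied { read } for comm="nagios" name="strict.pm" scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for comm="nagios" path="/usr/share/perl5/strict.pm" scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
type=AVC msg=audit(1275505666.071:43): avc: denied { sigkill } for comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)

def context_type(context):
    # A context is user:role:type:level; the type is always the third field.
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC lines and "----" separators are skipped
            key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render the grouped denials as raw allow rules, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        body = joined if len(perms) == 1 else "{ " + joined + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE)):
        print(rule)
```

The four strict.pm records collapse into a single nagios_t to usr_t rule, while the ping_t access to nagios_log_t stands out as its own rule, which is the one the thread attributes to the domain transition or a leaked descriptor rather than to missing read access.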
Fixed in selinux-policy-3.7.19-24.fc13
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.7.19-28.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.