Bug 595835 - selinux breaks nagios
Summary: selinux breaks nagios
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-05-25 18:20 UTC by Vadym Chepkov
Modified: 2010-06-23 17:48 UTC (History)

Fixed In Version: selinux-policy-3.7.19-28.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-08 19:28:14 UTC
Type: ---
Embargoed:



Description Vadym Chepkov 2010-05-25 18:20:16 UTC
selinux-policy-targeted-3.7.19-15.fc13.noarch

The following AVCs were observed:

type=AVC msg=audit(1274807269.739:39): avc:  denied  { getattr } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc:  denied  { open } for  pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc:  denied  { read } for  pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.740:41): avc:  denied  { ioctl } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

audit2allow suggests adding

files_read_usr_files(nagios_t)
which seems to be reasonable.


Another AVC

type=AVC msg=audit(1274807288.135:43): avc:  denied  { read write } for  pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file

Dominick Grift suggested:
"
There is a domain transition for nagios_t to ping_t which probably should be removed:

netutils_domtrans_ping(nagios_t)

.. and be replaced by:

netutils_exec(nagios_t)

"

Comment 1 Dominick Grift 2010-05-25 18:46:27 UTC
netutils_exec_ping(nagios_t), I guess, yes.

Comment 2 Dominick Grift 2010-05-25 18:51:56 UTC
Actually looks like leaked file descriptor or maybe nagios is redirecting ping stdout to the log file.

Comment 3 Miroslav Grepl 2010-05-27 06:38:34 UTC
Dan,
I have sent you a patch.

Comment 4 Daniel Walsh 2010-05-27 19:01:35 UTC
Fixed in selinux-policy-3.7.19-22.fc13.noarch

Comment 5 Fedora Update System 2010-05-28 12:28:03 UTC
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 6 Fedora Update System 2010-05-31 18:20:05 UTC
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 7 Vadym Chepkov 2010-06-02 08:05:03 UTC
I got an error during install:

  Updating       : selinux-policy-targeted-3.7.19-22.fc13.noarch            4/8 
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Comment 8 Miroslav Grepl 2010-06-02 08:54:10 UTC
Fixed in selinux-policy-3.7.19-23.fc13.noarch.

Vadym, 
you can pull this build out of koji for now.

Comment 9 Vadym Chepkov 2010-06-02 11:47:48 UTC
Installed selinux-policy-3.7.19-23.fc13.noarch, no issues so far.
Thank you.

Comment 10 Fedora Update System 2010-06-02 18:12:10 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13

Comment 11 Vadym Chepkov 2010-06-02 19:42:44 UTC
One more AVC :

type=AVC msg=audit(1275505666.071:43): avc:  denied  { sigkill } for  pid=6524 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process
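
Added example, not part of this bug report or of the Fedora policy package: a small Python script that parses the kinds of AVC record quoted in this thread (embedded below as constructed sample input), groups the denials by source type, target type and object class, and applies a heuristic that tells a plain read denial apart from the inherited-descriptor case in comment 2 and the cross-domain signal case in comment 11. The classify() heuristic and its `parent` argument are my own assumptions, not anything the policy tooling provides.

```python
import re
from collections import defaultdict

# Constructed sample input: the three kinds of AVC record quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1274807269.739:39): avc:  denied  { getattr } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.740:41): avc:  denied  { ioctl } for  pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807288.135:43): avc:  denied  { read write } for  pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 ino=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
type=AVC msg=audit(1275505666.071:43): avc:  denied  { sigkill } for  pid=6524 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:.*?path="(?P<path>[^"]+)")?.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Parse one AVC record into a dict; the type (third colon field) is what policy rules key on."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scon"].split(":")[2]  # e.g. nagios_t
    d["ttype"] = d["tcon"].split(":")[2]  # e.g. nagios_log_t
    return d

def classify(avc, parent="nagios"):
    """Heuristic (assumption): which of the three situations seen in this bug does a denial match?"""
    if avc["tclass"] == "process" and avc["stype"] != avc["ttype"]:
        return "cross-domain signal: parent and child run in different domains"
    if avc["tclass"] == "file" and avc["stype"] != parent + "_t" and avc["ttype"].startswith(parent + "_"):
        return "child domain touching parent's own files: inherited descriptor or redirected output"
    if avc["tclass"] == "file" and set(avc["perms"]) <= {"getattr", "open", "read", "ioctl"}:
        return "read-only access to a generic file type"
    return "unclassified"

def summarize(text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            groups[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for line in SAMPLE_AVCS.splitlines():
        print(classify(parse_avc(line)))
    print(summarize(SAMPLE_AVCS))
```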

Comment 12 Miroslav Grepl 2010-06-03 12:21:08 UTC
Fixed in selinux-policy-3.7.19-24.fc13

Comment 13 Fedora Update System 2010-06-08 19:26:33 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-06-14 19:29:44 UTC
selinux-policy-3.7.19-28.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13

Comment 15 Fedora Update System 2010-06-23 17:46:35 UTC
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
