Summary:

SELinux is preventing /usr/sbin/nagios (deleted) "read" access on mdstat.

Detailed Description:

SELinux denied access requested by nagios. It is not expected that this access is required by nagios and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:nagios_t:s0
Target Context                system_u:object_r:proc_mdstat_t:s0
Target Objects                mdstat [ file ]
Source                        nagios
Source Path                   /usr/sbin/nagios (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-73.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-61.fc13.x86_64 #1 SMP Tue Oct 19 04:06:30 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 02 Dec 2010 19:38:16 GMT
Last Seen                     Thu 02 Dec 2010 19:38:16 GMT
Local ID                      380fc12c-3e2a-4b3a-bc5a-9efc335e86b8
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1291318696.105:89716): avc: denied { read } for pid=16351 comm="nagios" name="mdstat" dev=proc ino=4026531929 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1291318696.105:89716): arch=c000003e syscall=2 success=no exit=-13 a0=126db10 a1=0 a2=1b6 a3=7f67ce6ddd40 items=0 ppid=16350 pid=16351 auid=500 uid=483 gid=467 euid=483 suid=483 fsuid=483 egid=467 sgid=467 fsgid=467 tty=(none) ses=1 comm="nagios" exe=2F7573722F7362696E2F6E6167696F73202864656C6574656429 subj=unconfined_u:system_r:nagios_t:s0 key=(null)

Hash String generated from catchall,nagios,nagios_t,proc_mdstat_t,file,read

audit2allow suggests:

#============= nagios_t ==============
allow nagios_t proc_mdstat_t:file read;
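An added example, not part of the original report or of setroubleshoot: a small Python parser that reads the two raw audit records above, derives the same allow rule that audit2allow suggests, and decodes the hex-encoded exe field. The function names are hypothetical and the sample records are trimmed copies of the ones in the report.

```python
import errno
import re

# Constructed sample: the two raw audit records from the report above,
# with the node= field and most SYSCALL fields dropped for brevity.
AVC = ('type=AVC msg=audit(1291318696.105:89716): avc: denied { read } for '
       'pid=16351 comm="nagios" name="mdstat" dev=proc ino=4026531929 '
       'scontext=unconfined_u:system_r:nagios_t:s0 '
       'tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1291318696.105:89716): arch=c000003e '
           'syscall=2 success=no exit=-13 pid=16351 comm="nagios" '
           'exe=2F7573722F7362696E2F6E6167696F73202864656C6574656429 '
           'subj=unconfined_u:system_r:nagios_t:s0 key=(null)')

def fields(record):
    """Split one audit record into a dict of its key=value pairs."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_string(value):
    """Decode a string-typed audit field (exe, comm, name)."""
    # The audit subsystem quotes strings it considers safe and hex-encodes the
    # rest (here the space in " (deleted)"). Numeric fields such as arch also
    # look like hex, so call this on string fields only.
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def avc_to_rule(record):
    """Build the allow rule that matches one AVC denial record."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', record)
    if not denied:
        raise ValueError('not an AVC denial record')
    f = fields(record)
    perms = denied.group(1).split()
    source = f['scontext'].split(':')[2]  # user:role:type:level
    target = f['tcontext'].split(':')[2]
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {source} {target}:{f['tclass']} {perm};"

def explain(avc, syscall):
    """Join the AVC and SYSCALL records of one audit event."""
    s = fields(syscall)
    return {'rule': avc_to_rule(avc), 'exe': decode_string(s['exe']),
            'errno': errno.errorcode[-int(s['exit'])]}

if __name__ == '__main__':
    print(explain(AVC, SYSCALL))
```

The decoded exe value ends in " (deleted)", which the kernel appends when the running binary's file has been unlinked, for example after a package update without a service restart.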
See also bug 659442.
Fixed in selinux-policy-3.7.19-75.fc13
selinux-policy-3.7.19-76.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-76.fc13
Just updated to selinux-policy-3.7.19-76.fc13 but still not allowing access:

Summary:

SELinux is preventing /usr/sbin/nagios "read" access on mdstat.

Detailed Description:

SELinux denied access requested by nagios. It is not expected that this access is required by nagios and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:nagios_t:s0
Target Context                system_u:object_r:proc_mdstat_t:s0
Target Objects                mdstat [ file ]
Source                        nagios
Source Path                   /usr/sbin/nagios (deleted)
Port                          <Unknown>
Host                          gigalith.gloomytrousers.co.uk
Source RPM Packages           nagios-3.2.3-7.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-76.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gigalith.gloomytrousers.co.uk
Platform                      Linux gigalith.gloomytrousers.co.uk 2.6.34.7-61.fc13.x86_64 #1 SMP Tue Oct 19 04:06:30 UTC 2010 x86_64 x86_64
Alert Count                   1127
First Seen                    Thu 02 Dec 2010 19:38:16 GMT
Last Seen                     Fri 10 Dec 2010 14:43:56 GMT
Local ID                      380fc12c-3e2a-4b3a-bc5a-9efc335e86b8
Line Numbers

Raw Audit Messages

node=gigalith.gloomytrousers.co.uk type=AVC msg=audit(1291992236.697:106566): avc: denied { read } for pid=3764 comm="nagios" name="mdstat" dev=proc ino=4026531929 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file

node=gigalith.gloomytrousers.co.uk type=SYSCALL msg=audit(1291992236.697:106566): arch=c000003e syscall=2 success=no exit=-13 a0=1d07560 a1=0 a2=1b6 a3=7fcf6080cd40 items=0 ppid=3763 pid=3764 auid=500 uid=483 gid=467 euid=483 suid=483 fsuid=483 egid=467 sgid=467 fsgid=467 tty=(none) ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
selinux-policy-3.7.19-76.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-76.fc13
selinux-policy-3.7.19-76.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Re-opening as per comment 4.
Fixed in selinux-policy-3.7.19-77.fc13
selinux-policy-3.7.19-77.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13
Got some errors when installing:

[root@gigalith ~]# rpm -Fvh http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.7.19/77.fc13/noarch/selinux-policy-targeted-3.7.19-77.fc13.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.7.19/77.fc13/noarch/selinux-policy-3.7.19-77.fc13.noarch.rpm
Retrieving http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.7.19/77.fc13/noarch/selinux-policy-targeted-3.7.19-77.fc13.noarch.rpm
Retrieving http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.7.19/77.fc13/noarch/selinux-policy-3.7.19-77.fc13.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.context_from_record: type system_munin_plugin_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:system_munin_plugin_exec_t:s0 to sid
invalid context system_u:object_r:system_munin_plugin_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
Can't stat exclude path "/var/lib/BackupPC", No such file or directory - ignoring.

And I'm still getting the denial:

Summary:

SELinux is preventing /usr/sbin/nagios "read" access on mdstat.

Detailed Description:

SELinux denied access requested by nagios. It is not expected that this access is required by nagios and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:nagios_t:s0
Target Context                system_u:object_r:proc_mdstat_t:s0
Target Objects                mdstat [ file ]
Source                        nagios
Source Path                   /usr/sbin/nagios
Port                          <Unknown>
Host                          gigalith.gloomytrousers.co.uk
Source RPM Packages           nagios-3.2.3-7.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-77.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gigalith.gloomytrousers.co.uk
Platform                      Linux gigalith.gloomytrousers.co.uk 2.6.34.7-61.fc13.x86_64 #1 SMP Tue Oct 19 04:06:30 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 21 Dec 2010 15:40:27 GMT
Last Seen                     Tue 21 Dec 2010 16:10:27 GMT
Local ID                      44686df4-bc7c-4ac9-85d7-e0026a6b8c47
Line Numbers

Raw Audit Messages

node=gigalith.gloomytrousers.co.uk type=AVC msg=audit(1292947827.47:130316): avc: denied { read } for pid=9149 comm="nagios" name="mdstat" dev=proc ino=4026531929 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file

node=gigalith.gloomytrousers.co.uk type=SYSCALL msg=audit(1292947827.47:130316): arch=c000003e syscall=2 success=no exit=-13 a0=21b28d0 a1=0 a2=1b6 a3=7fc0e7748d40 items=0 ppid=9148 pid=9149 auid=500 uid=483 gid=467 euid=483 suid=483 fsuid=483 egid=467 sgid=467 fsgid=467 tty=(none) ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
selinux-policy-3.7.19-77.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13
The label for munin is fixed in selinux-policy-3.7.19-78.fc13. You can download and install the latest selinux-policy and selinux-policy-targeted packages from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=211200
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-80.fc13
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.