Hide Forgot
Summary: SELinux is preventing /bin/ping access to a leaked /usr/local/nagios/var/spool/checkresults/checka7zXzh file descriptor. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by the ping command. It looks like this is either a leaked descriptor or ping output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /usr/local/nagios/var/spool/checkresults/checka7zXzh. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Additional Information: Source Context unconfined_u:system_r:ping_t:s0 Target Context unconfined_u:object_r:usr_t:s0 Target Objects /usr/local/nagios/var/spool/checkresults/checka7zX zh [ file ] Source ping Source Path /bin/ping Port <Unknown> Host (removed) Source RPM Packages iputils-20071127-12.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-57.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name leaks Host Name (removed) Platform Linux localhost.localdomain 2.6.34.7-56.fc13.i686 #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686 Alert Count 5 First Seen Sat 29 Jan 2011 22:42:03 GMT Last Seen Sat 29 Jan 2011 23:09:31 GMT Local ID e1e74871-78fd-4be5-8ebe-d01f046471ca Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1296342571.335:117): avc: denied { read write } for pid=29340 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checka7zXzh" dev=dm-0 ino=541599 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1296342571.335:117): arch=40000003 syscall=11 success=yes exit=0 a0=8480a00 a1=8480a30 a2=bfc13dd8 a3=8480a1b items=0 ppid=29339 pid=29340 auid=500 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null) Hash String generated from leaks,ping,ping_t,usr_t,file,read,write audit2allow suggests: #============= ping_t ============== allow ping_t usr_t:file { read write };
This is a leak file descriptor which we dontaudit in the policy. But you use non-standard location. Did you setup check_result_path=/var/log/nagios/spool/checkresults to /usr/local/nagios/var/spool/checkresults It looks so. So you can fix the location, you can dontaudit it using # grep ping /var/log/audit/audit.log | audit2allow mynagios # semodule -i mynagios.pp or you can execute # semanage fcontext -a -e /var/log/nagios /usr/local/nagios/var/spool/checkresults # restorecon -R -v /usr/local/nagios/var/spool/checkresults Which will label your location as nagios_log_t.