Red Hat Bugzilla – Bug 819958
SELinux is preventing ping from read, write access on the arquivo /usr/local/nagios/var/spool/checkresults/checkzPfPWg.
Last modified: 2012-05-09 01:45:37 EDT
libreport version: 2.0.8 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.4-3.fc16.i686 reason: SELinux is preventing ping from read, write access on the arquivo /usr/local/nagios/var/spool/checkresults/checkzPfPWg. time: Ter 08 Mai 2012 14:50:02 BRT description: :SELinux is preventing ping from read, write access on the arquivo /usr/local/nagios/var/spool/checkresults/checkzPfPWg. : :***** Plugin catchall_labels (83.8 confidence) suggests ******************** : :If você quer permitir que ping tenha acesso read write no checkzPfPWg file :Then you need to change the label on /usr/local/nagios/var/spool/checkresults/checkzPfPWg :Do :# semanage fcontext -a -t FILE_TYPE '/usr/local/nagios/var/spool/checkresults/checkzPfPWg' :where FILE_TYPE is one of the following: puppet_tmp_t, user_cron_spool_t, afs_cache_t, ping_t, nagios_tmp_t. :Then execute: :restorecon -v '/usr/local/nagios/var/spool/checkresults/checkzPfPWg' : : :***** Plugin catchall (17.1 confidence) suggests *************************** : :If you believe that ping should be allowed read write access on the checkzPfPWg file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep ping /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:ping_t:s0 :Target Context system_u:object_r:usr_t:s0 :Target Objects /usr/local/nagios/var/spool/checkresults/checkzPfP : Wg [ file ] :Source ping :Source Path ping :Port <Desconhecido> :Host (removed) :Source RPM Packages :Target RPM Packages :Policy RPM selinux-policy-3.10.0-84.fc16.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.4-3.fc16.i686 #1 SMP Thu May 3 : 15:01:22 UTC 2012 i686 i686 :Alert Count 8 :First Seen Ter 08 Mai 2012 14:33:34 BRT :Last Seen Ter 08 Mai 2012 14:45:24 BRT :Local ID 8598adc4-9c23-4e1b-a069-44b931891e63 : :Raw Audit Messages :type=AVC msg=audit(1336499124.73:117): avc: denied { read write } for pid=32686 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkzPfPWg" dev="dm-1" ino=273615 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file : : :Hash: ping,ping_t,usr_t,file,read,write : :audit2allow : :#============= ping_t ============== :allow ping_t usr_t:file { read write }; : :audit2allow -R : :#============= ping_t ============== :allow ping_t usr_t:file { read write }; :
The alert tells you that you could fix this by adding a label, nagios_tmp_t looks like a good candidate. This is probably a leaked file descriptor, is ping supposed to write to this file? Why aren't you using the nagios package that ships with Fedora?
Yes, this works with Fedora nagios.