audit2allow </var/log/audit/audit.log

#============= nrpe_t ==============
allow nrpe_t var_t:dir read;
Could you also attach AVC msgs?
The current messages from the /var/log/audit/audit.log:

type=AVC msg=audit(1376314068.155:52960): avc: denied { read } for pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc: denied { read } for pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314668.183:55575): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6820ff63 a1=100 a2=0 a3=90 items=0 ppid=9323 pid=9324 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315268.610:57882): avc: denied { read } for pid=11096 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315268.610:57882): arch=c000003e syscall=2 success=no exit=-13 a0=7fff90a21f63 a1=100 a2=0 a3=90 items=0 ppid=11095 pid=11096 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315868.237:60189): avc: denied { read } for pid=12893 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315868.237:60189): arch=c000003e syscall=2 success=no exit=-13 a0=7fff49b55f63 a1=100 a2=0 a3=90 items=0 ppid=12892 pid=12893 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)

It is a Default packstack installation + nagios is an enabled service.
We allow it in Fedora.

#============= nrpe_t ==============
#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;
And also has been added to RHEL6.5.
This was a RHEL 6.5 bug and is resolved in the 6.5 selinux-policy erratum: http://rhn.redhat.com/errata/RHBA-2013-1598.html
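
Added example, not part of the original bug report or of any Red Hat tooling: a small Python summarizer that collapses repeated AVC denials like the ones quoted above into one rule line per (source type, target type, class), in the same shape audit2allow prints, and tolerates records that have been run together on one line. The third sample record and the names `example_t` and `check_example` are constructed placeholders.

```python
import re
from collections import defaultdict

# First two AVC records are copied from the report (SYSCALL record shortened);
# the third is constructed: example_t / check_example are placeholder names.
SAMPLE = (
    'type=AVC msg=audit(1376314068.155:52960): avc: denied { read } for pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir '
    'type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 comm="df" exe="/bin/df" '
    'type=AVC msg=audit(1376314668.183:55575): avc: denied { read } for pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1376314700.000:55600): avc: denied { getattr open } for pid=9400 comm="check_example" path="/example" scontext=system_u:system_r:nrpe_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=file\n'
)

# Matches one denial; the tempered "rest" group stops at the next "type="
# so a malformed record cannot swallow fields from the record after it.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<rest>(?:(?!\btype=).)*?)'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)',
    re.DOTALL,
)

def se_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for m in AVC_RE.finditer(text):
        g = groups[(se_type(m["s"]), se_type(m["t"]), m["c"])]
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        comm = re.search(r'comm="([^"]*)"', m["rest"])
        if comm:
            g["comms"].add(comm.group(1))
    return groups

def to_rules(groups):
    """Render each group as an allow rule, bracing multi-permission sets."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in to_rules(summarize(SAMPLE)):
        print(rule)
```

The per-group `count` and `comms` fields show how often each denial fired and from which command, which helps when deciding whether a denial is one recurring check (here `df` run by NRPE) or several unrelated accesses.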