On Fri, 2 Oct 2009, Andreas Bock wrote:
> After some research I found what follows in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1254468284.696:233): avc: denied { read } for
> pid=7291 comm="nagios" name="checkresults" dev=sda2 ino=486245
> scontext=root:system_r:nagios_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir
>
> SELinux denies nagios access to /var/nagios/spool/checkresults.
> But in /var/selinux/targeted/nagios.te one can read:
>
> module nagios 1.0;
1.0? Where have you got that .te file from?
selinux-policy-* in EL5 includes 1.1.0 (and grants getattr and search
but not read on var_t to nagios_t).
> Next I tried to grant access to /var/nagios with:
>
> # chcon -R -r system_r -t nagios_t nagios
> chcon: failed to change context of nagios to
> system_u:system_r:nagios_t: Permission denied
nagios_t is a domain (i.e. a process type). You cannot use it for
filesystem objects.
Try nagios_spool_t or nagios_tmp_t. (Do not forget to add a permanent
labeling rule with semanage fcontext -a if it works.)
You can look at the current version of refpolicy.
Or (assuming you use the targeted policy) you can reset the type of the Nagios
binary to sbin_t in order to prevent the transition to nagios_t and let it run
under unconfined_t.
On Fri, 2 Oct 2009, Christoph Maser wrote:
> The biggest problem here is that CentOS ships with nagios
> selinux-definitions though it does not ship nagios, so I am not able to
> make my own nagios-selinux-module.
You can use semodule to get rid of the standard "nagios" module
and replace it with your own.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
_______________________________________________
users mailing list
[email protected]
http://lists.rpmforge.net/mailman/listinfo/users
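The following is an added example, not code from the thread or from the nagios or refpolicy projects. It takes the AVC line Andreas posted, shows the allow rule that audit2allow would derive from it (which would grant nagios_t read on every var_t directory, the "fix" you do not want), and then prints the persistent labeling fix Pavel suggests: a semanage fcontext rule plus restorecon. The spool path /var/nagios/spool and the file type nagios_spool_t are assumptions taken from the thread; confirm the type exists in your loaded policy with `seinfo -t nagios_spool_t` before relying on it.

```shell
#!/bin/sh
# Added example (not part of the original thread). Maps an AVC denial to a
# TE allow rule, and prints the labeling fix that avoids needing that rule.

# Constructed sample input: the denial quoted in the thread, joined on one line.
AVC='type=AVC msg=audit(1254468284.696:233): avc: denied { read } for pid=7291 comm="nagios" name="checkresults" dev=sda2 ino=486245 scontext=root:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# Assumed spool location and file type (not confirmed by the thread).
SPOOL=/var/nagios/spool
SPOOL_TYPE=nagios_spool_t

# Extract one key=value field from an AVC line: avc_field "$line" tclass
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component of a context user:role:type:level (nagios_t from
# root:system_r:nagios_t:s0).  Pavel's point: this is a domain, so it is
# never a valid type for a file or directory.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permission list between "denied {" and "}", whitespace trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed -e 's/^ *//' -e 's/ *$//'
}

# The rule audit2allow would emit for this denial.  Loading it would let
# nagios_t read *all* var_t directories, which is why relabeling is better.
avc_to_te() {
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$sdom" "$ttype" "$tclass" "$(avc_perms "$1")"
}

# The labeling fix: a persistent fcontext rule (survives relabels, unlike
# chcon) followed by a relabel of the tree.  Only prints the commands.
spool_label_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$SPOOL_TYPE" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Apply the fix for real when the tools exist and we are root; otherwise
# fall back to showing what would be run.
apply_spool_label() {
    if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        semanage fcontext -a -t "$SPOOL_TYPE" "$1(/.*)?"
        restorecon -Rv "$1"
    else
        spool_label_cmds "$1"
    fi
}

echo "# rule audit2allow would generate (too broad: read on every var_t dir):"
avc_to_te "$AVC"
echo "# preferred fix: give the spool directory its own type:"
spool_label_cmds "$SPOOL"
```

After the relabel, `ls -Zd /var/nagios/spool` should show the new type instead of var_t; if nagios still logs denials, the next AVC line names the correct tcontext to work from. If you do end up needing a custom policy module instead (the Christoph case), `semodule -r nagios` removes the shipped module, and `checkmodule -M -m -o nagios.mod nagios.te && semodule_package -o nagios.pp -m nagios.mod && semodule -i nagios.pp` loads your own.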