On Tuesday, 11.01.2011, 23:40 +0100, Pavel Kankovsky wrote:
> On Wed, 5 Jan 2011, Scott Reese wrote:
>
> > Since the files aren't where the SELinux policy expects them to be, it
> > generates denials and Nagios doesn't work.
>
> Denials are caused by incorrect contexts. And contexts are not initialized
> correctly because files and directories are not at expected places.
>
> Missing file context rules can be added with "semanage fcontext" and
> existing files and directories relabeled with "fixfiles restore".
>
> Anyway, the easiest solution would probably be to change the package
> layout to follow FHS, as expected by the standard policy and its file
> context rules.

Yes, there are some improvements to be done, but the policy shipped in RHEL 5 certainly is also incomplete. It's missing /var/run/nagios.* and /var/spool/nagios(/.*)? in the file context. Which means that

a) Nagios has to be started as root to create the pid file. Yes, I know Nagios drops privileges, but it reads the config before dropping privs on startup. If the permissions are wrong on the configs, a runtime config reload can cause failures.

b) checkresultdir has to be under /var/log, but it should be under /var/spool.

So, what do we do? And btw. newer releases of selinux-policies have that fixed (e.g. in Fedora 14). That means another bunch of conditionals in the spec :(

> > Yury had previously asked if the SELinux policy could be packaged and
> > shipped with the Nagios RPMs.
>
> This is probably something that should be avoided because the policy
> module needs to be installed separately. RPM does not label new objects
> correctly if a new policy is installed together with affected packages
> (this happened several times during the lifetime of RHEL 5).

Interesting, I am just working on integrating SELinux policies in Icinga packages, I will have an eye on that. If what you say is true this should be considered a bug in RPM, after all there is a %policy section....

_______________________________________________
users mailing list
users@lists.rpmforge.net
http://lists.rpmforge.net/mailman/listinfo/users
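The following is an added example, not code from the thread or from the Nagios/Icinga packages. It carries out what Pavel describes ("semanage fcontext" to register missing file context rules, then a relabel) for the two paths the reply says the RHEL 5 policy lacks. The SELinux type names nagios_var_run_t and nagios_spool_t are the ones the upstream nagios policy module uses for those paths; whether your installed policy defines them is an assumption you should verify first (`seinfo -t nagios_spool_t`), because `semanage fcontext -a` fails on an unknown type. The helper names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example: register the file contexts the thread says are missing
# from the RHEL 5 policy for Nagios, then relabel what is already on disk.
# Runs in dry-run mode by default so it only prints the commands.

# One "<selinux type> <path regex>" pair per line. The path patterns are the
# two named in the thread; the type names are assumed to exist in the
# installed policy (they do in the upstream nagios module).
nagios_fcontext_rules() {
    printf '%s\n' \
        'nagios_var_run_t /var/run/nagios.*' \
        'nagios_spool_t /var/spool/nagios(/.*)?'
}

# Turn each rule into the semanage command that records it persistently
# (semanage writes to the local file_contexts, so it survives policy updates).
nagios_semanage_cmds() {
    nagios_fcontext_rules | while read -r type regex; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    done
}

# Relabel files that already exist under those paths. "fixfiles restore"
# with no path does the same for the whole filesystem; restorecon -R is the
# targeted form used here.
nagios_relabel_cmds() {
    printf '%s\n' \
        'restorecon -Rv /var/run' \
        'restorecon -Rv /var/spool/nagios'
}

# Print the commands (DRY_RUN=1, the default) or execute them with sh -e so
# a failing semanage call stops before the relabel runs on the wrong rules.
nagios_apply() {
    if [ "${DRY_RUN:-1}" = 1 ] || ! command -v semanage >/dev/null 2>&1; then
        nagios_semanage_cmds
        nagios_relabel_cmds
        return 0
    fi
    { nagios_semanage_cmds; nagios_relabel_cmds; } | sh -e
}

nagios_apply
```

After applying for real (`DRY_RUN=0 sh nagios-fcontext.sh` as root), confirm with `semanage fcontext -l | grep nagios` that both rules are listed and with `ls -Z /var/spool/nagios` that the directory carries nagios_spool_t; if a pid file written by a root-started Nagios still denies, check `ausearch -m avc -c nagios` for the type actually assigned.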