SELinux and Nagios (Fedora 9 + Nagios)

Daniel J Walsh dwalsh at redhat.com
Wed Aug 20 10:52:57 UTC 2008



dbcooper wrote:
> Hello,
> 
> I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and all
> the needed plugs).
> 
> I'm getting the following messages when using SELinux in Target/Enabled
> mode.
> 
> My knowledge is very limited with SELinux and I'm trying to learn the proper
> way to troubleshoot/resolve issues on my own, and hopefully I can use
> this as my first learning curve with it.
> 
> Thanks for any suggestions.
> 
> ---------------------------------------------------------------------------------------------------------------
> Summary:
> 
> SELinux is preventing ping (ping_t) "read" to
> /var/spool/nagios/cmd/nagios.cmd
> (nagios_spool_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by ping. It is not expected that this access
> is
> required by ping and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:ping_t:s0
> Target Context                unconfined_u:object_r:nagios_spool_t:s0
> Target Objects                /var/spool/nagios/cmd/nagios.cmd [ fifo_file ]
> Source                        ping
> Source Path                   /bin/ping
> Port                          <Unknown>
> Host                         xxxxxxxxxx
> Source RPM Packages           iputils-20071127-2.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-84.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     xxxxxxxxxxxxxx
> Platform                      Linux xxxxxxxxxxxxx 2.6.25.14-108.fc9.i686 #1
>                               SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
> Alert Count                   23
> First Seen                    Sun 17 Aug 2008 02:06:45 AM EDT
> Last Seen                     Mon 18 Aug 2008 06:11:31 PM EDT
> Local ID                      67986880-653f-455c-88bb-5598d451bb14
> Line Numbers
> 
> Raw Audit Messages
> 
> host=xxxxxxxxxxx type=AVC msg=audit(1219097491.87:211): avc:  denied  { read
> } for  pid=6420 comm="ping" path="/var/spool/nagios/cmd/nagios.cmd" dev=dm-0
> ino=728571 scontext=system_u:system_r:ping_t:s0
> tcontext=unconfined_u:object_r:nagios_spool_t:s0 tclass=fifo_file
> 
> host=xxxxxxxxxxxxx type=SYSCALL msg=audit(1219097491.87:211): arch=40000003
> syscall=11 success=yes exit=0 a0=96dda38 a1=96ddb18 a2=bfec6ae4 a3=0 items=0
> ppid=6419 pid=6420 auid=4294967295 uid=493 gid=489 euid=0 suid=0 fsuid=0
> egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="ping"
> exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
> 
> ---------------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a classic leaked file descriptor.  Obviously ping has no
business reading the nagios spool file; it would know nothing about this
file, but nagios has an open file descriptor to the fifo_file when it
execs ping.  ping inherits the open file descriptor.  The kernel checks
the ping policy to see if ping can read the fifo file; when it finds it
can not, it reports a violation, closes the file descriptor for ping
and reopens it with /dev/null.  It then completes the startup of ping.

You should report this as a bug to nagios.  They should execute
fcntl(fd, F_SETFD, FD_CLOEXEC) on all open file descriptors before
fork/exec of any subprocess.

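The mechanism Dan describes, as an added example that is not code from the mailing list thread or from Nagios itself: a parent process holds an open descriptor (a pipe standing in for /var/spool/nagios/cmd/nagios.cmd), forks and execs /bin/sh, and the child can still see that descriptor until the parent marks it FD_CLOEXEC with fcntl(2). The child checks inheritance by testing whether /dev/fd/<n> exists after the exec, so the example assumes a POSIX system with /bin/sh and a /dev/fd directory (Linux, the BSDs, macOS). The function names are mine.

```c
/*
 * Added example: a leaked file descriptor across fork()/exec(), and the
 * FD_CLOEXEC fix from Dan's reply.  Not from the original post or from
 * Nagios.  Assumes /bin/sh and /dev/fd are available.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec /bin/sh, which reports whether descriptor `fd` is still
 * open in the exec'd program (/dev/fd/<fd> exists only for open fds).
 * Returns 1 if the child inherited the fd, 0 if not, -1 on error. */
static int child_inherits_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /dev/fd/%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* The fix: mark the descriptor close-on-exec.  Reads the current flags
 * first so any other FD_* bits are preserved.  Returns 0 or -1. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if FD_CLOEXEC is set on `fd`, 0 if not, -1 on error. */
static int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) != 0;
}

/* Stand-in for the daemon's open command FIFO: an in-process pipe, so the
 * example runs without touching the filesystem.  Returns 0 or -1. */
static int open_spool_like_fd(int *rfd, int *wfd)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    *rfd = p[0];
    *wfd = p[1];
    return 0;
}

/* Whole scenario: before the fix the child sees the fd (the leak that
 * produced the ping_t AVC); after set_cloexec() it does not.
 * Returns 1 when both observations hold, 0 otherwise. */
static int demo(void)
{
    int r, w;
    if (open_spool_like_fd(&r, &w) < 0)
        return 0;
    int leaked = child_inherits_fd(w);      /* expected: 1 */
    if (set_cloexec(w) < 0)
        return 0;
    int after = child_inherits_fd(w);       /* expected: 0 */
    close(r);
    close(w);
    return leaked == 1 && after == 0;
}

int main(void)
{
    int ok = demo();
    printf("leak observed before FD_CLOEXEC and gone after: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Setting the flag with F_SETFD after the fact leaves a window in multithreaded daemons where another thread can fork between open() and fcntl(); on kernels that support it, opening with O_CLOEXEC (or pipe2()/accept4() with the CLOEXEC variants) closes that gap atomically.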