nagios_log_t missing

Mon May 2 15:29:25 UTC 2005

Daniel J Walsh wrote:
> Farkas Levente wrote:
> 
>> Daniel J Walsh wrote:
>>
>>> Farkas Levente wrote:
>>>
>>>> hi,
>>>> there is a nagios_log_t and used in nagios.fc but never defined 
>>>> (missing). so when we try to apply it we got these errors:
>>>> ---------------------------------------------
>>>> # chcon -R -t nagios_log_t /var/log/nagios
>>>> chcon: failed to change context of /var/log/nagios to 
>>>> system_u:object_r:nagios_log_t: Invalid argument
>>>> chcon: failed to change context of /var/log/nagios/rw to 
>>>> system_u:object_r:nagios_log_t: Invalid argument
>>>> chcon: failed to change context of /var/log/nagios/archives to 
>>>> system_u:object_r:nagios_log_t: Invalid argument
>>>> chcon: failed to change context of /var/log/nagios/.bash_history to 
>>>> user_u:object_r:nagios_log_t: Invalid argument
>>>> ---------------------------------------------
>>>> how can i fix it?
>>>> dan could you create updated rpms which fix it in 
>>>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/ ?:-)
>>>> yours.
>>>>
>>> nagios policy is not used in RHEL4.  It should run unconfined_t.  We 
>>> are only supporting the subset of network daemons in targeted policy.
>>>
>>> Using strict or other policies in RHEL4 requires a separate support 
>>> contract, professional services engagement.
>>
>>
>>
>> ok. i only think that if nagios_log_t used in the current 
>> selinux-policy-targeted than (in nagios.fc) than it should have to be 
>> defined also. but it's definition currently missing from 
>> selinux-policy-targeted, which is imho a bug. that's what i'd like to 
>> report.
> 
> 
> We do not strip out fc files that we do not support.  The way the make 
> file and hence the RPM works is it looks for *.te files in the 
> domains/program directory and uses those names to choose the 
> file_context files.  We want to use the same policy source pool to
> supoort targeted, strict, mls ... policy.  And therefore get the best 
> bang for the buck from the open source community.  So think of the
> policy-src files like you do kernel sources.  Just because there is 
> stuff in there does not mean we support them.

the question what does the 'support' means? ie. in the kernel source 
there are unused part (ie. not compiled in the current kernel), but you 
can recompile it so you can use that part to. which means the source are 
coherent and there is not any reference to undefine type. in this case 
nagios.fc refere to a type nagios_log_t which is not defined anywhere. 
since you delete all unused .te files why? if you don't strip fc files 
while do you strip te files? why dont you simple ship with the 
policy-source and those who would like to use unsupported programs can 
simple add it (moved from unused to ..) and make reload. that owuld be 
much better, easier and cleaner the the current case when everyone start 
to hack their own systems. i'm sure many system used a few unsupported 
daemons.

>> another thing even if nagios run in unconfined_t is ok since the log 
>> files can be generated and the daemon is running, but the web 
>> interface of nagios not working since it's try to read it's log files 
>> under /var/log/nagios which is currently var_log_t (inherited from 
>> it's parent). so currently i've a few options:
>> - add a local.te as:
>>   allow httpd_sys_script_t var_log_t:dir search;
>>   allow httpd_sys_script_t var_log_t:file { getattr read };
>> - change /var/log/nagios to httpd_sys_content_t and add only
>>   allow httpd_sys_script_t var_log_t:dir search;
>> - change /var/log/nagios to nagios_log_t and add
>>   allow httpd_sys_script_t var_log_t:dir search;
>>   allow httpd_sys_script_t nagios_log_t:file { getattr read };
>> and imho the best solution would be to add this last one to the global 
>> policy.
>> yours.
>>
> How about adding
> chcon -R -t httpd_sys_script_ro_t /var/log/nagios
> 
> Then you don't need to change policy at all

still need to add:
allow httpd_sys_script_t var_log_t:dir search;

-- 
   Levente                               "Si vis pacem para bellum!"