Generating policies for Nagios on Fedora9 - difficulties

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 6 14:00:08 UTC 2008


On Thu, 2008-11-06 at 12:28 +0100, Dirk H. Schulz wrote:
> Hi folks,
> 
> I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try to 
> get it running together with SELinux.
> 
> I have piped the AVC denials from audit.log to audit2allow and generated 
> policies which I loaded using "semodule -i POLNAME.pp".
> 
> Now I have the weird state that:
> - Nagios still cannot check postfix' mailqueue with check_mailq
> - Nagios still cannot write emails to the mailqueue
> but there are no AVC denials any more in audit.log and Nagios stopped 
> logging to syslog (although it still works as seen on the web pages). There 
> are also no SETroubleshoot messages in /var/log/messages any more.
> 
> Setting "setenforce 0" makes Nagios run smoothly, so the problem is still 
> related to SELinux somehow, but since nothing shows up in the logs any more it 
> is quite difficult to troubleshoot.
> 
> Logging in general does work, e. g. I can find an "Error code 69 returned 
> from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the mailq 
> check. Changing the setenforce value leads to an entry in audit.log, so 
> even auditd logging partially works.
> 
> I have even restarted rsyslog with no effect.
> 
> How do I find out why SELinux is not logging completely any more?

semodule -DB will rebuild your policy with all dontaudit rules removed,
such that all denials should be audited (some are suppressed via
dontaudit to silence noise caused by common application/library
probing).  That will then generate a lot of avc messages, many of which
are of no interest and should not be allowed, but you should then be
able to find the one of interest as well.  After finding it, run
semodule -B to rebuild again with your dontaudit rules included.

> And by the way: I also had the phenomenon that auditd claimed lots of 
> denials of ping while Nagios did not have any difficulty pinging - that 
> does not look very trustworthy on the part of SELinux, does it?
> 

We'd have to see the actual avc messages to assess what is really
happening there.

-- 
Stephen Smalley
National Security Agency
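The `semodule -DB` step described above floods audit.log with denials that are normally silenced by dontaudit rules, most of them harmless probing. The script below is an added example (not part of the original thread or of Nagios/SELinux tooling): it reduces a stream of AVC records to the distinct denials for one source domain so the relevant one stands out before `semodule -B` restores the dontaudit rules. The sample audit lines, contexts and type names in it are constructed for illustration and are assumptions, not records from any real system.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended workflow on the host:
#   semodule -DB                      # rebuild policy without dontaudit rules
#   (reproduce the failing Nagios check, e.g. check_mailq)
#   avc_summary nagios_t < /var/log/audit/audit.log
#   semodule -B                       # rebuild again with dontaudit rules
# Only the filter itself runs here, over constructed sample records.

# Constructed sample AVC/SYSCALL records (assumed contexts, not real data).
SAMPLE_AUDIT='type=AVC msg=audit(1225978000.123:101): avc:  denied  { read } for  pid=1234 comm="check_mailq" name="active" dev=sda2 ino=99 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1225978000.124:102): avc:  denied  { write } for  pid=1235 comm="sendmail" name="maildrop" dev=sda2 ino=100 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1225978000.125:103): avc:  denied  { read } for  pid=1234 comm="check_mailq" name="active" dev=sda2 ino=99 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1225978000.126:104): avc:  denied  { search } for  pid=1236 comm="httpd" name="nagios" dev=sda2 ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1225978000.126:104): arch=c000003e syscall=2 success=no exit=-13'

# avc_summary DOMAIN
# Reads audit records on stdin and prints one line per distinct denial
# whose source context type is DOMAIN, as:  comm permissions tclass tcontext
avc_summary() {
    domain="$1"
    grep 'avc:  denied' |
    grep "scontext=[^ ]*:${domain}:" |
    sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \4 \3/p' |
    sort -u
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary nagios_t
```

Duplicate records (the same check failing on every run) collapse to one line, and denials from other domains such as httpd_t are dropped, so the output is short enough to read by hand. The lines that are left are the candidates to inspect; as the reply notes, many of them should not simply be allowed, so the summary is a starting point for judgment, not input for an automatic allow rule.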
