semodule: Failed!

John Oliver joliver at john-oliver.net
Tue Nov 10 19:17:16 UTC 2009


On Tue, Nov 10, 2009 at 02:51:49PM +0100, Dominick Grift wrote:
> On Mon, 2009-11-09 at 15:27 -0800, John Oliver wrote:
> > [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > audit2allow
> > 
> > 
> > #============= nagios_t ==============
> > allow nagios_t var_t:dir read;
> > [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > audit2allow -M nagios
> > ******************** IMPORTANT ***********************
> > To make this policy package active, execute:
> > 
> > semodule -i nagios.pp
> > 
> > [root at mda-services4 ~]# semodule -i nagios.pp
> > libsepol.print_missing_requirements: nagios's global requirements were
> > not met: type/attribute nagios_t
> > libsemanage.semanage_link_sandbox: Link packages failed
> > semodule:  Failed!
> > 
> > 
> > 
> > What on Earth does that mean???
> > 
> It means you (probably) did something that is not so smart:
> 
> My guess is that you have overwritten the distributed nagios module.

Ahh!

Actually, the distributed module wasn't installed at all, as nagios was
installed after the fact.  So, I removed mine and added the distributed
one, and nagios will start.  However, there's still at least one rule
missing from the distributed module (and yes, I updated the selinux
related RPMs):

type=AVC msg=audit(1257880340.235:135261): avc:  denied  { read write } for  pid=15599 comm="ping" path="/var/nagios/spool/checkresults/checkemlez9" dev=dm-0 ino=196622 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
[root at mda-services4 ~]# tail -50 /var/log/audit/audit.log | grep nagios | audit2allow


#============= ping_t ==============
allow ping_t var_t:file { read write };


libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.1
libselinux-python-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5_4.1

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************