semodule: Failed!

Daniel J Walsh dwalsh at redhat.com
Tue Nov 10 19:58:21 UTC 2009


On 11/10/2009 02:44 PM, Dominick Grift wrote:
> On Tue, 2009-11-10 at 11:17 -0800, John Oliver wrote:
>> On Tue, Nov 10, 2009 at 02:51:49PM +0100, Dominick Grift wrote:
>>> On Mon, 2009-11-09 at 15:27 -0800, John Oliver wrote:
>>>> [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log | audit2allow
>>>>
>>>>
>>>> #============= nagios_t ==============
>>>> allow nagios_t var_t:dir read;
>>>> [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log | audit2allow -M nagios
>>>> ******************** IMPORTANT ***********************
>>>> To make this policy package active, execute:
>>>>
>>>> semodule -i nagios.pp
>>>>
>>>> [root at mda-services4 ~]# semodule -i nagios.pp
>>>> libsepol.print_missing_requirements: nagios's global requirements were
>>>> not met: type/attribute nagios_t
>>>> libsemanage.semanage_link_sandbox: Link packages failed
>>>> semodule:  Failed!
>>>>
>>>>
>>>>
>>>> What on Earth does that mean???
>>>>
>>> It means you (probably) did something that is not so smart:
>>>
>>> My guess is that you have overwritten the distributed nagios module.
>>
>> Ahh!
>>
>> Actually, the distributed module wasn't installed at all, as nagios was
>> installed after the fact.  So, I removed mine and added the distributed
>> one, and nagios will start.  However, there's still at least one rule
>> missing from the distributed module (and yes, I updated the selinux
>> related RPMs):
>>
>> type=AVC msg=audit(1257880340.235:135261): avc:  denied  { read write } for  pid=15599 comm="ping" path="/var/nagios/spool/checkresults/checkemlez9" dev=dm-0 ino=196622 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>> [root at mda-services4 ~]# tail -50 /var/log/audit/audit.log | grep nagios | audit2allow
>>
>>
>> #============= ping_t ==============
>> allow ping_t var_t:file { read write };
>>
>>
>> libselinux-1.33.4-5.5.el5
>> libselinux-utils-1.33.4-5.5.el5
>> selinux-policy-2.4.6-255.el5_4.1
>> libselinux-python-1.33.4-5.5.el5
>> selinux-policy-targeted-2.4.6-255.el5_4.1
>>
> Yes, I bet the nagios policy is full of bugs.
> 
> A quick workaround to solve this issue is to label /var/nagios/spool/
> type nagios_spool_t and then use audit2allow to allow ping rw
> nagios_spool_t files:
> 
> echo "policy_module(mynagiospatch1, 0.0.1)" > mynagiospatch1.te
> echo "require { type nagios_spool_t, ping_t; }" >> mynagiospatch1.te
> echo "allow ping_t nagios_spool_t:file rw_file_perms;" >> mynagiospatch1.te
> # the file-context rule belongs in the .fc file; the devel Makefile picks it up by basename
> echo "/var/nagios/spool(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)" > mynagiospatch1.fc
> make -f /usr/share/selinux/devel/Makefile mynagiospatch1.pp
> semodule -i mynagiospatch1.pp
> restorecon -R -v /var/nagios/spool
> 
> Note that this is an ugly workaround and it should be deinstalled as soon
> as a solution is implemented in fedora policy (please report a bug)
> 
> My guess is that after this you will probably get more denials.
> 
> hth
> 
Why is nagios using /var/nagios/spool instead of /var/spool/nagios?
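The denial quoted above shows why audit2allow's literal suggestion (`allow ping_t var_t:file { read write };`) is the wrong fix: `var_t` is the generic label for everything under /var that has no more specific context, so that rule would let the ping domain write any such file, not just Nagios check results. The script below is an added example written for this thread, not part of the original post and not audit2allow itself. It parses AVC records the way audit2allow does, merges them into allow rules, and additionally flags denials whose target type is a generic one, which is the hint that the path should be relabelled (here to `nagios_spool_t`, as Dominick suggests) rather than allowed. The list of generic types and the second sample record are assumptions constructed for the example; the first record is the one quoted in the thread.

```python
"""Summarise SELinux AVC denials like audit2allow and flag likely mislabels.

Added example for this thread; not audit2allow and not from the original post.
"""
import re
from collections import defaultdict

# Generic catch-all types.  A denial against one of these usually means the
# file lacks a specific label, so the right fix is a file-context rule plus
# restorecon, not a broad allow.  This set is an assumption for the example.
GENERIC_TYPES = {"var_t", "var_lib_t", "var_run_t", "usr_t", "etc_t",
                 "tmp_t", "file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # file denials carry path=, directory denials usually carry name=
        "path": fields.get("path") or fields.get("name"),
        "comm": fields.get("comm"),
    }


def allow_rules(records):
    """Merge records into audit2allow-style rules keyed by (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1
                     else f"allow {s} {t}:{c} {p};")
    return rules


def mislabel_hints(records):
    """Paths denied under a generic target type: candidates for relabelling."""
    hints = {(r["path"], r["stype"], r["ttype"])
             for r in records if r["ttype"] in GENERIC_TYPES and r["path"]}
    return sorted(hints)


def summarize(log_text):
    records = [r for r in (parse_avc(l) for l in log_text.splitlines()) if r]
    return allow_rules(records), mislabel_hints(records)


# Constructed sample: the first AVC line is the one quoted in the thread, the
# SYSCALL line and the nagios_t directory denial are made up to match the
# earlier audit2allow output ("allow nagios_t var_t:dir read;").
SAMPLE_LOG = """\
type=AVC msg=audit(1257880340.235:135261): avc:  denied  { read write } for  pid=15599 comm="ping" path="/var/nagios/spool/checkresults/checkemlez9" dev=dm-0 ino=196622 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1257880340.235:135261): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1257880341.001:135262): avc:  denied  { read } for  pid=15600 comm="nagios" name="checkresults" dev=dm-0 ino=196600 scontext=user_u:system_r:nagios_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=dir
"""

if __name__ == "__main__":
    rules, hints = summarize(SAMPLE_LOG)
    print("# audit2allow-style rules (do not apply blindly):")
    for rule in rules:
        print(rule)
    print("# generic target types hit; consider a file-context rule + restorecon:")
    for path, stype, ttype in hints:
        print(f"{path}  ({stype} -> {ttype})")
```

When every hint points under one directory, as it does here with /var/nagios/spool, a single file-context line for that directory and a narrow `allow ping_t nagios_spool_t:file rw_file_perms;` (the workaround in the quoted reply) grants far less than the `var_t` rule audit2allow proposes.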