08-18-2008, 10:18 PM
dbcooper

SELinux and Nagios (Fedora 9 + Nagios)

Hello,

I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and all the needed plugs).

I'm getting the following messages when using SELinux in Target/Enabled mode.


My knowledge is very limited with SELinux and I'm trying to learn the proper way to troubleshoot/resolve issues on my own, and hopefully I can use
this as my first learning curve with it.

Thanks for any suggestions.


---------------------------------------------------------------------------------------------------------------
Summary:

SELinux is preventing ping (ping_t) "read" to /var/spool/nagios/cmd/nagios.cmd (nagios_spool_t).

Detailed Description:

SELinux denied access requested by ping. It is not expected that this access is
required by ping and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ping_t:s0
Target Context                unconfined_u:object_r:nagios_spool_t:s0
Target Objects                /var/spool/nagios/cmd/nagios.cmd [ fifo_file ]
Source                        ping
Source Path                   /bin/ping
Port                          <Unknown>
Host                          xxxxxxxxxx
Source RPM Packages           iputils-20071127-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     xxxxxxxxxxxxxx
Platform                      Linux xxxxxxxxxxxxx 2.6.25.14-108.fc9.i686 #1
                              SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   23
First Seen                    Sun 17 Aug 2008 02:06:45 AM EDT
Last Seen                     Mon 18 Aug 2008 06:11:31 PM EDT
Local ID                      67986880-653f-455c-88bb-5598d451bb14
Line Numbers

Raw Audit Messages

host=xxxxxxxxxxx type=AVC msg=audit(1219097491.87:211): avc: denied { read } for pid=6420 comm="ping" path="/var/spool/nagios/cmd/nagios.cmd" dev=dm-0 ino=728571 scontext=system_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_spool_t:s0 tclass=fifo_file

host=xxxxxxxxxxxxx type=SYSCALL msg=audit(1219097491.87:211): arch=40000003 syscall=11 success=yes exit=0 a0=96dda38 a1=96ddb18 a2=bfec6ae4 a3=0 items=0 ppid=6419 pid=6420 auid=4294967295 uid=493 gid=489 euid=0 suid=0 fsuid=0 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)


---------------------------------------------------------------------------------------------------------



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
08-19-2008, 08:31 AM
Ingemar Nilsson

SELinux and Nagios (Fedora 9 + Nagios)

dbcooper wrote:

> I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and
> all the needed plugs).
>
> I'm getting the following messages when using SELinux in Target/Enabled
> mode.
>
> My knowledge is very limited with SELinux and I'm trying to learn the
> proper way to troubleshoot/resolve issues on my own, and hopefully I can use
> this as my first learning curve with it.
>
> Thanks for any suggestions.
>
> ---------------------------------------------------------------------------------------------------------------
> Summary:
>
> SELinux is preventing ping (ping_t) "read" to
> /var/spool/nagios/cmd/nagios.cmd (nagios_spool_t).


I got that one too (on CentOS 5.1 and Nagios 2.12), but since I couldn't
fathom why ping should be able to read the nagios.cmd file, and ping
seemed to work anyway, I created an SELinux policy module that skipped
writing those messages to the audit log. In other words, I piped the
audit log message through "audit2allow -M nagiosping", which creates two
files, nagiosping.te and nagiosping.pp.


The .te file is the policy module source file, and the .pp file is the
binary package generated by compiling the source file. I edited the
source file and changed the "allow" to "dontaudit", with everything else
kept as it was. Then I compiled the module:


checkmodule -M -m -o nagiosping.mod nagiosping.te
semodule_package -m nagiosping.mod -o nagiosping.pp
rm nagiosping.mod

You need the checkpolicy package for the checkmodule command, and the
policycoreutils package for the semodule and semodule_package commands.
The .mod file is a temporary file, that's why I removed it. Then I
inserted it into the kernel:


semodule -i nagiosping.pp

And tada, no more "ping can't read from nagios.cmd" messages in the
audit log.


Regards
Ingemar

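
The module source that the post above describes (audit2allow output with the verb changed from allow to dontaudit), written out here as an added example rather than the poster's own file. The module name and version are assumed; the type and class names are taken from the AVC record in the original report:

```te
module nagiosping 1.0;

require {
        type ping_t;
        type nagios_spool_t;
        class fifo_file read;
}

#============= ping_t ==============
# audit2allow proposed: allow ping_t nagios_spool_t:fifo_file read;
# Changing the verb to dontaudit keeps the denial in force (ping_t still
# cannot read the FIFO) but stops the AVC message from reaching the audit
# log. Nothing about the leaked descriptor itself changes.
dontaudit ping_t nagios_spool_t:fifo_file read;
```

Build and load it with the checkmodule / semodule_package / semodule -i sequence given in the post, or let audit2allow emit the dontaudit form directly with its -D option. Afterwards `semodule -l | grep nagiosping` confirms the module is installed and `ausearch -m avc -c ping` should turn up no new records. Keep in mind what the rule does and does not do: it silences the report of the inherited descriptor, it does not close it. That closing only happens because ping_t is a confined domain that lacks the permission; a helper that runs unconfined keeps the handle to nagios.cmd.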
 
08-20-2008, 10:52 AM
Daniel J Walsh

SELinux and Nagios (Fedora 9 + Nagios)

dbcooper wrote:
> Hello,
>
> I've setup (via default yum repos) Nagios (nagios-2.11-3.fc9.i386 and all
> the needed plugs).
>
> I'm getting the following messages when using SELinux in Target/Enabled
> mode.
>
> My knowledge is very limited with SELinux and I'm trying to learn the proper
> way to troubleshoot/resolve issues on my own, and hopefully I can use
> this as my first learning curve with it.
>
> Thanks for any suggestions.
>
> ---------------------------------------------------------------------------------------------------------------
> Summary:
>
> SELinux is preventing ping (ping_t) "read" to
> /var/spool/nagios/cmd/nagios.cmd
> (nagios_spool_t).
>
> Detailed Description:
>
> SELinux denied access requested by ping. It is not expected that this access
> is
> required by ping and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:ping_t:s0
> Target Context unconfined_u:object_r:nagios_spool_t:s0
> Target Objects /var/spool/nagios/cmd/nagios.cmd [ fifo_file ]
> Source ping
> Source Path /bin/ping
> Port <Unknown>
> Host xxxxxxxxxx
> Source RPM Packages iputils-20071127-2.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-84.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name xxxxxxxxxxxxxx
> Platform Linux xxxxxxxxxxxxx 2.6.25.14-108.fc9.i686 #1
> SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
> Alert Count 23
> First Seen Sun 17 Aug 2008 02:06:45 AM EDT
> Last Seen Mon 18 Aug 2008 06:11:31 PM EDT
> Local ID 67986880-653f-455c-88bb-5598d451bb14
> Line Numbers
>
> Raw Audit Messages
>
> host=xxxxxxxxxxx type=AVC msg=audit(1219097491.87:211): avc: denied { read
> } for pid=6420 comm="ping" path="/var/spool/nagios/cmd/nagios.cmd" dev=dm-0
> ino=728571 scontext=system_u:system_r:ping_t:s0
> tcontext=unconfined_u:object_r:nagios_spool_t:s0 tclass=fifo_file
>
> host=xxxxxxxxxxxxx type=SYSCALL msg=audit(1219097491.87:211): arch=40000003
> syscall=11 success=yes exit=0 a0=96dda38 a1=96ddb18 a2=bfec6ae4 a3=0 items=0
> ppid=6419 pid=6420 auid=4294967295 uid=493 gid=489 euid=0 suid=0 fsuid=0
> egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="ping"
> exe="/bin/ping" subj=system_u:system_ring_t:s0 key=(null)
>
> ---------------------------------------------------------------------------------------------------------
This is a classic leaked file descriptor. Obviously ping has no
business reading the nagios spool file; it would know nothing about this
file, but nagios has an open file descriptor to the fifo_file when it
execs ping. ping inherits the open file descriptor. The kernel checks
the ping policy to see if ping can read the fifo file; when it finds it
cannot, it reports a violation, closes the file descriptor for ping
and reopens it with /dev/null. It then completes the startup of ping.

You should report this as a bug to nagios. They should execute
fcntl(fd, F_SETFD, FD_CLOEXEC) on all open file descriptors before
fork/exec of any subprocess.

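
The leak Walsh describes, and the FD_CLOEXEC fix he asks for, reproduced as an added example. This is not nagios's code and not part of the thread: a pipe stands in for the nagios.cmd FIFO, /bin/sh stands in for ping, and the descriptor number is handed to the child only as text in its command line, so the child can use it only if execve() let it through. The SYSCALL record in the original report is consistent with the check happening at that point (on i386, arch=40000003, syscall 11 is execve).

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec. It stays open in this process and in
 * forked children right up to execve(), which then closes it. This is the
 * fcntl(fd, F_SETFD, FD_CLOEXEC) call the reply above asks nagios to make.
 * Returns 0 on success, -1 on failure. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork, exec /bin/sh (standing in for ping) and make it try to write
 * through descriptor number wfd. It can only succeed if that number
 * survived execve(). rfd is the pipe's read end and must be non-blocking
 * so an empty pipe does not hang the parent.
 * Returns 1 if the child's data arrived (the descriptor leaked), 0 if it
 * did not, -1 on a fork/wait failure. */
static int child_wrote_through(int wfd, int rfd)
{
    char cmd[64];
    char buf[16] = {0};
    int status;

    /* stderr is silenced first so a "Bad file descriptor" from the failed
     * redirection does not clutter the output in the fixed case. */
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", wfd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;

    ssize_t n = read(rfd, buf, sizeof buf - 1);
    return (n > 0 && strncmp(buf, "leaked", 6) == 0) ? 1 : 0;
}

/* Open a pipe (the stand-in for nagios.cmd), optionally apply the
 * FD_CLOEXEC fix to its write end, spawn the child and report whether
 * the write end leaked into it. Returns 1 if leaked, 0 if not, -1 on error. */
int spawn_and_check(int apply_fix)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    int rfd = fds[0], wfd = fds[1];

    set_cloexec(rfd);                   /* the read end is never the child's business */
    fcntl(rfd, F_SETFL, O_NONBLOCK);    /* keep the parent's read from blocking */
    if (apply_fix)
        set_cloexec(wfd);               /* the fix: close the FIFO handle on exec */

    int leaked = child_wrote_through(wfd, rfd);
    close(wfd);
    close(rfd);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: descriptor leaked = %d\n", spawn_and_check(0));
    printf("with    FD_CLOEXEC: descriptor leaked = %d\n", spawn_and_check(1));
    return 0;
}
```

Two practical notes. First, the flag is per-descriptor, not per-file: a dup2() into a new descriptor number produces a copy without FD_CLOEXEC, so a program that sets up the child's stdin/stdout that way is fine as long as the original handles carry the flag. Second, for a program that opens its own files, requesting O_CLOEXEC in the open() call is simpler than enumerating descriptors before every fork, and closes the race window between open() and fcntl() in multithreaded code.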
 
