Linux Archive (http://www.linux-archive.org/) / Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
Fedora13 breaks nagios (http://www.linux-archive.org/fedora-selinux-support/376059-fedora13-breaks-nagios.html)

Vadym Chepkov 05-25-2010 05:11 PM

Fedora13 breaks nagios
 
Hi,

It seems some changes were introduced in Fedora 13 that broke nagios.

audit2allow suggests

#============= nagios_t ==============
files_read_usr_files(nagios_t)

seems reasonable:

time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.739:39): arch=c000003e syscall=4 success=yes exit=0 a0=2658a10 a1=7fffd5ad5590 a2=7fffd5ad5590 a3=20 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.739:40): arch=c000003e syscall=2 success=yes exit=128 a0=2658a70 a1=0 a2=1b6 a3=7f1b126c2770 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.740:41): arch=c000003e syscall=16 success=yes exit=128 a0=5 a1=5401 a2=7fffd5ad5300 a3=48 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----



#============= ping_t ==============
allow ping_t nagios_log_t:file { read write };

but I think some transition is missing for ping_t -> nagios_t here


time->Tue May 25 13:08:08 2010
type=SYSCALL msg=audit(1274807288.135:43): arch=c000003e syscall=59 success=yes exit=0 a0=1d50730 a1=1d50760 a2=7fffe1999de0 a3=7fffe1999b40 items=0 ppid=1647 id=1648 auid=0 uid=494 gid=488 euid=0 suid=0 fsuid=0 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 05-25-2010 06:10 PM

Fedora13 breaks nagios
 
On Tue, May 25, 2010 at 01:11:27PM -0400, Vadym Chepkov wrote:
> Hi,
>
> It seems some changes were introduced in Fedora 13 that broke nagios.
>
> audit2allow suggests
>
> #============= nagios_t ==============
> files_read_usr_files(nagios_t)
>
> seems reasonable:

yes

>
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.739:39): arch=c000003e syscall=4 success=yes exit=0 a0=2658a10 a1=7fffd5ad5590 a2=7fffd5ad5590 a3=20 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.739:40): arch=c000003e syscall=2 success=yes exit=128 a0=2658a70 a1=0 a2=1b6 a3=7f1b126c2770 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.740:41): arch=c000003e syscall=16 success=yes exit=128 a0=5 a1=5401 a2=7fffd5ad5300 a3=48 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
>
>
>
> #============= ping_t ==============
> allow ping_t nagios_log_t:file { read write };
>
> but I think some transition is missing for ping_t -> nagios_t here

Actually it's the other way around.

There is a domain transition for nagios_t to ping_t which probably should be removed:

netutils_domtrans_ping(nagios_t)

.. and be replaced by:

netutils_exec(nagios_t)

Could you please report a bug for this?

>
>
> time->Tue May 25 13:08:08 2010
> type=SYSCALL msg=audit(1274807288.135:43): arch=c000003e syscall=59 success=yes exit=0 a0=1d50730 a1=1d50760 a2=7fffe1999de0 a3=7fffe1999b40 items=0 ppid=1647 id=1648 auid=0 uid=494 gid=488 euid=0 suid=0 fsuid=0 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null)
> type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 05-25-2010 06:21 PM

Fedora13 breaks nagios
 
On Tue, May 25, 2010 at 01:11:27PM -0400, Vadym Chepkov wrote:
> Hi,
>
> It seems some changes were introduced in Fedora 13 that broke nagios.
>
> audit2allow suggests
>
> #============= nagios_t ==============
> files_read_usr_files(nagios_t)
>
> seems reasonable:
>
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.739:39): arch=c000003e syscall=4 success=yes exit=0 a0=2658a10 a1=7fffd5ad5590 a2=7fffd5ad5590 a3=20 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.739:40): arch=c000003e syscall=2 success=yes exit=128 a0=2658a70 a1=0 a2=1b6 a3=7f1b126c2770 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
> time->Tue May 25 13:07:49 2010
> type=SYSCALL msg=audit(1274807269.740:41): arch=c000003e syscall=16 success=yes exit=128 a0=5 a1=5401 a2=7fffd5ad5300 a3=48 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
> type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> ----
>
>
>
> #============= ping_t ==============
> allow ping_t nagios_log_t:file { read write };
>
> but I think some transition is missing for ping_t -> nagios_t here

Whoops
I meant netutils_exec_ping(nagios_t) in my previous reply.
>
>
> time->Tue May 25 13:08:08 2010
> type=SYSCALL msg=audit(1274807288.135:43): arch=c000003e syscall=59 success=yes exit=0 a0=1d50730 a1=1d50760 a2=7fffe1999de0 a3=7fffe1999b40 items=0 ppid=1647 id=1648 auid=0 uid=494 gid=488 euid=0 suid=0 fsuid=0 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null)
> type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Miroslav Grepl 05-26-2010 09:26 AM

Fedora13 breaks nagios
 
On 05/25/2010 08:10 PM, Dominick Grift wrote:
> On Tue, May 25, 2010 at 01:11:27PM -0400, Vadym Chepkov wrote:
>> Hi,
>>
>> It seems some changes were introduced in Fedora 13 that broke nagios.
>>
>> audit2allow suggests
>>
>> #============= nagios_t ==============
>> files_read_usr_files(nagios_t)
>>
>> seems reasonable:
>
> yes
>
>> time->Tue May 25 13:07:49 2010
>> type=SYSCALL msg=audit(1274807269.739:39): arch=c000003e syscall=4 success=yes exit=0 a0=2658a10 a1=7fffd5ad5590 a2=7fffd5ad5590 a3=20 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
>> type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>> ----
>> time->Tue May 25 13:07:49 2010
>> type=SYSCALL msg=audit(1274807269.739:40): arch=c000003e syscall=2 success=yes exit=128 a0=2658a70 a1=0 a2=1b6 a3=7f1b126c2770 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
>> type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>> type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>> ----
>> time->Tue May 25 13:07:49 2010
>> type=SYSCALL msg=audit(1274807269.740:41): arch=c000003e syscall=16 success=yes exit=128 a0=5 a1=5401 a2=7fffd5ad5300 a3=48 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
>> type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>> ----
>>
>> #============= ping_t ==============
>> allow ping_t nagios_log_t:file { read write };
>>
>> but I think some transition is missing for ping_t -> nagios_t here
>
> Actually it's the other way around.
>
> There is a domain transition for nagios_t to ping_t which probably should be removed:
>
> netutils_domtrans_ping(nagios_t)
>
> .. and be replaced by:
>
> netutils_exec(nagios_t)
>
> Could you please report a bug for this?

Actually this is a leaked descriptor. There is a domain transition for the
check_ping plugin, which runs in the nagios_services_plugin_t domain

netutils_domtrans_ping(nagios_services_plugin_t)

and I want to keep it. But we can remove

netutils_domtrans_ping(nagios_t)

and we will dontaudit

avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file

Regards,

Miroslav

>> time->Tue May 25 13:08:08 2010
>> type=SYSCALL msg=audit(1274807288.135:43): arch=c000003e syscall=59 success=yes exit=0 a0=1d50730 a1=1d50760 a2=7fffe1999de0 a3=7fffe1999b40 items=0 ppid=1647 id=1648 auid=0 uid=494 gid=488 euid=0 suid=0 fsuid=0 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null)
>> type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
>>
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
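The thread shows two denials that look alike in audit2allow output but need different responses: nagios_t genuinely lacking access to usr_t files (a missing allow rule), and ping_t touching a nagios_log_t spool file, which Miroslav identifies as a descriptor leaked across the nagios_t -> ping_t domain transition. The records themselves carry enough to tell the two apart. The following Python script is an added example, not code from the thread or from the Fedora SELinux policy: it parses the ausearch output quoted above (copied here as a constructed sample with the wrapped lines rejoined, field values left exactly as posted, including the mangled id= and in= names, which the parser does not use), merges the denials into audit2allow-style allow rules, and flags a denial attached to an execve() SYSCALL record as an inherited file descriptor being revalidated by the kernel rather than an access the new domain requested. The function names and the execve syscall-number table are this example's own.

```python
"""Sort SELinux denials into 'missing allow rule' versus 'file descriptor
leaked across a domain transition', using only what the audit records carry."""
import re
from collections import defaultdict

# Constructed sample: the ausearch output quoted in this thread, with the
# wrapped lines rejoined. Field values are left exactly as posted.
SAMPLE = """\
time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.739:39): arch=c000003e syscall=4 success=yes exit=0 a0=2658a10 a1=7fffd5ad5590 a2=7fffd5ad5590 a3=20 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.739:39): avc: denied { getattr } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.739:40): arch=c000003e syscall=2 success=yes exit=128 a0=2658a70 a1=0 a2=1b6 a3=7f1b126c2770 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.739:40): avc: denied { open } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274807269.739:40): avc: denied { read } for pid=1612 comm="nagios" name="strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Tue May 25 13:07:49 2010
type=SYSCALL msg=audit(1274807269.740:41): arch=c000003e syscall=16 success=yes exit=128 a0=5 a1=5401 a2=7fffd5ad5300 a3=48 items=0 ppid=1602 pid=1612 auid=0 uid=494 gid=488 euid=494 suid=494 fsuid=494 egid=488 sgid=488 fsgid=488 tty=hvc0 ses=1 comm="nagios" exe="/usr/sbin/nagios" subj=unconfined_u:system_r:nagios_t:s0 key=(null)
type=AVC msg=audit(1274807269.740:41): avc: denied { ioctl } for pid=1612 comm="nagios" path="/usr/share/perl5/strict.pm" dev=dm-4 ino=138658 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Tue May 25 13:08:08 2010
type=SYSCALL msg=audit(1274807288.135:43): arch=c000003e syscall=59 success=yes exit=0 a0=1d50730 a1=1d50760 a2=7fffe1999de0 a3=7fffe1999b40 items=0 ppid=1647 id=1648 auid=0 uid=494 gid=488 euid=0 suid=0 fsuid=0 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1274807288.135:43): avc: denied { read write } for pid=1648 comm="ping" path="/var/log/nagios/spool/checkresults/checkhvg3ZF" dev=dm-2 in=3824 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:nagios_log_t:s0 tclass=file
"""

EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")        # serial = event id
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")  # { read write }
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value pairs
# execve() number per audit arch value; only the two this example needs.
EXECVE_BY_ARCH = {"c000003e": "59", "40000003": "11"}        # x86_64, i386


def ctx_type(ctx):
    """Type field of a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_events(text):
    """Group SYSCALL and AVC records by audit event id (the serial in msg=)."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # 'time->' headers and '----' separators carry no fields
        eid = int(m.group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[eid]["syscall"] = fields
        elif fields.get("type") == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
            events[eid]["avcs"].append(fields)
    return dict(events)


def summarize_denials(events):
    """Merge denied permissions per (source type, target type, class), the way
    audit2allow does before printing allow rules."""
    rules = defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            key = (ctx_type(avc["scontext"]), ctx_type(avc["tcontext"]), avc["tclass"])
            rules[key].update(avc["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def format_allow_rules(rules):
    return [f"allow {s} {t}:{cls} {{ {' '.join(perms)} }};"
            for (s, t, cls), perms in sorted(rules.items())]


def find_fd_leaks(events):
    """A denial whose SYSCALL record is execve(), on an object the kernel already
    knows by path, is not the new domain asking to open anything: it is the
    kernel revalidating descriptors inherited across the domain transition
    (the parent opened the file, the child domain may not hold it)."""
    leaks = []
    for eid in sorted(events):
        sc = events[eid]["syscall"]
        if not sc or EXECVE_BY_ARCH.get(sc.get("arch")) != sc.get("syscall"):
            continue
        for avc in events[eid]["avcs"]:
            if "path" in avc:
                leaks.append({"event": eid, "exe": sc.get("exe"), "path": avc["path"],
                              "new_domain": ctx_type(avc["scontext"]),
                              "target_type": ctx_type(avc["tcontext"]),
                              "perms": avc["perms"]})
    return leaks


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("\n".join(format_allow_rules(summarize_denials(evs))))
    for leak in find_fd_leaks(evs):
        print(f"event {leak['event']}: {leak['exe']} entered {leak['new_domain']} holding "
              f"{leak['path']} ({leak['target_type']}) -> inherited descriptor, not a missing rule")
```

The tell is the SYSCALL record, not the AVC line. A denial logged against an ordinary stat(), open() or ioctl() (events 39 to 41) is the domain genuinely lacking access, and audit2allow's `files_read_usr_files(nagios_t)` is the right answer. A denial attached to execve() on a file that already has a path= (event 43) is the kernel re-checking the descriptors nagios_t left open across the transition into ping_t; ping never asked for that spool file, so an allow rule would grant ping_t access it has no business having. That is why the response in the thread is a dontaudit, and why the application-side fix, where the code can be changed, is for the parent to open its spool files with O_CLOEXEC so nothing is inherited in the first place.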

