Old 01-17-2012, 02:00 PM
Jonathan Gazeley
 
Default Problems auditing yum behaviour

Hi list,

We recently migrated all our servers from CentOS 5 to 6 and in the
process we decided to default to keeping SELinux on, and learning how to
configure it properly.


So far we've had good success with setting booleans and writing custom
policies, except for one Nagios plugin that checks yum status[1]. On my
boxes, the check_yum plugin is executed under NRPE as a non-privileged
user. This works fine with SELinux in permissive mode.


I've checked the audit log and this message is produced every time the
plugin tries to run:


type=AVC msg=audit(1326802289.462:4127902): avc: denied { read write }
for pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2
success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277
pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python"
subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)


Running this through audit2allow produces this output:

#============= nagios_services_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t rpm_var_lib_t:file { read write };

It says the AVC is already allowed, but to make sure I packaged it and
loaded the new module. But, the AVC is still blocked and the plugin
can't run.


I've tried running semodule -DB to force dontaudit entries to be logged
to make sure I haven't missed anything that was being blocked silently.


Am I missing something else, or is something wrong?

Thanks,
Jonathan

[1]
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
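An added example (not from the thread) in Python: it parses the AVC and SYSCALL records quoted above, pairs them by audit serial, rebuilds the allow rule that audit2allow printed, and records whether the open() was actually refused (success=no with exit=-13, EACCES) and whether the two contexts differ in their MLS/MCS range, which is the first thing to check when audit2allow says the access is already allowed. The log text is embedded as constructed sample input, with the context strings mangled by the archive extraction repaired.

```python
import re

# Constructed sample input: the AVC/SYSCALL pair from the post above, one record per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1326802289.462:4127902): avc: denied { read write } for pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0 ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def kv(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}

def parse_records(text):
    """Group records by audit serial so an AVC and the SYSCALL that triggered it stay together."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"timestamp": ts, "avc": []})
        if rtype == "AVC":
            a = AVC.search(body)
            if a:
                ev["avc"].append(dict(kv(a.group(3)), result=a.group(1), perms=a.group(2).split()))
        else:
            ev[rtype.lower()] = kv(body)
    return events

def type_of(ctx):
    return ctx.split(":")[2]          # user:role:TYPE:range

def allow_rule(avc):
    """Render the rule audit2allow derives from one AVC (same shape as the post's output)."""
    return "allow %s %s:%s { %s };" % (type_of(avc["scontext"]), type_of(avc["tcontext"]),
                                       avc["tclass"], " ".join(avc["perms"]))

def triage(events):
    """One summary row per denial: the candidate rule plus the facts needed to judge it."""
    rows = []
    for serial, ev in sorted(events.items()):
        sc = ev.get("syscall", {})
        for avc in ev["avc"]:
            rows.append({
                "serial": serial,
                "rule": allow_rule(avc),
                # success=no with exit=-13 (EACCES): the kernel really refused the call;
                # in permissive mode the same AVC is logged but the SYSCALL shows success=yes
                "enforced": sc.get("success") == "no" and sc.get("exit") == "-13",
                "exe": sc.get("exe"),
                # differing MLS/MCS ranges are the classic case where a matching allow rule
                # exists yet access is still denied; audit2why reports that as a constraint
                "range_mismatch": avc["scontext"].split(":")[3:] != avc["tcontext"].split(":")[3:],
            })
    return rows
```

With the post's records the rule matches audit2allow's output exactly, the denial is a real enforcing-mode refusal, and both contexts sit at s0, so the range check does not explain it either; that is the point at which audit2why's output is the next thing to look at.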
 
Old 01-17-2012, 03:23 PM
Daniel J Walsh
 
Default Problems auditing yum behaviour


On 01/17/2012 10:00 AM, Jonathan Gazeley wrote:
> Hi list,
>
> We recently migrated all our servers from CentOS 5 to 6 and in the
> process we decided to default to keeping SELinux on, and learning
> how to configure it properly.
>
> So far we've had good success with setting booleans and writing
> custom policies, except for one Nagios plugin that checks yum
> status[1]. On my boxes, the check_yum plugin is executed under NRPE
> as a non-privileged user. This works fine with SELinux in
> permissive mode.
>
> I've checked the audit log and this message is produced every time
> the plugin tries to run:
>
> type=AVC msg=audit(1326802289.462:4127902): avc: denied { read
> write } for pid=3278 comm="yum" name="__db.001" dev=sda3
> ino=8128221
> scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e
> syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0
> ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum"
> exe="/usr/bin/python"
> subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)
>
> Running this through audit2allow produces this output:
>
> #============= nagios_services_plugin_t ==============
> #!!!! This avc is allowed in the current policy
> allow nagios_services_plugin_t rpm_var_lib_t:file { read write };
>
> It says the AVC is already allowed, but to make sure I packaged it
> and loaded the new module. But, the AVC is still blocked and the
> plugin can't run.
>
> I've tried running semodule -DB to force dontaudit entries to be
> logged to make sure I haven't missed anything that was being
> blocked silently.
>
> Am I missing something else, or is something wrong?
>
> Thanks, Jonathan
>
> [1]
> http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details
>
>
>
Does audit2why say anything?
 
Old 01-17-2012, 05:04 PM
Miroslav Grepl
 
Default Problems auditing yum behaviour

On 01/17/2012 03:00 PM, Jonathan Gazeley wrote:

Hi list,

We recently migrated all our servers from CentOS 5 to 6 and in the
process we decided to default to keeping SELinux on, and learning how
to configure it properly.


So far we've had good success with setting booleans and writing custom
policies, except for one Nagios plugin that checks yum status[1]. On
my boxes, the check_yum plugin is executed under NRPE as a
non-privileged user. This works fine with SELinux in permissive mode.


I've checked the audit log and this message is produced every time the
plugin tries to run:


type=AVC msg=audit(1326802289.462:4127902): avc: denied { read write
} for pid=3278 comm="yum" name="__db.001" dev=sda3 ino=8128221
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326802289.462:4127902): arch=c000003e
syscall=2 success=no exit=-13 a0=1e85440 a1=2 a2=0 a3=16 items=0
ppid=3277 pid=3278 auid=56933 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=87175 comm="yum" exe="/usr/bin/python"
subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)


Running this through audit2allow produces this output:

#============= nagios_services_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t rpm_var_lib_t:file { read write };

It says the AVC is already allowed, but to make sure I packaged it and
loaded the new module. But, the AVC is still blocked and the plugin
can't run.


I've tried running semodule -DB to force dontaudit entries to be
logged to make sure I haven't missed anything that was being blocked
silently.


Am I missing something else, or is something wrong?

Thanks,
Jonathan

[1]
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Check_Yum/details


I guess it works in permissive mode, right?

Could you try these steps:

# semodule -d your_local_policy
# semanage permissive -a nagios_services_plugin_t
# setenforce 1
# semodule -DB

and see if this works. If so, could you send me your compressed
/var/log/audit/audit.log?



Regards,
Miroslav




 
