I'm trying to debug a Nagios plugin that isn't playing nicely with
SELinux. It executes a system binary to get statistics about DHCP pool
usage, and obviously SELinux stamps on that access and the plugin only
returns partial data.
In Permissive mode the plugin works, in Enforcing it doesn't. But in
neither mode are there any debug messages in audit.log.
[jg4461@dhcp1 ~]$ sudo setenforce 0
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
Anyone have any idea how I can see the deny messages and make a policy
from them?
Cheers,
Jonathan
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
05-15-2012, 12:09 PM
Dominick Grift
No audit lines produced
Run semodule -DB to build a policy database without the dontaudit rules.
Run semodule -B to build a policy database (with the dontaudit rules
included)
On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> I'm trying to debug a Nagios plugin that isn't playing nicely with
> SELinux. It executes a system binary to get statistics about DHCP pool
> usage, and obviously SELinux stamps on that access and the plugin only
> returns partial data.
>
> In Permissive mode the plugin works, in Enforcing it doesn't. But in
> neither mode are there any debug messages in audit.log.
>
> [jg4461@dhcp1 ~]$ sudo setenforce 0
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> check_dhcpd_pools
> OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
> rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
> rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
> rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
> rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
> rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
> rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
>
> [jg4461@dhcp1 ~]$ sudo setenforce 1
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> check_dhcpd_pools
> OK - all pools less than 80% full |
>
> Regardless of the SELinux mode, the same 3 log lines are printed in
> audit.log:
>
> type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
> cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
> type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=? res=success'
> type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
> auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
> addr=? terminal=? res=success'
>
>
> Anyone have any idea how I can see the deny messages and make a policy
> from them?
>
> Cheers,
> Jonathan
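The procedure from the reply above, as an added example that is not part of the original thread: rebuild the policy without dontaudit rules, reproduce the failure, then reduce the AVC denials logged for `nrpe_t` to allow-rule candidates for review. The function names, the AVC records and the names `pool_stats`, `example_lease_t` and `example_other_t` are assumptions; the thread never shows the actual denials.

```sh
#!/bin/sh
# Added example. The first record is shortened from the thread; the AVC records
# are constructed (pool_stats, example_lease_t, example_other_t are hypothetical).
sample_audit() {
cat <<'EOF'
type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 subj=unconfined_u:system_r:nrpe_t:s0 msg='cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" res=success'
type=AVC msg=audit(1337080000.101:300001): avc:  denied  { read } for  pid=2001 comm="pool_stats" name="leases" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:example_lease_t:s0 tclass=file
type=AVC msg=audit(1337080000.102:300002): avc:  denied  { read open } for  pid=2001 comm="pool_stats" name="leases" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:example_lease_t:s0 tclass=file
type=AVC msg=audit(1337080000.103:300003): avc:  denied  { search } for  pid=2001 comm="pool_stats" name="dhcpd" dev=dm-0 ino=1000 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:example_lease_t:s0 tclass=dir
type=AVC msg=audit(1337080000.104:300004): avc:  denied  { getattr } for  pid=2100 comm="other" path="/x" dev=dm-0 ino=1 scontext=system_u:system_r:example_other_t:s0 tcontext=system_u:object_r:example_lease_t:s0 tclass=file
EOF
}

# Reduce AVC denials for one source domain ($1) to merged allow-rule candidates.
# Non-AVC records (USER_CMD, CRED_ACQ, ...) and other domains are skipped.
avc_to_allow() {
    awk -v dom="$1" '
    $1 == "type=AVC" && /denied/ {
        perms = ""; s = ""; t = ""; c = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perms = perms " " $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }  # type field
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s != dom) next
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) printf "allow %s {%s };\n", k, set[k] }
    ' | sort
}

# The procedure from the reply. Not called here: it needs root and SELinux.
capture_nrpe_denials() {
    sudo semodule -DB    # rebuild the policy with dontaudit rules disabled
    /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
    sudo ausearch -m avc -ts recent | avc_to_allow nrpe_t   # review candidates
    sudo semodule -B     # rebuild with the dontaudit rules restored
}

sample_audit | avc_to_allow nrpe_t
```

To build a loadable module instead of reading the candidates by eye, the same `ausearch` output can be piped to `audit2allow -M <name>` and installed with `semodule -i <name>.pp`.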
05-16-2012, 04:38 PM
Miroslav Grepl
No audit lines produced
On 05/15/2012 12:09 PM, Dominick Grift wrote:
> Run semodule -DB to build a policy database without the dontaudit rules.
> Run semodule -B to build a policy database (with the dontaudit rules
> included)
> On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> > I'm trying to debug a Nagios plugin that isn't playing nicely with
> > SELinux. It executes a system binary to get statistics about DHCP pool
> > usage, and obviously SELinux stamps on that access and the plugin only
> > returns partial data.
> > In Permissive mode the plugin works, in Enforcing it doesn't. But in
> > neither mode are there any debug messages in audit.log.
> > [jg4461@dhcp1 ~]$ sudo setenforce 0
> > [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> > check_dhcpd_pools
> > OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
> > rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
> > rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
> > rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
> > rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
> > rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
> > rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
> > [jg4461@dhcp1 ~]$ sudo setenforce 1
> > [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> > check_dhcpd_pools
> > OK - all pools less than 80% full |
> > Regardless of the SELinux mode, the same 3 log lines are printed in
> > audit.log: