05-15-2012, 10:37 AM
Jonathan Gazeley

No audit lines produced

I'm trying to debug a Nagios plugin that isn't playing nicely with
SELinux. It executes a system binary to get statistics about DHCP pool
usage, and obviously SELinux stamps on that access and the plugin only
returns partial data.


In Permissive mode the plugin works, in Enforcing it doesn't. But in
neither mode are there any debug messages in audit.log.


[jg4461@dhcp1 ~]$ sudo setenforce 0
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90


[jg4461@dhcp1 ~]$ sudo setenforce 1
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
OK - all pools less than 80% full |

Regardless of the SELinux mode, the same 3 log lines are printed in
audit.log:


type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'



Anyone have any idea how I can see the deny messages and make a policy
from them?


Cheers,
Jonathan
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
05-15-2012, 12:09 PM
Dominick Grift

No audit lines produced

Run semodule -DB to build a policy database without the dontaudit rules.
Run semodule -B to build a policy database (with the dontaudit rules
included)

 
05-16-2012, 04:38 PM
Miroslav Grepl

No audit lines produced

On 05/15/2012 12:09 PM, Dominick Grift wrote:

> Run semodule -DB to build a policy database without the dontaudit rules.
> Run semodule -B to build a policy database (with the dontaudit rules
> included)


So execute

# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B


Also we will need to add labeling for the check_dhcpd_pools plugin.

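
An added example, not part of the original posts: once `semodule -DB` has disabled the dontaudit rules, `ausearch -m avc` also returns previously hidden denials from unrelated domains, so this shell function keeps only records whose source type matches (here `nrpe_t`, the `subj` type in the audit records quoted in the thread) and groups them into candidate allow rules for review. The sample AVC records, their target types and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise AVC denials for one source domain as candidate rules.
# Constructed sample records; target types, inodes and comm values are assumptions.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1337077900.101:273700): avc:  denied  { read } for  pid=1601 comm="check_dhcpd_poo" name="dhcpd.leases" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1337077900.101:273701): avc:  denied  { open } for  pid=1601 comm="check_dhcpd_poo" name="dhcpd.leases" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1337077900.102:273702): avc:  denied  { search } for  pid=1601 comm="check_dhcpd_poo" name="dhcpd" dev=dm-0 ino=1300 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=dir
type=AVC msg=audit(1337077901.500:273710): avc:  denied  { rlimitinh siginh noatsecure } for  pid=1700 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
EOF
}

# Read audit records on stdin; print one allow rule per (target type, class)
# for denials whose source type equals $1. Non-AVC records are ignored.
avc_rules_for_domain() {
    LC_ALL=C awk -v dom="$1" '
    /type=AVC/ && /denied/ {
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom) next          # drop noise from other domains
        inperm = 0                    # permissions sit between "{" and "}"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") break
            if (inperm) print tgt, cls, $i
        }
    }' | LC_ALL=C sort -u | awk -v dom="$1" '
    function emit() { if (key != "") print "allow " dom " " key " { " perms " };" }
    {
        k = $1 ":" $2
        if (k != key) { emit(); key = k; perms = $3 }
        else perms = perms " " $3
    }
    END { emit() }'
}

# Demo on the constructed records: only the nrpe_t denials are reported.
sample_avc | avc_rules_for_domain nrpe_t
```

On a live system the input would come from `ausearch -m avc -ts recent | avc_rules_for_domain nrpe_t`, run between the `semodule -DB` and `semodule -B` steps.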
 
