View Issue Details

ID: 0006731
Project: CentOS-6
Category: selinux-policy
View Status: public
Last Update: 2013-11-11 17:03
Reporter: learath
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 6.4
Product Version: 6.4
Target Version:
Fixed in Version:
Summary: 0006731: selinux breaks check_mrtgtraf nagios plugin

Description:
nagios-plugins-mrtgtraf-1.4.16-10.el6.x86_64 is unable to access mrtg logfiles required to function.

Steps To Reproduce:
Enable selinux with default policy
Install MRTG and monitor one or more devices
Install Nagios and nagios-plugins-mrtgtraf
Define a service in Nagios to monitor an MRTG graph similar to:
define service{
        use generic-service ; Inherit values from a template
        host_name router
        service_description Port 2 Bandwidth Usage
        check_command check_local_mrtgtraf!/var/lib/mrtg/my_router.log!AVG!1000000,1000000!5000000,5000000!10
        }

Additional Information:
This SELinux policy will correct the issue:
require {
        type nagios_system_plugin_t;
        type nagios_t;
        type mrtg_var_lib_t;
        type nagios_log_t;
        type var_lib_t;
        class process { siginh noatsecure rlimitinh };
        class file { write read getattr open };
        class dir search;
}

#============= nagios_system_plugin_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_system_plugin_t mrtg_var_lib_t:file { read getattr open };
allow nagios_system_plugin_t mrtg_var_lib_t:dir search;
#allow nagios_system_plugin_t nagios_log_t:file write;
allow nagios_system_plugin_t var_lib_t:dir search;

#============= nagios_t ==============
#allow nagios_t nagios_system_plugin_t:process { siginh rlimitinh noatsecure };

Tags: No tags attached.
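
How allow rules like the ones in the report can be derived from AVC denials, as an added example (not part of the original report and not audit2allow's own code). The audit.log lines are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not taken from the report) covering the
# denials that the reporter's allow rules address, plus unrelated noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384116000.101:501): avc:  denied  { search } for  pid=2101 comm="check_mrtgtraf" name="lib" dev=dm-0 ino=131 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1384116000.102:502): avc:  denied  { search } for  pid=2101 comm="check_mrtgtraf" name="mrtg" dev=dm-0 ino=977 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:mrtg_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1384116000.103:503): avc:  denied  { getattr } for  pid=2101 comm="check_mrtgtraf" path="/var/lib/mrtg/my_router.log" dev=dm-0 ino=978 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:mrtg_var_lib_t:s0 tclass=file
type=AVC msg=audit(1384116000.104:504): avc:  denied  { read open } for  pid=2101 comm="check_mrtgtraf" path="/var/lib/mrtg/my_router.log" dev=dm-0 ino=978 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:mrtg_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1384116000.104:504): arch=c000003e syscall=2 success=no exit=-13 comm="check_mrtgtraf"
type=AVC msg=audit(1384116000.200:510): avc:  denied  { read } for  pid=3000 comm="httpd" name="my_router.log" dev=dm-0 ino=978 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mrtg_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records and "granted" records are ignored
        perms, scon, tcon, tclass = m.groups()
        denials[(selinux_type(scon), selinux_type(tcon), tclass)].update(perms.split())
    return dict(denials)

def allow_rules(denials, source_type):
    """Render allow statements for one source domain, in stable order."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        if src != source_type:
            continue  # keep the module scoped to the domain under review
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AUDIT_LOG), "nagios_system_plugin_t")))
```

In enforcing mode the first denial aborts the access, so later denials in the same chain only appear in permissive mode or after each rule has been added.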

Activities

tigalch (manager)  2013-11-11 16:32  ~0018327

Could you please check from which repo you pull the nagios RPMs? I'm assuming EPEL or repoforge.

learath (reporter)  2013-11-11 16:33  ~0018328

yum info nagios-plugins-mrtgtraf
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.ash.fastserv.com
 * epel: mirror.symnds.com
 * extras: centos.aol.com
 * updates: centos.mirror.nac.net
Installed Packages
Name : nagios-plugins-mrtgtraf
Arch : x86_64
Version : 1.4.16
Release : 10.el6
Size : 39 k
Repo : installed
From repo : epel
Summary : Nagios Plugin - check_mrtgtraf
URL : http://nagiosplug.sourceforge.net/
License : GPLv2+
Description : Provides check_mrtgtraf support for Nagios.

tigalch (manager)  2013-11-11 16:47  ~0018329

Those nagios packages are not provided by CentOS. The EPEL support venues would be better suited for this issue.

learath (reporter)  2013-11-11 16:55  ~0018330

The bug is in
Available Packages
Name : selinux-policy-targeted
Arch : noarch
Version : 3.7.19
Release : 195.el6_4.18
Size : 2.8 M
Repo : updates
Summary : SELinux targeted base policy
URL : http://oss.tresys.com/repos/refpolicy/
License : GPLv2+
Description : SELinux Reference policy targeted base module.

which provides an incomplete nagios.pp.

tigalch (manager)  2013-11-11 17:03  ~0018331

Please feel free to post this upstream at their bugzilla at https://bugzilla.redhat.com. No, you don't need an active subscription to do that. Once it gets fixed upstream, CentOS will inherit the fix.

Issue History

Date Modified Username Field Change
2013-11-10 21:00 learath New Issue
2013-11-11 16:32 tigalch Note Added: 0018327
2013-11-11 16:33 learath Note Added: 0018328
2013-11-11 16:47 tigalch Note Added: 0018329
2013-11-11 16:47 tigalch Status new => feedback
2013-11-11 16:55 learath Note Added: 0018330
2013-11-11 16:55 learath Status feedback => assigned
2013-11-11 17:03 tigalch Note Added: 0018331