View Issue Details

ID: 0006731
Project: CentOS-6
Category: selinux-policy
View Status: public
Last Update: 2013-11-11 17:03
Reporter: learath
Assigned To:
Status: assigned
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 6.4
Product Version: 6.4
Summary: 0006731: selinux breaks check_mrtgtraf nagios plugin
Description: nagios-plugins-mrtgtraf-1.4.16-10.el6.x86_64 is unable to access mrtg logfiles required to function.
Steps To Reproduce:
Enable selinux with default policy
Install MRTG and monitor one or more devices
Install Nagios and nagios-plugins-mrtgtraf
Define a service in Nagios to monitor an MRTG graph similar to:
define service{
        use generic-service ; Inherit values from a template
        host_name router
        service_description Port 2 Bandwidth Usage
        check_command check_local_mrtgtraf!/var/lib/mrtg/my_router.log!AVG!1000000,1000000!5000000,5000000!10
}
Additional Information: This SELinux policy will correct the issue:
# The module name and version below are placeholders; the report omits this line.
module local_nagios_mrtgtraf 1.0;

require {
        type nagios_system_plugin_t;
        type nagios_t;
        type mrtg_var_lib_t;
        type nagios_log_t;
        type var_lib_t;
        class process { siginh noatsecure rlimitinh };
        class file { write read getattr open };
        class dir search;
}

#============= nagios_system_plugin_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_system_plugin_t mrtg_var_lib_t:file { read getattr open };
allow nagios_system_plugin_t mrtg_var_lib_t:dir search;
#allow nagios_system_plugin_t nagios_log_t:file write;
allow nagios_system_plugin_t var_lib_t:dir search;

#============= nagios_t ==============
#allow nagios_t nagios_system_plugin_t:process { siginh rlimitinh noatsecure };
Tags: No tags attached.
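
An added example, not part of the original report: a minimal audit2allow-style pass over constructed AVC denials, showing how the active allow rules in the policy above follow from what check_mrtgtraf was denied, and how a reviewer can withhold a grant (here the nagios_log_t write that the reporter left commented out). The log lines, the `_avc` helper and the `exclude` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict

def _avc(perms, name, ttype, tclass):
    return (f'type=AVC msg=audit(1384117200.000:1): avc:  denied  {{ {perms} }} for  '
            f'pid=4321 comm="check_mrtgtraf" name="{name}" '
            f'scontext=system_u:system_r:nagios_system_plugin_t:s0 '
            f'tcontext=system_u:object_r:{ttype}:s0 tclass={tclass}')

# Constructed audit.log sample (not from the report): the accesses needed to read
# the MRTG log, one duplicate, one log write, and a non-AVC record to be ignored.
SAMPLE_AUDIT_LOG = "\n".join([
    _avc("search", "lib", "var_lib_t", "dir"),
    _avc("search", "mrtg", "mrtg_var_lib_t", "dir"),
    _avc("read open", "my_router.log", "mrtg_var_lib_t", "file"),
    _avc("getattr", "my_router.log", "mrtg_var_lib_t", "file"),
    _avc("search", "mrtg", "mrtg_var_lib_t", "dir"),
    _avc("write", "nagios.log", "nagios_log_t", "file"),
    "type=SYSCALL msg=audit(1384117200.000:1): arch=c000003e syscall=2 success=no",
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def selinux_type(context):
    # user:role:type:level -> type (the level may contain further colons)
    return context.split(":")[2]

def denials_to_rules(log_text, exclude=frozenset()):
    """Merge AVC denials into allow rules, skipping (target_type, class) pairs in exclude."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        tgt, tclass = selinux_type(m["tcon"]), m["tclass"]
        if (tgt, tclass) in exclude:
            continue  # reviewer decided this access should stay denied
        perms[(selinux_type(m["scon"]), tgt, tclass)].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), granted in sorted(perms.items()):
        body = " ".join(sorted(granted))
        if len(granted) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG, exclude={("nagios_log_t", "file")})))
```

With the nagios_log_t write excluded, the output is the same three rules the report leaves uncommented; without the exclusion a fourth rule appears that the reviewer must decide on.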




2013-11-11 16:32

manager   ~0018327

Could you please check from which repo you pull the nagios RPMs? I'm assuming EPEL or repoforge.


2013-11-11 16:33

reporter   ~0018328

yum info nagios-plugins-mrtgtraf
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Installed Packages
Name : nagios-plugins-mrtgtraf
Arch : x86_64
Version : 1.4.16
Release : 10.el6
Size : 39 k
Repo : installed
From repo : epel
Summary : Nagios Plugin - check_mrtgtraf
License : GPLv2+
Description : Provides check_mrtgtraf support for Nagios.


2013-11-11 16:47

manager   ~0018329

Those nagios packages are not provided by CentOS. The EPEL support venues would be better suited for this issue.


2013-11-11 16:55

reporter   ~0018330

The bug is in
Available Packages
Name : selinux-policy-targeted
Arch : noarch
Version : 3.7.19
Release : 195.el6_4.18
Size : 2.8 M
Repo : updates
Summary : SELinux targeted base policy
License : GPLv2+
Description : SELinux Reference policy targeted base module.

which provides an incomplete nagios.pp.


2013-11-11 17:03

manager   ~0018331

Please feel free to post this upstream at their bugzilla at No, you don't need an active subscription to do that. Once it gets fixed upstream, CentOS will inherit the fix.

Issue History

Date Modified Username Field Change
2013-11-10 21:00 learath New Issue
2013-11-11 16:32 tigalch Note Added: 0018327
2013-11-11 16:33 learath Note Added: 0018328
2013-11-11 16:47 tigalch Note Added: 0018329
2013-11-11 16:47 tigalch Status new => feedback
2013-11-11 16:55 learath Note Added: 0018330
2013-11-11 16:55 learath Status feedback => assigned
2013-11-11 17:03 tigalch Note Added: 0018331