0006731: selinux breaks check_mrtgtraf nagios plugin - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0006731	CentOS-6	selinux-policy	public	2013-11-10 21:00	2013-11-11 17:03

Reporter	learath	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	assigned	Resolution	open
Platform	x86_64	OS	CentOS	OS Version	6.4
Product Version	6.4

Summary	0006731: selinux breaks check_mrtgtraf nagios plugin
Description	nagios-plugins-mrtgtraf-1.4.16-10.el6.x86_64 is unable to access mrtg logfiles required to function.
Steps To Reproduce	Enable selinux with default policy Install MRTG and monitor one or more devices Install Nagios and nagios-plugins-mrtgtraf Define a service in Nagios to monitor an MRTG graph similar to: define service{ use generic-service ; Inherit values from a template host_name router service_description Port 2 Bandwidth Usage check_command check_local_mrtgtraf!/var/lib/mrtg/my_router.log!AVG!1000000,1000000!5000000,5000000!10 }
Additional Information	This SELinux policy will correct the issue: require { type nagios_system_plugin_t; type nagios_t; type mrtg_var_lib_t; type nagios_log_t; type var_lib_t; class process { siginh noatsecure rlimitinh }; class file { write read getattr open }; class dir search; } #============= nagios_system_plugin_t ============== #!!!! This avc is allowed in the current policy allow nagios_system_plugin_t mrtg_var_lib_t:file { read getattr open }; allow nagios_system_plugin_t mrtg_var_lib_t:dir search; #allow nagios_system_plugin_t nagios_log_t:file write; allow nagios_system_plugin_t var_lib_t:dir search; #============= nagios_t ============== #allow nagios_t nagios_system_plugin_t:process { siginh rlimitinh noatsecure };
Tags	No tags attached.

tigalch 2013-11-11 16:32 manager ~0018327	Could you please check from which repo you pull the nagios RPMs? I'm assuming EPEL or repoforge.

learath 2013-11-11 16:33 reporter ~0018328	yum info nagios-plugins-mrtgtraf Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.ash.fastserv.com * epel: mirror.symnds.com * extras: centos.aol.com * updates: centos.mirror.nac.net Installed Packages Name : nagios-plugins-mrtgtraf Arch : x86_64 Version : 1.4.16 Release : 10.el6 Size : 39 k Repo : installed From repo : epel Summary : Nagios Plugin - check_mrtgtraf URL : http://nagiosplug.sourceforge.net/ License : GPLv2+ Description : Provides check_mrtgtraf support for Nagios.

tigalch 2013-11-11 16:47 manager ~0018329	That nagios-packages are not provided by CentOS. The EPEL support venues would be better suited for this issue.

learath 2013-11-11 16:55 reporter ~0018330	The bug is in Available Packages Name : selinux-policy-targeted Arch : noarch Version : 3.7.19 Release : 195.el6_4.18 Size : 2.8 M Repo : updates Summary : SELinux targeted base policy URL : http://oss.tresys.com/repos/refpolicy/ License : GPLv2+ Description : SELinux Reference policy targeted base module. which provides an incomplete nagios.pp.

tigalch 2013-11-11 17:03 manager ~0018331	Please feel free to post this upstream at there bugzilla at https://bugzilla.redhat.com. No, you don't need an active subscription to do that. Once it gets fixed upstream, CentOS will inherit the fix.

Date Modified	Username	Field	Change
2013-11-10 21:00	learath	New Issue
2013-11-11 16:32	tigalch	Note Added: 0018327
2013-11-11 16:33	learath	Note Added: 0018328
2013-11-11 16:47	tigalch	Note Added: 0018329
2013-11-11 16:47	tigalch	Status	new => feedback
2013-11-11 16:55	learath	Note Added: 0018330
2013-11-11 16:55	learath	Status	feedback => assigned
2013-11-11 17:03	tigalch	Note Added: 0018331