Nagios 3.2.0 CentOS 5.4
With SELinux enabled, SELinux keeps logging this warning:
tail /var/log/messages
Mar 9 23:58:53 wingwu setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t). For complete SELinux messages. run sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951
Look at the alert:
[root@wingwu ~]# sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951
Summary:
SELinux is preventing ping (ping_t) "read write" to
/usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t).
Detailed Description:
SELinux denied access requested by ping. It is not expected that this access is
required by ping and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/local/nagios/var/spool/checkresults/checkkbOyGH,
restorecon -v '/usr/local/nagios/var/spool/checkresults/checkkbOyGH'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:ping_t
Target Context system_u:object_r:usr_t
Target Objects /usr/local/nagios/var/spool/checkresults/checkkbOyGH [ file ]
Source ping
Source Path /bin/ping
Port <Unknown>
Host wingwu
Source RPM Packages iputils-20020927-46.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name wingwu
Platform Linux wingwu 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686
Alert Count 1
First Seen Tue Mar 9 23:58:53 2010
Last Seen Tue Mar 9 23:58:53 2010
Local ID 19c87c57-986e-45e8-a573-cbb30aba0951
Line Numbers
Raw Audit Messages
host=wingwu type=AVC msg=audit(1268150333.223:229): avc: denied { read write } for pid=8372 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkkbOyGH" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=wingwu type=SYSCALL msg=audit(1268150333.223:229): arch=40000003 syscall=11 success=yes exit=0 a0=9343aa8 a1=9343b40 a2=bfd4dc74 a3=9343b40 items=0 ppid=8371 pid=8372 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
What is going on: Nagios opens the temporary check-result file under /usr/local/nagios/var/spool/checkresults before it runs the plugin, so when check_ping executes /bin/ping the child still holds that open descriptor. /bin/ping transitions into the ping_t domain on execve (syscall=11 in the SYSCALL record), and SELinux re-checks every inherited descriptor against the new domain. /usr/local/nagios has no file context of its own, so the spool file is labelled usr_t, and the targeted policy does not allow ping_t to read or write usr_t files: hence the denial, even though the execve itself succeeded (the kernel just revokes that descriptor).
Solution:
1. Use audit2allow to create a matching SELinux rule.
Save the two lines from Raw Audit Messages into a text file:
[root@wingwu ~]# cat /tmp/tmp-nagiosping
host=wingwu type=AVC msg=audit(1268150163.171:228): avc: denied { read write } for pid=8345 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkQKStFR" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=wingwu type=SYSCALL msg=audit(1268150163.171:228): arch=40000003 syscall=11 success=yes exit=0 a0=8d9eaa8 a1=8d9eb40 a2=bf9465e4 a3=8d9eb40 items=0 ppid=8344 pid=8345 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
Then build the .pp policy package from it and load it; after that the warning no longer appears. audit2allow -M writes NagiosPing.te and NagiosPing.pp in the current directory, and semodule -i loads the module persistently. Read NagiosPing.te before loading it: the rule it contains is simply allow ping_t usr_t:file { read write };, which lets ping read and write every usr_t file on the system, not just the Nagios spool. It silences the alert, but it is a blanket grant; solution 2 is the tighter fix.
[root@wingwu ~]# audit2allow -M NagiosPing < /tmp/tmp-nagiosping
[root@wingwu ~]# semodule -i NagiosPing.pp
2. Give the Nagios var tree its own SELinux context.
Rather than widening what ping_t may do with usr_t, declare a new file type nagios_var_t, label /usr/local/nagios/var with it, and allow only the Nagios-related domains (nagios_t, the CGI domains, ping_t) the access they need to that type. The two files of the module follow.
nagios-local.te
policy_module(nagios-local,1.5.0)
require {
    class fifo_file read;
    class fifo_file getattr;
    class fifo_file write;
    class file {create relabelto getattr};
    class lnk_file {read};
    class process { sigkill signal };
    class udp_socket node_bind;
    type restorecon_t;
    type httpd_t;
    type httpd_sys_content_t;
    type httpd_nagios_script_exec_t;
    type httpd_nagios_script_t;
    type nagios_cgi_t;
    type nagios_t;
    type nagios_etc_t;
    type ping_t;
    type sbin_t;
    type unlabeled_t;
    type inaddr_any_node_t;
    type usr_t;
    type mysqld_etc_t;
    role system_r;
};
# Create a nagios var type. It labels files, not processes, so it only
# needs files_type(); it must not be declared with domain_type().
type nagios_var_t;
files_type(nagios_var_t)
#
# nagios_t itself: full access to its var tree (spool, rw, log) and
# the command fifo
allow nagios_t sbin_t:dir search;
allow nagios_t nagios_var_t:dir rw_dir_perms;
allow nagios_t nagios_var_t:dir search_dir_perms;
allow nagios_t nagios_var_t:file rw_file_perms;
allow nagios_t nagios_var_t:file create_file_perms;
allow nagios_t nagios_var_t:fifo_file {create read write getattr};
#
# ping_t: replaces the blanket usr_t rule from audit2allow; ping may
# touch nagios_var_t files (the inherited check-result file) and the
# fifo, and nothing else
allow ping_t nagios_var_t:fifo_file read;
allow ping_t nagios_var_t:file {read write};
#
# CGIs running under apache need the config and the var tree
nagios_read_config( httpd_nagios_script_exec_t );
nagios_read_config( httpd_nagios_script_t );
nagios_read_config( nagios_cgi_t );
allow httpd_t nagios_cgi_t:process { sigkill signal };
allow nagios_cgi_t nagios_var_t:fifo_file { getattr write read };
allow nagios_cgi_t nagios_var_t:dir search;
allow httpd_nagios_script_t nagios_var_t:fifo_file {getattr write };
allow httpd_nagios_script_t nagios_var_t:file r_file_perms;
allow httpd_nagios_script_t nagios_var_t:dir r_dir_perms;
allow httpd_nagios_script_t nagios_var_t:dir search_dir_perms;
# restorecon must be allowed to relabel files to the new type
allow restorecon_t nagios_var_t:file relabelto;
#
# Need this so check_dns will work
allow nagios_t inaddr_any_node_t:udp_socket node_bind;
#
# things that don't matter...
dontaudit httpd_nagios_script_t unlabeled_t:dir search;
dontaudit nagios_t httpd_sys_content_t:dir search;
# check_mysql...
dontaudit nagios_t mysqld_etc_t:file getattr;
dontaudit nagios_t usr_t:file getattr;
#
# rules to let nagios sendmail
allow nagios_t sbin_t:lnk_file read;
nagios-local.fc
/usr/local/nagios/var(/.*)? system_u:object_r:nagios_var_t:s0
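As an added example (my own script, not code from the original post or from the Nagios wiki policy), the POSIX shell script below ties the two solutions together. avc_to_allow and te_rules_from_log reproduce the core of what the audit2allow step in solution 1 does, so the rule can be inspected before it is loaded (they print the allow rules only, not the require block that audit2allow also writes); build_nagios_module compiles and loads the nagios-local.te/.fc pair from solution 2 and relabels the var tree. It assumes selinux-policy-devel is installed (it provides /usr/share/selinux/devel/Makefile) and that nagios-local.te and nagios-local.fc sit in the current directory. The sample AVC record embedded in it is constructed from the log above.

```shell
#!/bin/sh
# Added example, not code from the original post or the Nagios wiki.
#   avc_to_allow / te_rules_from_log : the core of what audit2allow does in
#       solution 1, so you can see the rule before loading it
#   build_nagios_module              : compile, load and apply the
#       nagios-local.te/.fc pair from solution 2
# Assumptions: selinux-policy-devel is installed (provides
# /usr/share/selinux/devel/Makefile) and nagios-local.te/.fc are in
# the current directory.
# Usage: sh nagios-selinux.sh show /tmp/tmp-nagiosping
#        sh nagios-selinux.sh install      (as root)

# One AVC record, constructed from the log earlier on this page.
SAMPLE_AVC='host=wingwu type=AVC msg=audit(1268150333.223:229): avc: denied { read write } for pid=8372 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkkbOyGH" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# Turn one raw AVC line into the allow rule audit2allow would emit for it:
# source type from scontext, target type from tcontext, class and the
# permission set from "denied { ... }". Returns 1 for non-AVC lines.
avc_to_allow() {
    _line=$1
    _perms=$(printf '%s\n' "$_line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    _src=$(printf '%s\n' "$_line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    _tgt=$(printf '%s\n' "$_line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    _cls=$(printf '%s\n' "$_line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$_perms" ] && [ -n "$_src" ] && [ -n "$_tgt" ] && [ -n "$_cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# Read an audit log (or a file of pasted "Raw Audit Messages"), keep only
# the AVC records (SYSCALL records carry no access vector) and print one
# allow rule per distinct denial.
te_rules_from_log() {
    grep 'type=AVC' "$1" | while IFS= read -r _l; do
        avc_to_allow "$_l" || true
    done | sort -u
}

# Compile nagios-local.te + nagios-local.fc into nagios-local.pp, load it
# and relabel the existing var tree. Loading the module alone changes
# nothing on disk: files keep usr_t until restorecon applies the new .fc.
build_nagios_module() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo 'selinux-policy-devel is not installed' >&2
        return 1
    fi
    make -f /usr/share/selinux/devel/Makefile nagios-local.pp || return 1
    semodule -i nagios-local.pp || return 1
    restorecon -Rv /usr/local/nagios/var
    spool_is_relabelled || { echo 'checkresults spool still not nagios_var_t' >&2; return 1; }
}

# True once the checkresults spool directory carries nagios_var_t.
spool_is_relabelled() {
    ls -dZ /usr/local/nagios/var/spool/checkresults 2>/dev/null | grep -q ':nagios_var_t:'
}

case "${1:-}" in
    show)    te_rules_from_log "${2:-/var/log/audit/audit.log}" ;;
    install) build_nagios_module ;;
esac
```

Running the show mode against /tmp/tmp-nagiosping prints exactly one line, allow ping_t usr_t:file { read write };, which is the whole content of the module solution 1 loads. The install mode ends by checking the spool directory's label, because semodule -i on its own only installs the policy: existing files stay usr_t, and new check-result files inherit the directory's type, so without the restorecon step the denial keeps appearing.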
References:
http://wiki.nagios.org/index.php/Selinux
http://blog.pas.net.au/2009/05/fighting-with-selinux-and-nagios/
http://blogs.fedoraproject.org/wp/mgrepl/2010/01/22/selinuxnagios/