Check raid causes some messages (new?) and diskcheck causes failures on mountpoints (I have no suggestion on handling that).

Reproducible: Always

Actual Results:

avc: denied { read } for pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc: denied { open } for pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc: denied { ioctl } for pid=17047 comm="check_raid" path="/proc/mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
---
avc: denied { getattr } for pid=16695 comm="check_disk" path="/dev/pts" dev=devpts ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { getattr } for pid=16695 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc: denied { getattr } for pid=16695 comm="check_disk" path="/proc/bus/usb" dev=usbfs ino=1427 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:usbfs_t tclass=dir
avc: denied { search } for pid=16695 comm="check_disk" name="fs" dev=proc ino=6013 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir
avc: denied { getattr } for pid=16695 comm="check_disk" path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
avc: denied { getattr } for pid=16717 comm="check_disk" path="/boot" dev=md2 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:boot_t tclass=dir
avc: denied { getattr } for pid=16717 comm="check_disk" path="/data" dev=md7 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:default_t tclass=dir
avc: denied { getattr } for pid=16732 comm="check_disk" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:fusefs_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/sys" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/dev/pts" dev=devpts ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=16798 comm="check_disk" name="/" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/boot" dev=md2 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:boot_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/data" dev=md7 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:default_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/proc/bus/usb" dev=usbfs ino=1427 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:usbfs_t tclass=dir
avc: denied { search } for pid=16798 comm="check_disk" name="fs" dev=proc ino=6013 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir
avc: denied { getattr } for pid=16798 comm="check_disk" path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
avc: denied { getattr } for pid=16816 comm="check_disk" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:fusefs_t tclass=dir
avc: denied { getattr } for pid=16850 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc: denied { getattr } for pid=16893 comm="check_disk" path="/sys" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
-------

--The module--

module nrpe 1.0;

require {
	type nrpe_t;
	type proc_mdstat_t;
	type system_cronjob_t;
	class tcp_socket getattr;
	class unix_dgram_socket getattr;
	class file { read getattr open ioctl };
}

#============= nrpe_t ==============
allow nrpe_t proc_mdstat_t:file { read getattr open ioctl };

It looks like this bug, but apparently it isn't completely fixed: https://bugs.gentoo.org/show_bug.cgi?id=379199
The cronjob can be lifted from the nrpe case; it was a leftover from a false positive on an lsof command. This should be sufficient...

---8<---
module nrpe 1.0;

require {
	type nrpe_t;
	type proc_mdstat_t;
	class file { read getattr open ioctl };
}

#============= nrpe_t ==============
allow nrpe_t proc_mdstat_t:file { read getattr open ioctl };
ACK on the nrpe read access to /proc/mdstat.

On the getattr support needed for directories, this should be in place. Can you give me the output of the following two commands?

~# sesearch -t mountpoint -A -d
~# seinfo -amountpoint -x
# sesearch -t mountpoint -A -d
Found 5 semantic av rules:
   allow cupsd_config_t mountpoint : dir { getattr search open } ;
   allow exim_t mountpoint : dir getattr ;
   allow consolekit_t mountpoint : dir { getattr search open } ;
   allow mount_t mountpoint : file { getattr mounton } ;
   allow mount_t mountpoint : dir { getattr mounton search open } ;
# seinfo -amountpoint -x
   mountpoint
      named_conf_t
      sysctl_fs_t
      user_home_dir_t
      mail_spool_t
      autofs_t
      capifs_t
      device_t
      devpts_t
      fusefs_t
      cifs_t
      dosfs_t
      file_t
      nfs_t
      proc_t
      ramfs_t
      spufs_t
      src_t
      sysfs_t
      tmpfs_t
      usbfs_t
      vxfs_t
      xenfs_t
      ecryptfs_t
      removable_t
      user_home_t
      rpc_pipefs_t
      proc_xen_t
      var_log_t
      vmblock_t
      binfmt_misc_fs_t
      anon_inodefs_t
      home_root_t
      audit_spool_t
      cgroup_t
      squash_t
      sysctl_t
      boot_t
      lib_t
      mnt_t
      root_t
      sysv_t
      tmp_t
      usr_t
      var_t
      auditd_log_t
      mqueue_spool_t
      hugetlbfs_t
      initrc_state_t
      default_t
      iso9660_t
      var_lib_t
      var_run_t
If you can explain why you need this info, I can learn more about how to solve similar problems... TIA
Certainly. The denial I'm focusing on is of the following form:

avc: denied { getattr } for pid=16695 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir

In the policy, there is a line that says:

files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)

This line translates to:

allow nagios_checkdisk_plugin_t mountpoint:dir getattr;

In other words, the denial we see shouldn't be there, since var_t has the attribute "mountpoint", so nagios_checkdisk_plugin_t should be able to "getattr" on this directory. This leads me to believe there is a build issue with the module, so I'll work on this first and see if I can reproduce.
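The reasoning in the comment above (an interface such as files_getattr_all_mountpoints() expands to one allow rule on an attribute, and every type carrying that attribute is covered) can be checked mechanically. The following Python script is an added example, not code from this bug or from the selinux-nagios policy: it first collapses AVC denial lines into audit2allow-style allow rules, which is what produced the module in the first comment, and then subtracts what the rule `allow nagios_checkdisk_plugin_t mountpoint:dir getattr;` already grants, using the mountpoint membership listed in the seinfo output above. The sample denials and the attribute table are a constructed subset copied from this bug; the parsing and rule-subtraction logic is this example's own and is not a real policy tool.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC denials quoted in this bug,
# one denial per line (on a real system these come from dmesg or audit.log).
AVC_LINES = """\
avc: denied { read } for pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc: denied { open } for pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc: denied { ioctl } for pid=17047 comm="check_raid" path="/proc/mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc: denied { getattr } for pid=16695 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc: denied { search } for pid=16695 comm="check_disk" name="fs" dev=proc ino=6013 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir
avc: denied { getattr } for pid=16717 comm="check_disk" path="/data" dev=md7 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:default_t tclass=dir
avc: denied { search } for pid=16798 comm="check_disk" name="/" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
"""

# Types carrying the "mountpoint" attribute, a subset of the seinfo output
# posted in this bug (enough for the sample denials above).
ATTRIBUTES = {
    "mountpoint": {"var_t", "boot_t", "default_t", "sysfs_t", "sysctl_fs_t",
                   "devpts_t", "usbfs_t", "fusefs_t", "binfmt_misc_fs_t"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms


def collapse(lines):
    """Merge denials per (source, target, class), the way audit2allow builds allow rules."""
    merged = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    return dict(merged)


def allow_rules(merged):
    """Render merged denials as policy allow statements, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        body = f"{{ {p} }}" if len(perms) > 1 else p
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def subtract_rule(merged, src, target, cls, perms, attributes=ATTRIBUTES):
    """Drop from the merged denials whatever an existing rule already grants.

    'target' may be a plain type or an attribute name; an attribute is expanded
    to its member types, mirroring how the kernel policy treats attribute rules."""
    targets = attributes.get(target, {target})
    remaining = {}
    for (s, t, c), p in merged.items():
        if s == src and t in targets and c == cls:
            p = p - set(perms)
        if p:
            remaining[(s, t, c)] = set(p)
    return remaining


if __name__ == "__main__":
    merged = collapse(AVC_LINES)
    print("audit2allow-style rules for all denials:")
    for r in allow_rules(merged):
        print("  " + r)
    # files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) expands to this rule:
    left = subtract_rule(merged, "nagios_checkdisk_plugin_t", "mountpoint", "dir", {"getattr"})
    print("\nstill needed once the mountpoint getattr rule is actually in the loaded policy:")
    for r in allow_rules(left):
        print("  " + r)
```

Running it shows the getattr denials on var_t and default_t disappearing once the attribute rule is honoured, which is exactly why the maintainer suspects a build problem rather than a missing rule; the nrpe_t denials on proc_mdstat_t and the `search` denials on sysctl_fs_t and sysfs_t are left over because that one rule grants only getattr, so they have to be accounted for by other rules in the policy.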
Ah <insert expletive here>. That patch apparently isn't included in selinux-nagios-2.20110726-r1. I'll have it in with the -r2 release. From the looks of it, that should have all denials you mentioned fixed. I'll see to have this in hardened-dev overlay as soon as possible.
OK, I'll see the update coming then, and test it.
In hardened-dev overlay
Moved to main portage tree, ~arch'ed.
stabilized