Bug 379199

Summary: selinux-nagios not allowing nagios-check-disk to check by dir
Product: Gentoo Linux
Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: prometheanfire, selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-14 20:48:06 UTC
type=AVC msg=audit(1313354030.767:1459): avc:  denied  { getattr } for  pid=31826 comm="check_disk" path="/var" dev=dm-3 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1313354030.767:1459): arch=c000003e syscall=4 success=no exit=-13 a0=742d4c3d7495 a1=e6f9f1b110 a2=e6f9f1b110 a3=4 items=0 ppid=31825 pid=31826 auid=0 uid=103 gid=110 euid=103 suid=103 fsuid=103 egid=110 sgid=110 fsgid=110 tty=(none) ses=1 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t key=(null)

Reproducible: Always

Actual Results:  
/var is not accessible (plugin output)

Expected Results:  
The plugin is supposed to be able to take a dir as an argument, but selinux blocks that.  If I set it to the block device it works.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-15 08:46:05 UTC
If you 

  allow nagios_checkdisk_plugin_t var_t:dir { getattr };

is that sufficient to get that working for the /var location?

To make it a more "complete" solution then, try

~# cat testmod.te
policy_module(testmod, 1.0)

require {
  type nagios_checkdisk_plugin_t;
}

files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)

~# make -f /usr/share/selinux/strict/include/Makefile testmod.pp
~# semodule -i testmod.pp

That should allow getattr on all types that are identified as mountpoints. If you have a location that is a separate file system, but that isn't marked as a mountpoint yet, add

typeattribute <type> mountpoint;

in the definition. For instance, for /usr/portage on a separate partition, you'll have

typeattribute portage_ebuild_t mountpoint;
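As an added example (not code from this bug report or from the Gentoo hardened policy), the script below turns the AVC denial from the description into the kind of module comment 1 describes: it reuses the refpolicy interface files_getattr_all_mountpoints and the mountpoint attribute from comment 1 instead of the blanket allow rule audit2allow would produce, and refuses anything that is not a getattr-on-dir denial. Assumptions: the module name checkdisk_mountpoints, that var_t already carries the mountpoint attribute (comment 1's module worked for /var), and the seinfo invocation in the comments.

```shell
#!/bin/sh
# Added example, not code from the bug report: turn one AVC denial into a
# minimal policy module. AVC is constructed sample input copied from above.
AVC='type=AVC msg=audit(1313354030.767:1459): avc:  denied  { getattr } for  pid=31826 comm="check_disk" path="/var" dev=dm-3 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir'

# avc_field LINE KEY -> value of "KEY=value" in the AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# type_of CONTEXT -> the type component of user:role:type[:range]
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gen_te SRC_TYPE TGT_TYPE IS_MOUNTPOINT(yes|no) -> module source on stdout.
# Rather than the blanket "allow SRC TGT:dir getattr;" audit2allow would
# emit, use the refpolicy interface from comment 1; a target that is not a
# mountpoint yet gets the attribute so the same interface covers it.
gen_te() {
    printf 'policy_module(checkdisk_mountpoints, 1.0)\n\n'
    printf 'require {\n  type %s;\n' "$1"
    if [ "$3" = no ]; then printf '  type %s;\n  attribute mountpoint;\n' "$2"; fi
    printf '}\n\n'
    if [ "$3" = no ]; then printf 'typeattribute %s mountpoint;\n' "$2"; fi
    printf 'files_getattr_all_mountpoints(%s)\n' "$1"
}

# module_for_avc AVC_LINE IS_MOUNTPOINT -> module source for that denial.
# Only the getattr-on-dir case of this bug is handled; anything else is
# refused so the script never widens policy for an unrelated denial.
module_for_avc() {
    if [ "$(avc_field "$1" tclass)" != dir ] ||
       ! printf '%s\n' "$1" | grep -q '{ getattr }'; then
        echo "refusing: not a { getattr } dir denial" >&2
        return 1
    fi
    gen_te "$(type_of "$(avc_field "$1" scontext)")" \
           "$(type_of "$(avc_field "$1" tcontext)")" "$2"
}

# Assumption: var_t already carries the mountpoint attribute in refpolicy
# (comment 1's interface-only module worked for /var). On a live host, check
# with setools first (assumed invocation):  seinfo -a mountpoint -x | grep -qw var_t
module_for_avc "$AVC" yes
# Save that output as checkdisk_mountpoints.te, then build and load as in
# comment 1:
#   make -f /usr/share/selinux/strict/include/Makefile checkdisk_mountpoints.pp
#   semodule -i checkdisk_mountpoints.pp
```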
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-16 15:51:10 UTC
That works.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-16 21:36:29 UTC
Will be in -r2
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-19 20:53:36 UTC
In hardened-dev overlay now
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-29 09:15:18 UTC
In portage tree (~arch)