type=AVC msg=audit(1313354030.767:1459): avc: denied { getattr } for pid=31826 comm="check_disk" path="/var" dev=dm-3 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1313354030.767:1459): arch=c000003e syscall=4 success=no exit=-13 a0=742d4c3d7495 a1=e6f9f1b110 a2=e6f9f1b110 a3=4 items=0 ppid=31825 pid=31826 auid=0 uid=103 gid=110 euid=103 suid=103 fsuid=103 egid=110 sgid=110 fsgid=110 tty=(none) ses=1 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t key=(null)

Reproducible: Always

Actual Results:
/var is not accessible (plugin output)

Expected Results:
The plugin is supposed to be able to take a dir as an argument, but SELinux blocks that. If I set it to the block device it works.
If you allow nagios_checkdisk_plugin_t var_t:dir { getattr }; is that sufficient to get that working for the /var location?

To make it a more "complete" solution then, try:

~# cat testmod.te
policy_module(testmod, 1.0)

require {
	type nagios_checkdisk_plugin_t;
}

files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)

~# make -f /usr/share/selinux/strict/include/Makefile testmod.pp
~# semodule -i testmod.pp

That should allow getattr on all types that are identified as mountpoints. If you have a location that is a separate file system, but that isn't marked as a mountpoint yet, add typeattribute <type> mountpoint in the definition. For instance, for /usr/portage on a separate partition, you'll have typeattribute portage_ebuild_t mountpoint;
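As an added example that is not part of this bug thread, the script below parses audit records of the kind pasted in the report (the AVC line plus the SYSCALL line sharing the same serial), joins them, and derives the narrowest rule that would clear the denial (the `allow nagios_checkdisk_plugin_t var_t:dir { getattr };` suggested above). The sample log text is the two records from the report, embedded inline; the function and regex names are the script's own, not part of any SELinux tool.

```python
import errno
import re

# Constructed sample: the AVC and SYSCALL records from the report, as two lines
# of /var/log/audit/audit.log joined by their common serial (1459).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1313354030.767:1459): avc: denied { getattr } for pid=31826 comm="check_disk" path="/var" dev=dm-3 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1313354030.767:1459): arch=c000003e syscall=4 success=no exit=-13 a0=742d4c3d7495 a1=e6f9f1b110 a2=e6f9f1b110 a3=4 items=0 ppid=31825 pid=31826 auid=0 uid=103 gid=110 euid=103 suid=103 fsuid=103 egid=110 sgid=110 fsgid=110 tty=(none) ses=1 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t key=(null)
"""

# "avc: denied { perm1 perm2 } for key=value ..." ; the serial after the colon
# in msg=audit(ts:serial) ties the AVC record to its SYSCALL record.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)')
# key=value pairs; values are either a quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'pid=1 comm="x" tclass=dir' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group AVC and SYSCALL records by serial; return one dict per denial."""
    events = {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            ev = events.setdefault(m['serial'], {})
            ev.update(parse_kv(m['rest']))
            ev['perms'] = m['perms'].split()
            ev['serial'] = m['serial']
            continue
        m = SYSCALL_RE.match(line)
        if m:
            ev = events.setdefault(m['serial'], {})
            ev['syscall'] = parse_kv(m['rest'])
    # Only serials that actually carry a denial are interesting here.
    return [ev for ev in events.values() if 'perms' in ev]


def type_of(context):
    """user:role:type[:range] -> type (e.g. system_u:object_r:var_t -> var_t)."""
    return context.split(':')[2]


def allow_rule(ev):
    """The minimal TE rule that would permit exactly this denial."""
    return 'allow %s %s:%s { %s };' % (
        type_of(ev['scontext']), type_of(ev['tcontext']),
        ev['tclass'], ' '.join(sorted(ev['perms'])))


def summarize(ev):
    """One human-readable line per denial, using the SYSCALL record when present."""
    sc = ev.get('syscall', {})
    exe = sc.get('exe', ev.get('comm', '?'))
    code = errno.errorcode.get(-int(sc.get('exit', '0')), 'unknown')
    return 'serial %s: %s (uid %s) as %s denied %s on %s %s (%s), exit %s; candidate: %s' % (
        ev['serial'], exe, sc.get('uid', '?'), type_of(ev['scontext']),
        ' '.join(ev['perms']), ev['tclass'], ev.get('path', '?'),
        type_of(ev['tcontext']), code, allow_rule(ev))


if __name__ == '__main__':
    for ev in parse_audit(SAMPLE_AUDIT):
        print(summarize(ev))
```

The candidate rule this prints is the narrow, audit2allow-style fix; the thread's `files_getattr_all_mountpoints()` interface is the broader alternative that covers every type carrying the mountpoint attribute, so a denial on a different mountpoint type does not need a second rule. Running the script over a real audit.log would list one candidate per denied serial, which is a quick way to check whether the interface you chose actually covers all of them.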
That works.
Will be in -r2
In hardened-dev overlay now
In portage tree (~arch)