2011-08-23 10:46:27

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Nagios' checkdisk plugin requires getattr on the mountpoint directories

Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/nagios.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 758c522..b7dbb1a 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -310,6 +310,7 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };

+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)

fs_getattr_all_fs(nagios_checkdisk_plugin_t)
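
Review bot: the added files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) line has no comment, while the capability rule directly above it is annotated with "# needed by ioctl()". A one-line comment stating that the plugin needs getattr on the mountpoint directories to collect its data would keep the justification next to the rule, so a later least-privilege review of this domain does not depend on the commit log.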
--
1.7.3.4


2011-08-24 13:02:58

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Nagios' checkdisk plugin requires getattr on the mountpoint directories

On 08/23/11 06:46, Sven Vermeulen wrote:
> Without the getattr privilege on the mountpoint directories, the checkdisk
> plugin fails to capture the data unless nagios is reconfigured to directly
> read the device files themselves.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/services/nagios.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
> index 758c522..b7dbb1a 100644
> --- a/policy/modules/services/nagios.te
> +++ b/policy/modules/services/nagios.te
> @@ -310,6 +310,7 @@ optional_policy(`
> # needed by ioctl()
> allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
>
> +files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
> files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
>
> fs_getattr_all_fs(nagios_checkdisk_plugin_t)
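
Review bot: the grant on the "+" line applies to all mountpoint directories, and the commit message describes the failure without quoting the denial that was logged. Including the AVC denial in the commit message would let a reader confirm that getattr on the mountpoint directory is the only permission missing, and that the broad interface is warranted alongside the existing fs_getattr_all_fs(nagios_checkdisk_plugin_t) call.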

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com