From: gereon.kremer@cs.rwth-aachen.de (Gereon Kremer)
Date: Wed, 21 May 2014 13:30:14 +0200
Subject: [refpolicy] Using nagios with SELinux on Debian
Message-ID: <537C8E46.8040407@cs.rwth-aachen.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

I'm trying to use nagios on a debian with SELinux.
Although there is a nagios policy, there are various avc denials, mostly
plugins that are denied to access /var/lib/nagios3/spool/

I looked through the nagios policy and it seems that some things are
just incomplete:
There are several classes of plugins (admin, checkdisk, mail. services,
system, unconfined) but they all try to access the same spool folder and
there are no rules to allow this access: Neither rules that allow all
plugins to access a specific file class, nor a rule that labels the
spool folder. (there is a rule for /var/spool/nagios3/, but this folder
does not exist on my machine...)
Also, the webserver (apache in my case) tries to access cache files
which is not allows by the nagios policy...

What is the status of this policy? Should it actually work? Or is it
just broken for debian?

-- 
Gereon Kremer
Lehr- und Forschungsgebiet Theorie Hybrider Systeme
RWTH Aachen
Tel: +49 241 80 21243