From: debian@mikapflueger.de (Mika Pflüger)
Date: Wed, 21 May 2014 15:32:15 +0200
Subject: [refpolicy] Using nagios with SELinux on Debian
In-Reply-To: <537C8E46.8040407@cs.rwth-aachen.de>
References: <537C8E46.8040407@cs.rwth-aachen.de>
Message-ID: <20140521153215.4caaa1f9@george.anarkia>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

Gereon Kremer wrote:
> I'm trying to use nagios on a debian with SELinux.
> Although there is a nagios policy, there are various avc denials,
> mostly plugins that are denied to access /var/lib/nagios3/spool/
>
> I looked through the nagios policy and it seems that some things are
> just incomplete:
> There are several classes of plugins (admin, checkdisk, mail,
> services, system, unconfined) but they all try to access the same
> spool folder and there are no rules to allow this access: Neither
> rules that allow all plugins to access a specific file class, nor a
> rule that labels the spool folder. (there is a rule
> for /var/spool/nagios3/, but this folder does not exist on my
> machine...) Also, the webserver (apache in my case) tries to access
> cache files which is not allowed by the nagios policy...
>
> What is the status of this policy? Should it actually work? Or is it
> just broken for debian?

Your analysis is most likely correct; there are quite a few bugs in the debian policy and refpolicy. If you want to chase them, it is always helpful to check the differences between the debian policy [1], upstream refpolicy [2] and the fedora policy [3]; often fedora already contains fixes which could be polished and pushed upstream, from where they'll trickle down into the debian policy.
If you don't intend to chase the policy bugs yourself, you can also report a bug against the debian refpolicy package, but at the moment we (the debian selinux team) have some more pressing issues, so a bug about nagios might take us a release or two (yes, that's 5 years) until we get around to looking at it if it doesn't come with patches.

Cheers,

Mika

[1] git://anonscm.debian.org/selinux/refpolicy.git
[2] http://oss.tresys.com/git/refpolicy.git
[3] http://git.fedorahosted.org/git/selinux-policy.git
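The first step in chasing denials like the ones Gereon describes is to reduce the raw AVC records to the distinct (source domain, target type, class, permissions) tuples, because that is exactly the shape of the allow rule that is missing or the file context that is wrong. The script below is an added example, not code from either message or from refpolicy; the audit lines in it are constructed, the plugin domain names follow refpolicy's nagios module naming (nagios_<group>_plugin_t) plus httpd_t, and var_lib_t is assumed as the type an unlabelled directory under /var/lib would inherit. Nothing in it comes from a real host.

```shell
#!/bin/sh
# Added example: triage AVC denials of the kind described in the thread.
# AVC_SAMPLE is CONSTRUCTED for illustration.  Domain names follow the
# refpolicy nagios module (nagios_<group>_plugin_t) and httpd_t; the
# target type var_lib_t is assumed to be what an unlabelled
# /var/lib/nagios3/spool inherits.  None of this is real audit data.
AVC_SAMPLE='type=AVC msg=audit(1400677935.123:101): avc:  denied  { write } for  pid=1234 comm="check_disk" name="spool" dev="sda1" ino=5678 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400677936.456:102): avc:  denied  { write } for  pid=1235 comm="check_mailq" name="spool" dev="sda1" ino=5678 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400677937.789:103): avc:  denied  { read open } for  pid=1240 comm="apache2" name="status.dat" dev="sda1" ino=5690 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1400677938.012:104): avc:  denied  { write } for  pid=1234 comm="check_disk" name="spool" dev="sda1" ino=5678 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# summarize_avc [file]: collapse raw AVC records into one line per distinct
# "source_type -> target_type class { perms }" tuple.  With no argument it
# reads the constructed sample; otherwise it reads the given file (for
# example audit.log, or the output of "ausearch -m avc --raw" saved to a file).
summarize_avc() {
  if [ -n "${1:-}" ]; then cat -- "$1"; else printf '%s\n' "$AVC_SAMPLE"; fi |
  awk '
  /avc: +denied/ {
    perms = ""; src = "?"; tgt = "?"; cls = "?"
    # The permission set sits between the braces.
    if (match($0, /\{[^}]*\}/)) {
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
    }
    # A context is user:role:type:level; the type is the third field.
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    printf "%s -> %s %s { %s }\n", src, tgt, cls, perms
  }' | sort -u
}

# nagios_plugin_domains_denied [file]: only the nagios plugin domains that
# hit a denial, i.e. which of the policy's plugin groups lack a rule for
# the spool directory's current label.
nagios_plugin_domains_denied() {
  summarize_avc "$@" | awk '$1 ~ /^nagios_.*_plugin_t$/ { print $1 }' | sort -u
}

# Usage when run as a script:  sh avc_summary.sh [/var/log/audit/audit.log]
# (the file name avc_summary.sh is just an assumed name for this example).
summarize_avc "$@"
```

The summary separates the two questions Gereon's report mixes: whether the spool directory carries a nagios type at all (a denial whose target is var_lib_t says it does not, which matches the .fc rule covering /var/spool/nagios3 rather than /var/lib/nagios3/spool), and whether the plugin domains have rules for the type it should carry. The second question is answered against the installed policy with setools, e.g. `sesearch -A -s nagios_checkdisk_plugin_t -t nagios_spool_t`; if that returns nothing, relabelling the directory alone will not make the denials go away, and the fix belongs in the policy's allow rules as the message says.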