On Wednesday, 16.02.2011, 19:42 +0100, Christoph Maser wrote:
> On Tuesday, 11.01.2011, 23:40 +0100, Pavel Kankovsky wrote:
> > On Wed, 5 Jan 2011, Scott Reese wrote:
> >
> > > Since the files aren't where the SELinux policy expects them to be, it
> > > generates denials and Nagios doesn't work.
> >
> > Denials are caused by incorrect contexts. And contexts are not initialized
> > correctly because files and directories are not at expected places.
> >
> > Missing file context rules can be added with "semanage fcontext" and
> > existing files and directories relabeled with "fixfiles restore".
> >
> > Anyway, the easiest solution would probably be to change the package
> > layout to follow FHS, as expected by the standard policy and its file
> > context rules.
>
> Yes, there are some improvements to be done, but the policy shipped in
> RHEL 5 certainly is also incomplete. It's missing /var/run/nagios.*
> and /var/spool/nagios(/.*)? in the file context. Which means that
> a) nagios has to be started as root to create the pid file. Yes, I know
> nagios drops privileges, but it reads the config before dropping privs on
> startup. If the permissions are wrong on the configs, a runtime config
> reload can cause failures.
> b) checkresultdir has to be under /var/log, but it should be
> under /var/spool.
>
> So, what do we do? And btw. newer releases of selinux-policy have that
> fixed (e.g. in Fedora 14). That means another bunch of conditionals in
> the spec :(
I have to correct myself: actually /var/spool/nagios is in the policy. I did only look at the source files of selinux-policy, but there is also a huge patch in that package which includes a lot of nagios policy changes.

But I did identify a few problems with the nagios policy module as shipped in C5:

- init script: it is possible to start nagios as root or as the nagios user on the command line, but not using the init script. The init script is context initrc_exec_t and that context is not allowed.
- pid file: actually nagios drops its privs before writing the pid file, so the init script can not be in /var/run. Workaround: put the pid file under /var/log/nagios.
- command file: by default nagios installs the command file in $LOGDIR/rw, which would be /var/log/nagios/rw, but fifo access for httpd_nagios_script_t is only allowed for /var/spool/nagios. Setting $LOGDIR to /var/spool/nagios is not a solution since that breaks a lot of other policies. Workaround: patch Makefiles so the command file location can be set separately.

I will try to fix the last 2 ones, but I have no idea how to deal with the init script. Does anyone have an idea how to deal with it?

Chris
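The thread's diagnosis is that denials come from paths that either match no file-context rule or match the wrong one (the command fifo under /var/log/nagios/rw picks up the log type, which httpd_nagios_script_t may not use as a fifo). The script below is an added example, not code from the thread or from the selinux-policy package: it matches candidate Nagios paths against a file-context listing the way the lookup does (last matching regex wins), reports the type each path would get, and prints the `semanage fcontext` / `restorecon` commands suggested above for paths without a rule. The listing is a constructed sample in `semanage fcontext -l` output format, not the real RHEL 5 policy; on a live system you would feed it `semanage fcontext -l` instead.

```shell
#!/bin/sh
# Constructed sample in `semanage fcontext -l` format (regex, file type, context).
# This is an assumption for the example, NOT the shipped C5 nagios policy.
SAMPLE_FCONTEXTS='/var/log/nagios(/.*)?           all files  system_u:object_r:nagios_log_t:s0
/var/run/nagios.*                all files  system_u:object_r:nagios_var_run_t:s0
/var/spool/nagios(/.*)?          all files  system_u:object_r:nagios_spool_t:s0
/usr/lib/nagios/plugins(/.*)?    all files  system_u:object_r:nagios_exec_t:s0'

# Print the SELinux type of the last rule whose regex matches the whole path,
# or nothing when no rule matches. libselinux also searches from the last
# entry backwards, so "last match wins" mirrors what the labeler would pick.
fcontext_type() {
    path=$1
    found=""
    while read -r line; do
        [ -n "$line" ] || continue
        regex=${line%% *}          # first field: the path regex
        ctx=${line##* }            # last field: user:role:type:level
        [ "$ctx" != "<<None>>" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=${ctx##*object_r:}   # "type:level"
            found=${found%%:*}         # drop the MLS/MCS level
        fi
    done <<EOF
$SAMPLE_FCONTEXTS
EOF
    printf '%s' "$found"
}

# Count how many of the given paths have no file-context rule at all.
count_missing() {
    n=0
    for p in "$@"; do
        [ -n "$(fcontext_type "$p")" ] || n=$((n + 1))
    done
    echo "$n"
}

# Human-readable report: the type a path will be labeled with, or the
# remediation the thread recommends (add a rule, then relabel) when it has none.
# <type_t> is a placeholder; choose the type the policy already uses for that role.
report_paths() {
    for p in "$@"; do
        t=$(fcontext_type "$p")
        if [ -n "$t" ]; then
            echo "ok       $p -> $t"
        else
            echo "MISSING  $p"
            echo "  semanage fcontext -a -t <type_t> '$p(/.*)?'"
            echo "  restorecon -Rv '$p'"
        fi
    done
}

# Sample run over the locations discussed in the thread.
report_paths /var/run/nagios.pid /var/spool/nagios/cmd \
             /var/log/nagios/rw/nagios.cmd /etc/nagios/nagios.cfg
```

Note that `/var/log/nagios/rw/nagios.cmd` is reported as "ok" with type nagios_log_t: the script only tells you which type a path gets, and the thread's point is that this type, while defined, is not the one the httpd domain is allowed to open as a fifo. Use the output to decide whether the fix is a new fcontext rule, a relabel, or moving the file to the path the policy already expects.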
