Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...
|
Re: nagios_log_t missing: msg#00239
|
Subject: |
Re: nagios_log_t missing |
Farkas Levente wrote:
Daniel J Walsh wrote:
Farkas Levente wrote:
hi,
there is a nagios_log_t and used in nagios.fc but never defined
(missing). so when we try to apply it we got these errors:
---------------------------------------------
# chcon -R -t nagios_log_t /var/log/nagios
chcon: failed to change context of /var/log/nagios to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/rw to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/archives to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/.bash_history to
user_u:object_r:nagios_log_t: Invalid argument
---------------------------------------------
how can i fix it?
dan could you create updated rpms which fix it in
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/ ?:-)
yours.
nagios policy is not used in RHEL4. It should run unconfined_t. We
are only supporting the subset of network daemons in targeted policy.
Using strict or other policies in RHEL4 requires a separate support
contract, professional services engagement.
ok. i only think that if nagios_log_t used in the current
selinux-policy-targeted than (in nagios.fc) than it should have to be
defined also. but it's definition currently missing from
selinux-policy-targeted, which is imho a bug. that's what i'd like to
report.
We do not strip out fc files that we do not support. The way the make
file and hence the RPM works is it looks for *.te files in the
domains/program directory and uses those names to choose the
file_context files. We want to use the same policy source pool to
supoort targeted, strict, mls ... policy. And therefore get the best
bang for the buck from the open source community. So think of the
policy-src files like you do kernel sources. Just because there is
stuff in there does not mean we support them.
another thing even if nagios run in unconfined_t is ok since the log
files can be generated and the daemon is running, but the web
interface of nagios not working since it's try to read it's log files
under /var/log/nagios which is currently var_log_t (inherited from
it's parent). so currently i've a few options:
- add a local.te as:
allow httpd_sys_script_t var_log_t:dir search;
allow httpd_sys_script_t var_log_t:file { getattr read };
- change /var/log/nagios to httpd_sys_content_t and add only
allow httpd_sys_script_t var_log_t:dir search;
- change /var/log/nagios to nagios_log_t and add
allow httpd_sys_script_t var_log_t:dir search;
allow httpd_sys_script_t nagios_log_t:file { getattr read };
and imho the best solution would be to add this last one to the global
policy.
yours.
How about adding
chcon -R -t httpd_sys_script_ro_t /var/log/nagios
Then you don't need to change policy at all
just my 2c.
--
|
| |
