| Summary: | SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the sigkill access on a process | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | dwalsh, mmalik, robert.scheck, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-08 21:25:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Cross-filed ticket #00955664 on the Red Hat customer portal. Robert,
This should be fixed in the latest RHEL6 policy
allow nagios_plugin_domain nagios_t : process { sigchld sigkill sigstop signull signal } ;
Simon, since which version should this be fixed? Having here the latest RPM (selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned in changelog at all if I am not completely mistaken... (In reply to Robert Scheck from comment #5) > Simon, since which version should this be fixed? Having here the latest RPM > (selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned > in changelog at all if I am not completely mistaken... selinux-policy-3.7.19-231.el6.noarch Fixes are in the "policy-RHEL6.5.patch" file from the source RPM 257745 +allow nrpe_t nagios_plugin_domain:process { signal sigkill }; Thank you, the line is there indeed. |
Description of problem: Raw Audit Messages type=AVC msg=audit(1380800743.117:542452): avc: denied { sigkill } for pid=5139 comm="check_ping" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:system_r:nagios_t:s0 tclass=process type=SYSCALL msg=audit(1380800743.117:542452): arch=x86_64 syscall=kill success=yes exit=0 a0=0 a1=9 a2=1bf6500 a3=a392d393538382d items=0 ppid=5133 pid=5139 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=21329 comm=check_ping exe=/usr/lib64/nagios/plugins/check_ping subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null) Version-Release number of selected component (if applicable): nagios-plugins-ping-1.4.16-5.el6.x86_64 selinux-policy-targeted-3.7.19-195.el6_4.12.noarch How reproducible: Everytime if you force DNS and network timeouts (e.g. by killing the default route or the DNS server thus it causes a timeout as in drop, not a reject). Nagios seems to kill its not responding child somewhen - and this fails due to the SELinux policy. Actual results: SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the sigkill access on a process Expected results: Personal expection would be that Nagios is allowed to kill its child process.