Bug 1015708

Summary: /usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
Product: Red Hat Enterprise Linux 6 Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.4CC: dwalsh, lvrabec, mmalik, mthapa, robert.scheck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-240.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1250667 (view as bug list) Environment:
Last Closed: 2014-10-14 07:57:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1250667    

Description Robert Scheck 2013-10-04 21:29:55 UTC
Description of problem:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
due to the SELinux policy.

Version-Release number of selected component (if applicable):
nagios-plugins-pgsql-1.4.16-5.el6.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible:
Everytime, just set up Nagios with check_pgsql to access PostgreSQL via
socket. Nagios check is simply containing:

  command_line    $USER1$/check_pgsql -l $ARG1$ -d $ARG2$

where '$ARG1$' is 'postgres' and '$ARG2$' is 'template1'. This of course is
requiring PostgreSQL to be configured accordingly.

Actual results:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432

Expected results:
/usr/lib64/nagios/plugins/check_pgsql has access to /tmp/.s.PGSQL.5432

Additional info:
allow nagios_t postgresql_tmp_t:sock_file write;
allow nagios_t postgresql_t:unix_stream_socket connectto;
allow nagios_services_plugin_t postgresql_tmp_t:sock_file write;
allow nagios_services_plugin_t postgresql_t:unix_stream_socket connectto;

Comment 1 Robert Scheck 2013-10-04 21:31:26 UTC
Cross-filed ticket #00955666 on the Red Hat customer portal.

Comment 4 Lukas Vrabec 2014-07-04 10:03:10 UTC
patch sent.

Comment 8 errata-xmlrpc 2014-10-14 07:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

Comment 9 Robert Scheck 2014-10-17 16:59:41 UTC
I am sorry, I disagree: selinux-policy-3.7.19-260.el6.noarch together with
nagios-plugins-pgsql-1.4.16-10.el6.x86_64 lead to:

type=AVC msg=audit(1413440001.123:49): avc:  denied  { read } for  pid=7631 comm="check_pgsql" name="tmp" dev=sda2 ino=4194305 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1413440001.123:49): arch=x86_64 syscall=open success=no exit=EACCES a0=330b454f61 a1=0 a2=1b6 a3=0 items=0 ppid=7630 pid=7631 auid=4294967295 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=4294967295 comm=check_pgsql exe=/usr/lib64/nagios/plugins/check_pgsql subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)