Bug 1052740

Summary: SELinux is preventing check_log via NRPE from read and open var_log_t files
Product: [Fedora] Fedora EPEL
Reporter: Magnus K Karlsson <magnus.r.karlsson>
Component: nagios-plugins
Assignee: Ohad Levy <ohadlevy>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: el6
CC: jose.p.oliveira.oss, linux, ohadlevy, ondrejj
Hardware: x86_64
OS: Linux
Fixed In Version: nagios-plugins-2.2.1-3git.fc24 nagios-plugins-2.2.1-4git.fc26 nagios-plugins-2.2.1-4git.el7 nagios-plugins-2.2.1-3git.fc25 nagios-plugins-2.2.1-4git.el6
Doc Type: Bug Fix
Last Closed: 2017-07-23 21:50:56 UTC
Type: Bug

Description Magnus K Karlsson 2014-01-13 23:56:25 UTC
Description of problem:
Getting SELinux alerts when calling check_log via NRPE.

Agent:
command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

Nagios Server:
sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

------------------------
/var/log/audit/audit.log
------------------------
type=AVC msg=audit(1389653788.715:23): avc:  denied  { read } for  pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 a0=1763250 a1=4 a2=0 a3=8 items=0 ppid=1239 pid=1240 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="check_log" exe="/bin/bash" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)
type=AVC msg=audit(1389653788.724:24): avc:  denied  { open } for  pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 a0=7fff11524f22 a1=0 a2=0 a3=7fff11522c40 items=0 ppid=1240 pid=1246 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="diff" exe="/usr/bin/diff" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)

------------------------
/var/log/messages
------------------------
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /bin/bash from read access on the file server.log. For complete SELinux messages. run sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /usr/bin/diff from open access on the file server.log. For complete SELinux messages. run sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4

------------------------
# sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
------------------------
SELinux is preventing /bin/bash from read access on the file server.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_log /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Set SELinux to Permissive

------------------------
# sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4
------------------------
SELinux is preventing /usr/bin/diff from open access on the file server.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that diff should be allowed open access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep diff /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

------------------------
grep diff /var/log/audit/audit.log | audit2allow -M mycheck_log
------------------------
module mycheck_log 1.0;

require {
	type nagios_system_plugin_t;
	type var_log_t;
	class file read;
}

------------------------
grep check_log /var/log/audit/audit.log | audit2allow -M mydiff
------------------------
module mydiff 1.0;

require {
	type nagios_system_plugin_t;
	type var_log_t;
	class file open;
}

------------------------

Steps to Reproduce:
1. rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
2. yum install nagios-plugins-log-1.4.16-10.el6.x86_64
3. Configure check_log: command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN
4. On client: setenforce Permissive
5. From Nagios Core Server: sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

Actual results:
Description of problem

Expected results:
SELinux Policy should handle var_log_t

Additional info:
# lsb_release -a
LSB Version:	:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:	RedHatEnterpriseServer
Description:	Red Hat Enterprise Linux Server release 6.5 (Santiago)
Release:	6.5
Codename:	Santiago

# uname -a
Linux virtual2.example.com 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Dec 13 06:58:20 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

EPEL installation:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Nagios NRPE RPM Installation:
nrpe.x86_64                            2.14-5.el6                          @epel

Nagios Core RPM Installation:
nagios.x86_64                      3.5.1-1.el6             @epel 

# diff nrpe.cfg nrpe.cfg.org 
81c81
< allowed_hosts=127.0.0.1,192.168.122.93
---
> allowed_hosts=127.0.0.1
138d137
< command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

# ll -Z /usr/lib64/nagios/plugins/check_log
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_log
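
An added example, not part of the original report: a small parser that pairs each AVC denial from the audit.log excerpt above with its SYSCALL record and merges the denials into the allow rule a local policy module would need. The function names are hypothetical, and the SYSCALL lines are shortened to the fields the code reads.

```python
import re
from collections import defaultdict

# Records from the report above; SYSCALL lines shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1389653788.715:23): avc:  denied  { read } for  pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 ppid=1239 pid=1240 comm="check_log" exe="/bin/bash"
type=AVC msg=audit(1389653788.724:24): avc:  denied  { open } for  pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 ppid=1240 pid=1246 comm="diff" exe="/usr/bin/diff"
"""

EVENT = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
AVC = re.compile(r'denied\s+\{ ([^}]+)\} for .*scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def parse_denials(text):
    """Pair each AVC denial with the SYSCALL record that shares its event id."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        if not (m := EVENT.match(line)):
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC" and (a := AVC.search(body)):
            avcs[event_id] = a.groups()
        elif rtype == "SYSCALL":
            syscalls[event_id] = {k: v.strip('"') for k, v in re.findall(r'(\w+)=(\S+)', body)}
    denials = []
    for event_id, (perms, scon, tcon, tclass) in avcs.items():
        sc = syscalls.get(event_id, {})
        denials.append({
            "perms": set(perms.split()),
            "source": scon.split(":")[2],  # type field of user:role:type:level
            "target": tcon.split(":")[2],
            "tclass": tclass,
            "exe": sc.get("exe"),
            # success=yes on a denied access: logged only, not blocked (permissive mode)
            "blocked": sc.get("success") == "no",
        })
    return denials

def candidate_rules(denials):
    """Merge denials into the allow rules a local policy module would need."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print(*candidate_rules(parse_denials(SAMPLE)), sep="\n")
```

The merged rule applies to every file labelled var_log_t, not only server.log, so review that scope before loading a module built from it.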

Comment 2 Fedora Update System 2017-07-03 20:55:02 UTC
nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 3 Fedora Update System 2017-07-06 02:48:34 UTC
nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0

Comment 4 Fedora Update System 2017-07-06 02:49:49 UTC
nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 5 Fedora Update System 2017-07-12 20:30:54 UTC
nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 6 Fedora Update System 2017-07-13 19:49:27 UTC
nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 7 Fedora Update System 2017-07-13 19:50:29 UTC
nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024

Comment 8 Fedora Update System 2017-07-13 21:21:21 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4

Comment 9 Fedora Update System 2017-07-13 21:23:41 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf

Comment 10 Fedora Update System 2017-07-13 23:53:50 UTC
nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc

Comment 11 Fedora Update System 2017-07-14 18:57:43 UTC
nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 12 Fedora Update System 2017-07-16 21:21:00 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 13 Fedora Update System 2017-07-23 04:18:23 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42

Comment 14 Fedora Update System 2017-07-23 04:22:54 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686

Comment 15 Fedora Update System 2017-07-23 21:50:56 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2017-08-03 15:52:33 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-08-09 15:22:32 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-08-09 19:56:49 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-10 06:19:51 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.