Bug 1123574

Summary: [SELinux] [RHSC] PNP4Nagios AVC denial - RHEL-7.2
Product: Red Hat Enterprise Linux 7
Reporter: Erinn Looney-Triggs <erinn.looneytriggs>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 7.0
CC: affix, jherrman, jkurik, jose.p.oliveira.oss, knarra, lemenkov, linux, lvrabec, mgrepl, mmalik, ondrejj, plautrba, pprakash, pvrabec, sgraf, shawn.starr, ssekidde, s
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-27.el7
Doc Type: Bug Fix
Doc Text: When running the Nagios application with the PNP4Nagios module, PNP4Nagios failed to load. With this update, the nagios_run_pnp4nagios Boolean has been introduced to allow Nagios to execute files in the /var/log/nagios/spool/checkresults directory, and PNP4Nagios now loads as expected.
Story Points: ---
Clone Of:
: 1230292 1238966
Environment:
Last Closed: 2015-11-19 10:22:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1169221, 1212796, 1230292, 1238966
Attachments: pnp4nagios avcs permissive (Flags: none)

Description Erinn Looney-Triggs 2014-07-26 19:07:20 UTC
Description of problem:
When running Nagios in conjunction with PNP4Nagios the following occurs:

node=example.com type=SYSCALL msg=audit(1406400987.278:12473): arch=c000003e syscall=9 success=yes exit=140132391223296 a0=0 a1=204190 a2=5 a3=802 items=0 ppid=27618 pid=27626 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
node=example.com type=AVC msg=audit(1406400987.278:12473): avc:  denied  { execute } for  pid=27626 comm="nagios" path="/var/log/nagios/spool/checkresults/nebmod3FcbjN" dev="dm-3" ino=50331818 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7_0.10.noarch


Needs: allow nagios_t nagios_log_t:file execute;

This causes the PNP4Nagios module to fail to load, and as such no pretty graphs.
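
How the rule on the "Needs:" line follows from the AVC record in the description, as an added example that is not part of the original report or of the selinux-policy project: a small parser that groups denials by source type, target type and class and prints allow rules in the format used in this bug. The second log line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC record from the description; line 2 is a
# constructed denial for the same source/target pair; line 3 is a non-AVC record.
SAMPLE_AUDIT_LOG = (
    'node=example.com type=AVC msg=audit(1406400987.278:12473): avc:  denied  { execute } '
    'for  pid=27626 comm="nagios" path="/var/log/nagios/spool/checkresults/nebmod3FcbjN" '
    'dev="dm-3" ino=50331818 scontext=system_u:system_r:nagios_t:s0 '
    'tcontext=system_u:object_r:nagios_log_t:s0 tclass=file\n'
    'node=example.com type=AVC msg=audit(1406400990.101:12480): avc:  denied  { read open } '
    'for  pid=27630 comm="nagios" scontext=system_u:system_r:nagios_t:s0 '
    'tcontext=system_u:object_r:nagios_log_t:s0 tclass=file\n'
    'node=example.com type=SYSCALL msg=audit(1406400987.278:12473): arch=c000003e syscall=9 '
    'success=yes comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def to_allow_rules(denials):
    """Render one allow rule per key; multiple permissions are braced and sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perm_text = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in to_allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```
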

Comment 2 Miroslav Grepl 2014-09-01 10:39:38 UTC
Does this executable need to be located in /var/log?

Comment 3 Stanislav Graf 2015-04-20 07:44:49 UTC
Created attachment 1016249
pnp4nagios avcs permissive

Comment 4 Stanislav Graf 2015-04-20 07:46:40 UTC
We see the issue also on RHEL6 with selinux-policy-3.7.19-260.el6_6.2, see attachment 1016249 for avcs in permissive mode.

Comment 19 Milos Malik 2015-06-12 13:46:25 UTC
# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-27.el7.noarch
selinux-policy-sandbox-3.13.1-27.el7.noarch
selinux-policy-minimum-3.13.1-27.el7.noarch
selinux-policy-targeted-3.13.1-27.el7.noarch
selinux-policy-doc-3.13.1-27.el7.noarch
selinux-policy-3.13.1-27.el7.noarch
selinux-policy-devel-3.13.1-27.el7.noarch
# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -D

# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -A

#

Comment 20 RamaKasturi 2015-06-15 07:13:43 UTC
Hi Milos,

I am seeing another AVC with Nagios on RHEL 7.1. Here is the AVC.

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= nrpe_t ==============
allow nrpe_t device_t:sock_file write;



Attached the logs in the link below.

http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1123574/

Comment 21 Milos Malik 2015-06-15 07:35:11 UTC
Please install selinux-policy-3.13.1-27.el7. It fixes a regression introduced by selinux-policy-3.13.1-26.el7 (BZ#1230932).

Comment 25 Stanislav Graf 2015-06-24 19:21:57 UTC
I've retested today with
selinux-policy-targeted-3.13.1-29.el7.noarch

All works as expected. I saw one new nrpe related issue on one of RHEL6 nodes, created Bug 1235405.

I had the following boolean status on the Nagios server node:
nagios_run_pnp4nagios --> on
nagios_run_sudo --> on

and the following on the monitored node:
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on

Comment 31 errata-xmlrpc 2015-11-19 10:22:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html