Bug 1123574
| Field | Value |
|---|---|
| Summary | [SELinux] [RHSC] PNP4Nagios AVC denial - RHEL-7.2 |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.0 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Reporter | Erinn Looney-Triggs <erinn.looneytriggs> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | affix, jherrman, jkurik, jose.p.oliveira.oss, knarra, lemenkov, linux, lvrabec, mgrepl, mmalik, ondrejj, plautrba, pprakash, pvrabec, sgraf, shawn.starr, ssekidde, s |
| Target Milestone | rc |
| Keywords | ZStream |
| Fixed In Version | selinux-policy-3.13.1-27.el7 |
| Doc Type | Bug Fix |
| Doc Text | When running the Nagios application with the PNP4Nagios module, PNP4Nagios failed to load. With this update, the nagios_run_pnp4nagios Boolean has been introduced to allow Nagios to execute files in the /var/log/nagios/spool/checkresults directory, and PNP4Nagios now loads as expected. |
| | 1230292 1238966 |
| Last Closed | 2015-11-19 10:22:27 UTC |
| Type | Bug |
| Bug Blocks | 1169221, 1212796, 1230292, 1238966 |

Description
Erinn Looney-Triggs
2014-07-26 19:07:20 UTC
Does this executable need to be located in /var/log?

Created attachment 1016249
pnp4nagios avcs permissive

We see the issue also on RHEL6 with selinux-policy-3.7.19-260.el6_6.2, see attachment 1016249 for avcs in permissive mode.

```
# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-27.el7.noarch
selinux-policy-sandbox-3.13.1-27.el7.noarch
selinux-policy-minimum-3.13.1-27.el7.noarch
selinux-policy-targeted-3.13.1-27.el7.noarch
selinux-policy-doc-3.13.1-27.el7.noarch
selinux-policy-3.13.1-27.el7.noarch
selinux-policy-devel-3.13.1-27.el7.noarch
# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -D
# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -A
#
```

Hi Milos, I am seeing another avc with nagios on RHEL 7.1. Here is the avc.

```
#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= nrpe_t ==============
allow nrpe_t device_t:sock_file write;
```

Attached the logs in the link below.
http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1123574/

Please install selinux-policy-3.13.1-27.el7. It fixes a regression introduced by selinux-policy-3.13.1-26.el7 (BZ#1230932).

I've retested today with selinux-policy-targeted-3.13.1-29.el7.noarch. All works as expected. I saw one new nrpe related issue on one of RHEL6 nodes, created Bug 1235405.

I had following booleans status on nagios server node:

```
nagios_run_pnp4nagios --> on
nagios_run_sudo --> on
```

and following on monitored node:

```
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-2300.html
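
A check for the fix this report describes, added here as an example and not taken from the thread or from Red Hat: it classifies a Nagios server by installed selinux-policy build and by the state of the nagios_run_pnp4nagios boolean. The function names are hypothetical, `sort -V` is assumed to be an adequate stand-in for RPM version comparison, and the sample boolean listings are constructed from the states quoted above.

```bash
#!/usr/bin/env bash
# Added example, not from the bug thread. Function names are hypothetical.
FIXED_VR="3.13.1-27.el7"            # "Fixed In Version" from this bug
BOOLEAN="nagios_run_pnp4nagios"     # boolean introduced by the fix

# Boolean states as quoted in the thread (constructed here as sample input).
SERVER_BOOLS='nagios_run_pnp4nagios --> on
nagios_run_sudo --> on'
NODE_BOOLS='nagios_run_pnp4nagios --> off
nagios_run_sudo --> on'

# Succeed if version-release $1 is at least FIXED_VR.
# Assumption: GNU `sort -V` stands in for RPM's own version comparison.
policy_has_fix() {
    [ "$(printf '%s\n%s\n' "$FIXED_VR" "$1" | sort -V | head -n 1)" = "$FIXED_VR" ]
}

# Read `getsebool -a` style lines on stdin; print on, off, or missing for $1.
boolean_state() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3; found = 1 }
                   END { if (!found) print "missing" }'
}

# Classify a Nagios server: $1 = installed version-release, $2 = boolean listing.
assess() {
    if ! policy_has_fix "$1"; then
        echo "update-policy"        # the boolean was introduced by the fixed build
        return 0
    fi
    case "$(printf '%s\n' "$2" | boolean_state "$BOOLEAN")" in
        on)  echo "ok" ;;
        off) echo "enable-boolean" ;;   # setsebool -P nagios_run_pnp4nagios on
        *)   echo "boolean-missing" ;;
    esac
}

# Live check on the local host: run the script with --live.
if [ "${1:-}" = "--live" ]; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy)
    assess "$vr" "$(getsebool -a)"
fi
```

The `enable-boolean` result applies to the host that runs PNP4Nagios; in the retest above the monitored node worked with the boolean off.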