Bug 1198436

Summary: [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7
Product: Red Hat Enterprise Linux 6
Reporter: Timothy Asir <tjeyasin>
Component: selinux-policy
Assignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 6.8
CC: dpati, dwalsh, jkurik, knarra, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, rcyriac, sabose, salmy, sgraf, ssekidde, tjeyasin
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-268.el6
Doc Type: Bug Fix
Story Points: ---
Clone Of:
: 1222493 (view as bug list)
Last Closed: 2015-07-22 07:12:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1169221, 1212796, 1222493
Attachments:
  avc from gluster server (nagios client) (flags: none)
  avc from nagios server (flags: none)
  avc from gluster server (nagios client) permissive (flags: none)
  avc from nagios server permissive (flags: none)

Description Timothy Asir 2015-03-04 06:53:43 UTC
Description of problem:
Selinux blocks gluster-nagios plugins in the nagios server.

How reproducible:
Always

Steps to Reproduce:
1) Install gluster nagios server and add a few glusterfs nodes and configure
manually or using the auto discovery script in an SELinux-enabled system.
   One can use the following steps to quickly create the environment.
    i) Install gluster-nagios-common and nagios-server-addons in nagios-server
   ii) Add nagios server ip address into allowed_host entry in every
       gluster node(s) in /etc/nagios/nrpe.cfg
2) Create a few gluster volumes in the nodes
3) Configure the plugins. One can run the auto discovery script to configure
   automatically. Script file: /usr/lib64/nagios/plugins/gluster/discovery.py
4) Check for Volume Status and Volume Utilization

Actual results:
Status information of the plugin services shows null. 

Expected results:
It should display the actual status and utilization of the volume.

Additional info:
It works when we enable the selinux policy in the server as follows:

module mypol 1.0;

require {
        type nagios_log_t;
        type hostname_exec_t;
        type glusterd_t;
        type glusterd_var_lib_t;
        type nagios_t;
        type tmp_t;
        type logrotate_t;
        type nrpe_t;
        type sudo_exec_t;
        type virt_cache_t;
        class dir read;
        class key { write setattr };
        class file { execute getattr execute_no_trans };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

#!!!! This avc is allowed in the current policy
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };

#============= logrotate_t ==============
allow logrotate_t virt_cache_t:dir read;

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;

#!!!! This avc is allowed in the current policy
allow nagios_t sudo_exec_t:file getattr;

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };
allow nrpe_t tmp_t:dir read;

Comment 2 Milos Malik 2015-03-10 10:28:27 UTC
Could you provide the list of denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 4 Miroslav Grepl 2015-04-03 09:31:56 UTC
What does

$ matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py

return on your system?

Comment 5 Miroslav Grepl 2015-04-03 09:32:10 UTC
*** Bug 1198439 has been marked as a duplicate of this bug. ***

Comment 6 Stanislav Graf 2015-04-03 10:50:37 UTC
Created attachment 1010595 [details]
avc from gluster server (nagios client)

Comment 7 Stanislav Graf 2015-04-03 10:51:04 UTC
Created attachment 1010596 [details]
avc from nagios server

Comment 8 Stanislav Graf 2015-04-03 10:52:54 UTC
gluster server
--------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

nagios server
-------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Comment 9 Miroslav Grepl 2015-04-12 09:21:36 UTC
Could you please add AVC msgs from permissive mode?

Comment 10 Miroslav Grepl 2015-04-12 09:23:28 UTC
Also, could we label

/var/lib/glusterd/hooks/1/set/post/S30samba-set.sh

as bin_t?

Is /var/lib/glusterd/hooks writeable by glusterd?

Comment 11 Sahina Bose 2015-04-17 06:33:32 UTC
/var/lib/glusterd/hooks/ - is not related to the gluster-nagios rpms, but glusterfs rpms. So this is mostly part of a different bug?

Comment 12 Stanislav Graf 2015-04-20 07:28:37 UTC
Created attachment 1016244 [details]
avc from gluster server (nagios client) permissive

Comment 13 Stanislav Graf 2015-04-20 07:29:07 UTC
Created attachment 1016245 [details]
avc from nagios server permissive

Comment 14 Stanislav Graf 2015-04-20 07:31:25 UTC
avc from gluster server (nagios client) permissive
--------------------------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };

avc from nagios server permissive
---------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;
allow nagios_t self:capability { sys_resource sys_ptrace audit_write };
allow nagios_t self:key write;
allow nagios_t self:netlink_audit_socket { nlmsg_relay create };
allow nagios_t self:process { setsched setrlimit };
allow nagios_t sudo_exec_t:file { read getattr open execute execute_no_trans };
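The allow rules above are what audit2allow derives by grouping raw denials by source type, target type and object class, and by writing `self` where the source and target contexts share a type. The script below is an added example, not code from this bug or from audit2allow itself: it reproduces that grouping over a few constructed `ausearch -i` style records (constructed for illustration, not the attached AVC logs). Seeing the collapsed rule next to the denial it came from helps when reviewing such output before deciding between a relabel, a boolean, or a local policy module.

```python
import re
from collections import OrderedDict

# Constructed sample records shaped like `ausearch -m avc -i` output.
# They are illustrative only and are NOT the attachments from this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(04/20/2015 09:12:01.101:4001) : avc:  denied  { write } for  pid=2101 comm=sudo scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=key
type=AVC msg=audit(04/20/2015 09:12:01.102:4002) : avc:  denied  { sys_resource } for  pid=2101 comm=sudo capability=24 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(04/20/2015 09:12:01.103:4003) : avc:  denied  { audit_write } for  pid=2101 comm=sudo capability=29 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(04/20/2015 09:12:01.104:4004) : avc:  denied  { read open execute } for  pid=2101 comm=check_vol name=sudo dev=dm-0 ino=131 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(04/20/2015 09:12:02.001:4005) : avc:  denied  { setattr } for  pid=3300 comm=sudo scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=key
type=AVC msg=audit(04/20/2015 09:12:02.002:4006) : avc:  denied  { write } for  pid=3300 comm=sudo scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=key
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, [perms]) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (or not an AVC at all)
        yield (context_type(m.group("scon")),
               context_type(m.group("tcon")),
               m.group("tclass"),
               m.group("perms").split())


def summarize(text):
    """Collapse denials the way audit2allow presents them: one entry per
    (source, target, class) with the permissions unioned, and 'self' as the
    target when source and target contexts carry the same type."""
    rules = OrderedDict()
    for stype, ttype, tclass, perms in parse_avcs(text):
        target = "self" if stype == ttype else ttype
        rules.setdefault((stype, target, tclass), set()).update(perms)
    return rules


def format_rules(rules):
    """Render the summary as policy-language allow statements, grouped by
    source type under the same banner line audit2allow prints."""
    lines = []
    for stype in sorted({key[0] for key in rules}):
        lines.append("#============= %s ==============" % stype)
        for (src, target, tclass), perms in rules.items():
            if src != stype:
                continue
            ordered = sorted(perms)
            perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
            lines.append("allow %s %s:%s %s;" % (src, target, tclass, perm_str))
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed real data with:  ausearch -m avc -i -ts today | python this_script.py
    print(format_rules(summarize(SAMPLE_AVCS)))
```

The `self` rule for `nagios_t ... key write` and the `sudo_exec_t:file` rule are the two shapes worth telling apart when reading the attachments: the first is the process acting on its own keyring, the second is the monitoring domain executing a binary labeled for a different purpose, which is the kind of rule that points at labeling or at a boolean rather than at a blanket allow.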

Comment 15 Milos Malik 2015-04-20 08:58:52 UTC
We changed the label on the following files and the problem (nrpe executes a script and the script executes sudo which generates AVCs) went away:

# cd /usr/lib64/nagios/plugins
# chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Comment 16 Miroslav Grepl 2015-04-22 09:15:13 UTC
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Ok are these scripts called by nagios by default?

Comment 17 Miroslav Grepl 2015-04-22 12:51:38 UTC
Ok we have

/usr/lib/nagios/plugins/negate   -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/urlize   -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
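The `--` in those lines is the .fc file's regular-file specifier, and the policy writes `/usr/lib/...` because on lib64 hosts the file_contexts path substitution folds `/usr/lib64` onto `/usr/lib` before a path is matched, which is why comment 8 shows the lib64 path and comment 17 the lib one. The checker below is an added example, not selinux-policy code, and a simplification of what `restorecon -nv` does: it parses a constructed .fc excerpt (the bin_t lines mirror comment 17; the directory-wide line is an assumed stand-in for whatever labels discovery.py as nagios_unconfined_plugin_exec_t), parses constructed `ls -Z` output, applies an assumed `/usr/lib64 -> /usr/lib` substitution, picks the most specific matching spec, and reports files whose on-disk type differs. A manual chcon like the one in comment 15 shows up as exactly that kind of drift.

```python
import re

# Constructed excerpt in selinux-policy .fc syntax. The per-file bin_t lines mirror
# comment 17; the first, directory-wide line is an ASSUMPTION standing in for the rule
# that labels plugins such as discovery.py as nagios_unconfined_plugin_exec_t.
FILE_CONTEXTS = r"""
/usr/lib/nagios/plugins(/.*)?            gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
/usr/lib/nagios/plugins/negate     --    gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/urlize     --    gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils\.sh  --    gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils\.pm  --    gen_context(system_u:object_r:bin_t,s0)
"""

# Constructed `ls -Z` output (RHEL 6 column order: mode user group context path)
# for a host where the chcon from comment 15 has been applied.
LS_Z = """\
-rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/negate
-rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/urlize
-rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/utils.sh
-rw-r--r--. root root system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/utils.pm
-rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/gluster/discovery.py
"""

# Path substitutions applied before matching, in the spirit of file_contexts.subs_dist.
# ASSUMED here; the real list lives under /etc/selinux/targeted/contexts/files/ on the host.
SUBS = {"/usr/lib64": "/usr/lib"}

# pattern, optional file-type specifier (-- regular file, -d directory, ...), gen_context(ctx, mls)
FC_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),\s*\S+\)\s*$")


def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_type_spec, expected_type) from .fc lines."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_RE.match(line)
        if not m:
            raise ValueError("unparsed file_contexts line: " + line)
        pattern, ftype, ctx = m.groups()
        specs.append((re.compile("^" + pattern + "$"), ftype, ctx.split(":")[2]))
    return specs


def expected_type(specs, path, mode):
    """Most-specific matching spec wins (approximated by pattern length, later spec on
    ties); a '--' spec only applies to regular files, i.e. an ls mode starting with '-'."""
    for prefix, replacement in SUBS.items():
        if path.startswith(prefix + "/"):
            path = replacement + path[len(prefix):]
    best = None
    for rx, ftype, typ in specs:
        if ftype == "--" and not mode.startswith("-"):
            continue
        if rx.match(path) and (best is None or len(rx.pattern) >= len(best[0].pattern)):
            best = (rx, typ)
    return best[1] if best else None


def find_mislabeled(fc_text, ls_text):
    """Return [(path, actual_type, expected_type)] for every file whose on-disk
    label differs from what the file_contexts excerpt says it should carry."""
    specs = parse_file_contexts(fc_text)
    drift = []
    for line in ls_text.splitlines():
        mode, _user, _group, ctx, path = line.split(None, 4)
        actual = ctx.split(":")[2]
        expected = expected_type(specs, path, mode)
        if expected is not None and actual != expected:
            drift.append((path, actual, expected))
    return drift


if __name__ == "__main__":
    for path, actual, expected in find_mislabeled(FILE_CONTEXTS, LS_Z):
        print("%s: is %s, policy says %s" % (path, actual, expected))
```

On a real host the same comparison is what `restorecon -nv /usr/lib64/nagios/plugins` prints, and a file that keeps reappearing in that output after a policy update is a sign that something relabels it by hand, which is the situation comment 19 warns about.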

Comment 18 Milos Malik 2015-04-22 14:58:49 UTC
Additional information to comment #10:

# ls -l /var/lib/glusterd/hooks/1/set/post/
total 12
-rwxr--r--. 1 root root 4010 Mar 18 12:32 S30samba-set.sh
-rwxr--r--. 1 root root 7927 Mar 18 12:32 S31ganesha-set.sh
# rpm -qf /var/lib/glusterd/hooks/1/set/post/*
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
#

Comment 19 Miroslav Grepl 2015-05-13 14:57:56 UTC
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Not sure if it is a correct solution. These scripts are not plugins.

We probably will need to add 

nagios_run_sudo

boolean.

Comment 22 Miroslav Grepl 2015-05-19 10:28:19 UTC
commit 4b8ebda67993924d12bd39131846124ac67bef61
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:19:41 2015 +0200

    Update nagios_run_sudo boolean to allow run chkpwd.

Comment 23 Miroslav Grepl 2015-05-19 13:26:15 UTC
Could you please test it with

https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment 26 Stanislav Graf 2015-05-21 09:55:06 UTC
Retested both Bug 1198436 and Bug 1113481.

I had the following configuration on the Nagios server and client / monitored node:
# getenforce
Enforcing
# getsebool nagios_run_sudo
nagios_run_sudo --> on
# rpm -qa 'selinux-policy*'
selinux-policy-targeted-3.7.19-268.el6.noarch
selinux-policy-3.7.19-268.el6.noarch

All works as expected. This selinux-policy build (together with the nagios_run_sudo boolean) fixes the issue for the RH-Gluster + Nagios use case.

To accommodate the new SELinux boolean in our workflow, I've created Bug 1223710.

Comment 29 errata-xmlrpc 2015-07-22 07:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html