Bug 1198436
| Field | Value |
|---|---|
| Summary | [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Timothy Asir <tjeyasin> |
| Component | selinux-policy |
| Assignee | Simon Sekidde <ssekidde> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 6.8 |
| CC | dpati, dwalsh, jkurik, knarra, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, rcyriac, sabose, salmy, sgraf, ssekidde, tjeyasin |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.7.19-268.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1222493 (view as bug list) |
| Environment | |
| Last Closed | 2015-07-22 07:12:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1169221, 1212796, 1222493 |
| Attachments | |
Description
Timothy Asir
2015-03-04 06:53:43 UTC

Comment:
Could you provide the list of denials?

```
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
```

What does `matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py` return on your system?

Comment:
*** Bug 1198439 has been marked as a duplicate of this bug. ***

Comment:
Created attachment 1010595 [details]
avc from gluster server (nagios client)

Comment:
Created attachment 1010596 [details]
avc from nagios server

Comment:
```
gluster server
--------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

nagios server
-------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
```

Comment:
Could you please add AVC msgs from permissive mode? Also, could we label /var/lib/glusterd/hooks/1/set/post/S30samba-set.sh as bin_t? Is /var/lib/glusterd/hooks writeable by glusterd?

Comment:
/var/lib/glusterd/hooks/ is not related to the gluster-nagios rpms, but to the glusterfs rpms. So this is mostly part of a different bug?

Comment:
Created attachment 1016244 [details]
avc from gluster server (nagios client) permissive

Comment:
Created attachment 1016245 [details]
avc from nagios server permissive

Comment (comment #10):
```
avc from gluster server (nagios client) permissive
--------------------------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };

avc from nagios server permissive
---------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;
allow nagios_t self:capability { sys_resource sys_ptrace audit_write };
allow nagios_t self:key write;
allow nagios_t self:netlink_audit_socket { nlmsg_relay create };
allow nagios_t self:process { setsched setrlimit };
allow nagios_t sudo_exec_t:file { read getattr open execute execute_no_trans };
```

Comment (Milos Malik, comment #15):
We changed the label on the following files and the problem (nrpe executes a script and the script executes sudo, which generates AVCs) went away:

```
# cd /usr/lib64/nagios/plugins
# chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh
```

Comment:
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
>
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Ok, are these scripts called by nagios by default?

Comment:
Ok, we have

```
/usr/lib/nagios/plugins/negate   -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/urlize   -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
```

Comment:
Additional information to comment #10:

```
# ls -l /var/lib/glusterd/hooks/1/set/post/
total 12
-rwxr--r--. 1 root root 4010 Mar 18 12:32 S30samba-set.sh
-rwxr--r--. 1 root root 7927 Mar 18 12:32 S31ganesha-set.sh
# rpm -qf /var/lib/glusterd/hooks/1/set/post/*
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
#
```

Comment:
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
>
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Not sure if it is a correct solution. These scripts are not plugins. We probably will need to add a nagios_run_sudo boolean.

Comment:
```
commit 4b8ebda67993924d12bd39131846124ac67bef61
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:19:41 2015 +0200

    Update nagios_run_sudo boolean to allow run chkpwd.
```

Could you please test it with https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment:
Retested both Bug 1198436 and Bug 1113481. I had the following configuration on the Nagios server and on the client / monitored node:

```
# getenforce
Enforcing
# getsebool nagios_run_sudo
nagios_run_sudo --> on
# rpm -qa 'selinux-policy*'
selinux-policy-targeted-3.7.19-268.el6.noarch
selinux-policy-3.7.19-268.el6.noarch
```

All works as expected.

Comment:
This selinux-policy build (together with the nagios_run_sudo boolean) fixes the issue for the RH-Gluster + Nagios use case. To accommodate the new SELinux boolean into our workflow, I've created Bug 1223710.

Comment:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html
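The thread's diagnostic step is `ausearch ... | audit2allow`, which folds raw AVC denial records into candidate `allow` rules, and the discussion then shows why those rules are a starting point rather than a policy to load: the `sudo_exec_t` denials were resolved with the `nagios_run_sudo` boolean and a label decision for `negate`/`urlize`/`utils.sh`, not by a local module. The following is an added example, not part of this bug report or of the selinux-policy project. It is a small Python reimplementation of audit2allow's grouping (one rule per source type, target type and class, `self` when both types match) over a few constructed AVC records in `ausearch -i` format, with made-up pids, inodes and timestamps chosen so that the result reproduces some of the rules posted in comment #10. The `needs_label_or_boolean_review` function is this example's own heuristic, not an audit2allow feature: it flags execute denials on file objects, the class of rule this bug ended up answering with a boolean and file contexts instead of an allow rule.

```python
import re
from collections import OrderedDict

# Constructed sample of `ausearch -m avc -m user_avc -i` output (interpreted
# form, so comm= and path= are unquoted). Values are invented for this example.
# The last record is a USER_AVC setenforce notice, not a denial, and must be ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/19/2015 10:01:02.111:201) : avc:  denied  { read } for  pid=2140 comm=check_gluster path=/usr/bin/sudo dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(05/19/2015 10:01:02.111:202) : avc:  denied  { getattr open } for  pid=2140 comm=check_gluster path=/usr/bin/sudo dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(05/19/2015 10:01:02.112:203) : avc:  denied  { execute execute_no_trans } for  pid=2140 comm=check_gluster path=/usr/bin/sudo dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(05/19/2015 10:01:02.120:204) : avc:  denied  { sys_resource } for  pid=2141 comm=sudo capability=24 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(05/19/2015 10:01:02.121:205) : avc:  denied  { sys_ptrace } for  pid=2141 comm=sudo capability=19 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(05/19/2015 10:01:02.122:206) : avc:  denied  { audit_write } for  pid=2141 comm=sudo capability=29 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(05/19/2015 10:01:03.005:207) : avc:  denied  { write setattr } for  pid=3310 comm=sudo scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=key
type=USER_AVC msg=audit(05/19/2015 10:01:03.100:208) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0) exe=/sbin/setenforce'
"""

# Matches only real denials; granted/notice records do not contain "denied { ... }".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a context: system_u:system_r:nagios_t:s0 -> nagios_t.
    Index 2 is still the type when an MLS range adds more ':' fields."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return [(source_type, target_type, tclass, [perms])] for each denial
    record in `text`; non-denial records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                        m["tclass"], m["perms"].split()))
    return denials


def aggregate(denials):
    """Merge denials audit2allow-style: one rule per (source, target, class),
    permissions deduplicated in first-seen order, 'self' when the source and
    target types are the same."""
    rules = OrderedDict()
    for src, tgt, cls, perms in denials:
        key = (src, "self" if src == tgt else tgt, cls)
        bucket = rules.setdefault(key, [])
        for perm in perms:
            if perm not in bucket:
                bucket.append(perm)
    return rules


def format_rules(rules):
    """Render the rules grouped per source domain with audit2allow's header line.
    Sorting by source type only is stable, so rule order inside a domain is kept."""
    lines, current = [], None
    for key in sorted(rules, key=lambda k: k[0]):
        src, tgt, cls = key
        perms = rules[key]
        if src != current:
            lines.append(f"#============= {src} ==============")
            current = src
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(lines)


def needs_label_or_boolean_review(rules):
    """Heuristic of this example (not audit2allow): an execute denial on a file
    usually means the binary's label or a policy boolean should be checked before
    any allow rule is written, as happened with sudo_exec_t in this bug."""
    return [key for key, perms in rules.items()
            if key[2] == "file" and ("execute" in perms or "execute_no_trans" in perms)]


if __name__ == "__main__":
    rules = aggregate(parse_avcs(SAMPLE_AVCS))
    print(format_rules(rules))
    for src, tgt, cls in needs_label_or_boolean_review(rules):
        print(f"# review label/boolean first: {src} executing {tgt}")
```

Real audit2allow may order permissions differently and emits `require` blocks when asked for a module; the point of the example is the grouping, and that an execute denial such as `nagios_t sudo_exec_t:file execute_no_trans` is a signal to look at file contexts and booleans (`matchpathcon`, `getsebool`) before loading any generated rule.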