Bug 1198439
| Summary: | [Gluster] Selinux blocks execution of gluster-nagios plugins in the glusterfs node | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Timothy Asir <tjeyasin> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.8 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, rcyriac, sabose, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-04-03 09:32:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1169221 | ||
*** This bug has been marked as a duplicate of bug 1198436 *** Hi Miroslav, This bug is to do with SELinux issues on the gluster node running the nrpe and nsca plugins, whereas Bug 1198436 is to do with issues on Nagios server. Would both these issues be fixed with the same policy? |
Description of problem: Selinux blocks execution of gluster-nagios plugins in the glusterfs node Steps to Reproduce: 1. In the gluster-nagios server and glusterfs nodes installed setup, create a gluster volume and set cluster.server-quorum-type to server 2. bring down one node and check for Cluster-Quorum passive check service status information. Actual results: Its just displays "OK" in an selinux enabled system. Expected results: It should display an appropriate message when all the nodes are down or some nodes or up. Additional info: type=AVC msg=audit(1425377014.260:527): avc: denied { name_connect } for pid=4416 comm="send_nsca" dest=5667 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1425377014.260:527): arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=7fffe7a9fdc0 a2=10 a3=1999999999999999 items=0 ppid=4407 pid=4416 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="send_nsca" exe="/usr/sbin/send_nsca" subj=system_u:system_r:syslogd_t:s0 key=(null) It works for us when we enable the selinux policy using the following selinux policy: module nsca 1.0; require { type syslogd_t; type port_t; class tcp_socket name_connect; } #============= syslogd_t ============== #!!!! This avc can be allowed using the boolean 'allow_ypbind' allow syslogd_t port_t:tcp_socket name_connect;