Bug 1201054
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [SELinux] [Nagios] SELinux blocks Nagios/NRPE plugins which use sudo - RHEL-7.2 | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | James Ralston <ralston> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 7.1 | CC | adam.winberg, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, sgraf, skremen, ssekidde, tjeyasin |
| Target Milestone | rc | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-26.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1230299 (view as bug list) | Environment | |
| Last Closed | 2015-11-19 10:28:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1169221, 1212796, 1230299 | | |

Description
James Ralston
2015-03-11 23:46:51 UTC
We rolled the following custom SELinux module to address these issues:

```
# Module name and version.
policy_module(nagios-local, 1.1.0)

# Type requires.
require {
    type nrpe_t;
    type sudo_exec_t;
}

# Permit NRPE to call sudo.
can_exec(nrpe_t, sudo_exec_t)

# Permit NRPE to send audit messages, via sudo.
allow nrpe_t self:capability { audit_write sys_ptrace };
allow nrpe_t self:netlink_audit_socket { create nlmsg_relay read write };
```
(We use this same policy module on both RHEL6 and RHEL7, so it's a superset of the permissions required on both.)
It would be really nice if you could fix the upstream policy, though, so we didn't have to resort to this work-around.
I would add a boolean for this. I believe that the following files should not be labeled bin_t:

/usr/lib64/nagios/plugins/negate
/usr/lib64/nagios/plugins/urlize
/usr/lib64/nagios/plugins/utils.sh

In reply to Miroslav in comment 3: adding a boolean seems perfectly reasonable to me, as I can imagine that only a subset of Nagios/NRPE users need to call NRPE plugins via sudo.

Any chance to test it with https://brewweb.devel.redhat.com/buildinfo?buildID=435085 ? We have some fixes but I am working on additional fixes now.

*** Bug 1230670 has been marked as a duplicate of this bug. ***

I've retested today with selinux-policy-targeted-3.13.1-29.el7.noarch. All works as expected. I saw one new nrpe-related issue on one of the RHEL6 nodes, created Bug 1235405. I had the following boolean status on the nagios server node:

nagios_run_pnp4nagios --> on
nagios_run_sudo --> on

and the following on the monitored node:

nagios_run_pnp4nagios --> off
nagios_run_sudo --> on

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
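An added example, not from the bug report or the selinux-policy package: a POSIX sh check for the two outcomes the thread settles on, the nagios_run_sudo boolean being on and the three plugin files Miroslav names no longer carrying bin_t. It works on captured `getsebool -a` and `ls -Z` output so it runs offline; the sample output and the function names are constructed for this example.

```shell
#!/bin/sh
# Verify the fix state of a host from captured command output. Replace the
# constructed samples with real `getsebool -a` and
# `ls -Z /usr/lib64/nagios/plugins` output from the host under review.

# Constructed sample of `getsebool -a` output (relevant lines only).
SAMPLE_BOOLS='nagios_run_pnp4nagios --> off
nagios_run_sudo --> on'

# Constructed sample of RHEL 7 `ls -Z` output (context, then path); the two
# bin_t entries are the mislabeling discussed in the report.
SAMPLE_LS='system_u:object_r:nagios_checkdisk_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_disk
system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/negate
system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/urlize
system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/utils.sh'

# bool_is_on GETSEBOOL_OUTPUT NAME: succeed only if NAME is reported "--> on".
bool_is_on() {
    printf '%s\n' "$1" | grep -q "^$2 --> on\$"
}

# mislabeled_plugins LS_Z_OUTPUT: print each of negate, urlize and utils.sh
# whose context type is bin_t, one path per line; prints nothing when clean.
mislabeled_plugins() {
    printf '%s\n' "$1" | awk '
        $1 ~ /:bin_t:/ && $2 ~ /\/(negate|urlize|utils\.sh)$/ { print $2 }'
}

# check_host GETSEBOOL_OUTPUT LS_Z_OUTPUT: report findings; succeed only if
# the boolean is on and no plugin is mislabeled.
check_host() {
    rc=0
    if bool_is_on "$1" nagios_run_sudo; then
        echo "ok: nagios_run_sudo is on"
    else
        echo "problem: nagios_run_sudo is off (setsebool -P nagios_run_sudo on)"
        rc=1
    fi
    bad=$(mislabeled_plugins "$2")
    if [ -n "$bad" ]; then
        echo "problem: plugins still labeled bin_t (relabel with restorecon -v):"
        echo "$bad"
        rc=1
    else
        echo "ok: no plugin is labeled bin_t"
    fi
    return $rc
}

check_host "$SAMPLE_BOOLS" "$SAMPLE_LS" || echo "sample host needs attention"
```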