Bug 1210380

Summary: SELinux prevents check_mailq from executing postfix when run via NRPE
Product: [Fedora] Fedora EPEL
Reporter: Nils Breunese <nils>
Component: nagios-plugins
Assignee: Sam Kottler <s>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: cherdt, jose.p.oliveira.oss, lhh, linux, ondrejj, smooge, s
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nagios-plugins-2.2.1-3git.fc24 nagios-plugins-2.2.1-4git.fc26 nagios-plugins-2.2.1-4git.el7 nagios-plugins-2.2.1-3git.fc25 nagios-plugins-2.2.1-4git.el6
Doc Type: Bug Fix
Last Closed: 2017-07-23 21:51:03 UTC
Type: Bug

Description Nils Breunese 2015-04-09 14:47:15 UTC
Description of problem:

After upgrading to EL 7.1 I got the following AVC:

----
SELinux is preventing /usr/bin/perl from getattr access on the file /usr/sbin/postfix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed getattr access on the postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_mailq /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:postfix_master_exec_t:s0
Target Objects                /usr/sbin/postfix [ file ]
Source                        check_mailq
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          vs-repository-01.vpro.nl
Source RPM Packages           perl-5.16.3-285.el7.x86_64
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vs-repository-01.vpro.nl
Platform                      Linux vs-repository-01.vpro.nl
                             3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 27
                             03:04:26 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-04-09 16:14:36 CEST
Last Seen                     2015-04-09 16:14:36 CEST
Local ID                      e58747c1-bf32-4a38-812d-a3615a8f6f83

Raw Audit Messages
type=AVC msg=audit(1428588876.144:78): avc:  denied  { getattr } for  pid=12350 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1428588876.144:78): arch=x86_64 syscall=stat success=no exit=EACCES a0=1dcbe90 a1=1c82138 a2=1c82138 a3=48 items=0 ppid=12349 pid=12350 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=check_mailq exe=/usr/bin/perl subj=system_u:system_r:nagios_mail_plugin_t:s0 key=(null)

Hash: check_mailq,nagios_mail_plugin_t,postfix_master_exec_t,file,getattr
----

Version-Release number of selected component (if applicable):

nagios-plugins-mailq-2.0.1-1.el7.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Configure Nagios to run check_mailq on a remote host via NRPE

Actual results:

No SELinux AVC logged.

Expected results:

SELinux AVC logged, see description above.

Comment 1 Nils Breunese 2017-01-04 15:35:13 UTC
I just updated to nagios-plugins-mailq-2.1.4-2.el7.x86_64, but this problem still exists.

Comment 2 Nils Breunese 2017-01-04 15:38:00 UTC
Although now the SELinux AVC Alert mentions check_mailq instead of perl:

----
SELinux is preventing check_mailq from getattr access on the file /usr/sbin/postfix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_mailq should be allowed getattr access on the postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_mailq' --raw | audit2allow -M my-checkmailq
# semodule -i my-checkmailq.pp

Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:postfix_master_exec_t:s0
Target Objects                /usr/sbin/postfix [ file ]
Source                        check_mailq
Source Path                   check_mailq
Port                          <Unknown>
Host                          vs-monitoring-01.vpro.nl
Source RPM Packages           
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vs-monitoring-01.vpro.nl
Platform                      Linux vs-monitoring-01.vpro.nl
                             3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6
                             23:06:41 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-04 16:18:10 CET
Last Seen                     2017-01-04 16:18:10 CET
Local ID                      4a27230d-4889-4291-9ff7-8523505c5709

Raw Audit Messages
type=AVC msg=audit(1483543090.934:49177): avc:  denied  { getattr } for  pid=6453 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file


Hash: check_mailq,nagios_mail_plugin_t,postfix_master_exec_t,file,getattr
----

Comment 3 Stephen John Smoogen 2017-02-15 02:11:07 UTC
I am the new nagios maintainer. I am going to see what I can do about getting this looked at. Due to rules with selinux policies, I may only be able to ship rules in the rpm that could be added by the sysadmin. [The reason is that selinux policy is set in RHEL and not in the package.]

Comment 4 Fedora Update System 2017-07-03 20:54:53 UTC
nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 5 Fedora Update System 2017-07-06 02:48:30 UTC
nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0

Comment 6 Fedora Update System 2017-07-06 02:49:46 UTC
nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 7 Fedora Update System 2017-07-12 20:30:10 UTC
nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 8 Fedora Update System 2017-07-13 19:48:53 UTC
nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 9 Fedora Update System 2017-07-13 19:50:39 UTC
nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024

Comment 10 Fedora Update System 2017-07-13 21:21:29 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4

Comment 11 Fedora Update System 2017-07-13 21:23:48 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf

Comment 12 Fedora Update System 2017-07-13 23:53:57 UTC
nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc

Comment 13 Fedora Update System 2017-07-14 18:57:59 UTC
nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 14 Fedora Update System 2017-07-16 21:21:09 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 15 Fedora Update System 2017-07-23 04:18:02 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42

Comment 16 Fedora Update System 2017-07-23 04:23:01 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686

Comment 17 Fedora Update System 2017-07-23 21:51:03 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-08-03 15:52:41 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-09 15:22:41 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-08-09 19:56:58 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2017-08-10 06:19:32 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Chris Herdt 2018-01-03 20:38:40 UTC
This is still an issue with 2.2.1-4git.el7.

The check_mailq plugin is successful, but the AVC messages still appear in the audit logs:

type=AVC msg=audit(1515007542.005:533): avc:  denied  { getattr } for  pid=8715 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-0" ino=494570 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file
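
An added example, not part of the original report or of the nagios-plugins package: a small triage script that parses the three raw AVC records quoted in this report, reduces each to the same comma-separated form as the `Hash:` line in the alerts above, and prints the type-enforcement rule a local module would have to grant, so it can be reviewed before anything is loaded. The function names are hypothetical; the sample records are copied from this page.

```python
import re
from collections import Counter

# Raw AVC records copied from the description and comments 2 and 22 of this report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1428588876.144:78): avc:  denied  { getattr } for  pid=12350 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1483543090.934:49177): avc:  denied  { getattr } for  pid=6453 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1515007542.005:533): avc:  denied  { getattr } for  pid=8715 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-0" ino=494570 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level. The MLS level can itself contain ':'
    # (s0-s0:c0.c1023 in comment 22), so split at most three times.
    return context.split(":", 3)[2]

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "comm": fields.get("comm", "?"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": sorted(m.group("perms").split()),
    }

def denial_key(rec):
    # Same field order as the "Hash:" line of the alerts quoted in this report.
    return ",".join([rec["comm"], rec["source"], rec["target"], rec["tclass"], *rec["perms"]])

def allow_rule(rec):
    # The rule a local policy module would need in order to silence this denial.
    return "allow {source} {target}:{tclass} {{ {p} }};".format(p=" ".join(rec["perms"]), **rec)

def summarize(lines):
    recs = [r for r in map(parse_avc, lines) if r]
    counts = Counter(denial_key(r) for r in recs)
    return counts, sorted({allow_rule(r) for r in recs})

if __name__ == "__main__":
    counts, rules = summarize(SAMPLE_AVCS)
    for key, n in counts.items():
        print(f"{n}x {key}")
    print("\n".join(rules))
```

All three records, including the one whose source context carries an MLS range, collapse to a single denial and a single rule.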

Comment 23 Chris Herdt 2018-01-04 18:20:56 UTC
When I specify the MTA in the NRPE command definition, e.g.:

command[check_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5 -c 10 -M postfix

the AVC messages no longer appear in the audit logs.

Comment 24 Stephen John Smoogen 2018-01-04 19:50:02 UTC
What was the previous configuration? I don't see it listed in the ticket before (probably missing the obvious).