Bug 1210380
Summary: | SELinux prevents check_mailq from executing postfix when run via NRPE | ||
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Nils Breunese <nils> |
Component: | nagios-plugins | Assignee: | Sam Kottler <s> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | epel7 | CC: | cherdt, jose.p.oliveira.oss, lhh, linux, ondrejj, smooge, s |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | nagios-plugins-2.2.1-3git.fc24 nagios-plugins-2.2.1-4git.fc26 nagios-plugins-2.2.1-4git.el7 nagios-plugins-2.2.1-3git.fc25 nagios-plugins-2.2.1-4git.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-07-23 21:51:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nils Breunese
2015-04-09 14:47:15 UTC
I just updated to nagios-plugins-mailq-2.1.4-2.el7.x86_64, but this problem still exists. Although now the SELinux AVC Alert mentions check_mailq instead of perl: ---- SELinux is preventing check_mailq from getattr access on the file /usr/sbin/postfix. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that check_mailq should be allowed getattr access on the postfix file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'check_mailq' --raw | audit2allow -M my-checkmailq # semodule -i my-checkmailq.pp Additional Information: Source Context system_u:system_r:nagios_mail_plugin_t:s0 Target Context system_u:object_r:postfix_master_exec_t:s0 Target Objects /usr/sbin/postfix [ file ] Source check_mailq Source Path check_mailq Port <Unknown> Host vs-monitoring-01.vpro.nl Source RPM Packages Target RPM Packages postfix-2.10.1-6.el7.x86_64 Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name vs-monitoring-01.vpro.nl Platform Linux vs-monitoring-01.vpro.nl 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2017-01-04 16:18:10 CET Last Seen 2017-01-04 16:18:10 CET Local ID 4a27230d-4889-4291-9ff7-8523505c5709 Raw Audit Messages type=AVC msg=audit(1483543090.934:49177): avc: denied { getattr } for pid=6453 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file Hash: check_mailq,nagios_mail_plugin_t,postfix_master_exec_t,file,getattr ---- I am the new nagios maintainer. I am going to see what I can do about getting this looked at. Due to rules with selinux polices, I may only be able to ship rules in the rpm that could be added by the sysadmin. [The reason is that selinux policy is set in RHEL and not in the package.] nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30 nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0 nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30 nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9 nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9 nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024 nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4 nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3 nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3 nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42 nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686 nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. This is still an issue with 2.2.1-4git.el7. The check_mailq plugin is successful, but the AVC messages still appear in the audit logs: type=AVC msg=audit(1515007542.005:533): avc: denied { getattr } for pid=8715 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-0" ino=494570 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file When I specify the MTA in the NRPE command definition, e.g.: command[check_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5 -c 10 -M postfix the AVC messages no longer appear in the audit logs. What was the previous configuration.. I don't see it listed in the ticket before (probably missing the obvious). |