Bug 1231702
| Summary: | [SELinux] [Nagios] Nagios syslogd_t avc's seen in RHEL-6.7 and RHEL-7.1 | |||
|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Stanislav Graf <sgraf> | |
| Component: | gluster-nagios-addons | Assignee: | Ramesh N <rnachimu> | |
| Status: | CLOSED ERRATA | QA Contact: | Stanislav Graf <sgraf> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | rhgs-3.1 | CC: | jherrman, kmayilsa, knarra, mattdm, mgrepl, pprakash, rcyriac, rnachimu, sabose, sgraf, vagarwal | |
| Target Milestone: | --- | |||
| Target Release: | RHGS 3.1.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-279.el6 / selinux-policy-3.13.1-31.el7 | Doc Type: | Bug Fix | |
| Doc Text: |
On Gluster nodes monitored by the Nagios application, the syslogd utility was not able to run Nagios plug-ins. This update introduces a new Boolean called logging_syslogd_run_nagios_plugins, which enables syslogd to run such plug-ins properly.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1233547 1233550 (view as bug list) | Environment: | ||
| Last Closed: | 2015-07-29 05:33:32 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1238963 | |||
| Bug Blocks: | 1202842, 1212796, 1233547 | |||
|
Description
Stanislav Graf
2015-06-15 09:21:29 UTC
Is there a rsyslog plugin module which executes nagios plugins? Sahina, could you please answer the question in comment 2? There's an omprog rsyslog plugin, which monitors the log entries and calls the nsca plugin of nagios Stanislav, What's the question in Comment 6? Miroslav, Has there been any fix regarding this AVC in selinux-policy-targeted-3.7.19-278? Stanislav, I've cloned this BZ against RHEL-6.7 [1] and RHEL-7.1 [2] for getting the fixes in RHEL and Milos has already provided a possible local policy module in those BZ's which fixes the reported issue. Could you please check if that helped and confirm back in the corresponding BZ's? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1233547 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1233550 Do we ship Nagios in RHEL6 and/or RHEL7 as part of RHGS? or RHEL6/7 Base? Nagios is shipped for RHEL6 and RHEL7 in RHGS channel, the nagios package is from LPC. So, looks like the selinux policy needs to be added to the nagios pkg that goes into RHGS RHEL6/7 channel. This bug can be verified only after the required bug bz#1233550 is verified. Prasant: Can u check with the RHEL-7 team regarding the availability of the fix in RHEL7.1 z stream?. (In reply to Ramesh N from comment #17) > This bug can be verified only after the required bug bz#1233550 is verified. > Prasant: Can u check with the RHEL-7 team regarding the availability of the > fix in RHEL7.1 z stream?. As per https://bugzilla.redhat.com/show_bug.cgi?id=1233550#c5, I see that the fix given by SELinux team is already confirmed as Fixed and verified. Since the BZ is currently in Modified state, you might soon get an official build having the fix. Once you get that, you can move this downstream BZ to ON_QA with that FIV for QE to verify. Once the above BZ's are tested and Verified, I'll be requesting for a RHEL-7.1.Z clone of the RHEL BZ. Hope that explains. Fixed In Version: selinux-policy-3.7.19-279.el6 → selinux-policy-3.7.19-279.el6 / selinux-policy-3.13.1-23.el7_1.9 selinux-policy-3.13.1-23.el7_1.9 doesn't have required logging_syslogd_run_nagios_plugin boolean. --> ASSIGNED Required Sebool is not yet available in RHEL7.1. Setting the dependency to correct RHEL7.1 bugs. required sebool is available in RHEL7.2 build 'selinux-policy-3.13.1-31.el7'. Moving this bug to ON_QA with 7.2 build. Fixed In Version: selinux-policy-3.7.19-279.el6 / selinux-policy-3.13.1-31.el7 Tested: selinux-policy-targeted-3.7.19-279.el6.noarch logging_syslogd_run_nagios_plugins nagios_run_sudo selinux-policy-targeted-3.13.1-31.el7.noarch logging_syslogd_run_nagios_plugins nagios_run_pnp4nagios nagios_run_sudo Above selinux-policy builds with enable boolean logging_syslogd_run_nagios_plugins fixes AVCs mentioned in Comment 0. --> VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-1494.html Hi Matthew, I have now made that public. Can you please check it out? Thanks kasturi |