Bug 1240793

Summary: The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo
Product: Red Hat Enterprise Linux 6
Reporter: Adam Tkac <vonsch>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 6.6
CC: cww, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sreber, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-282.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 19:58:42 UTC
Type: Bug
Bug Blocks: 1172231

Description Adam Tkac 2015-07-07 18:43:47 UTC
Description of problem:
The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo. Previously (selinux-policy-targeted-3.7.19-260.el6_6.3), the nrpe_t domain could exec sudo. With the new selinux-policy-targeted, nrpe_t can exec sudo only when the nagios_run_sudo boolean is on. Please note that this boolean didn't exist in previous policies.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-260.el6_6.5

How reproducible:
always

Steps to Reproduce:
1. install selinux-policy-targeted-3.7.19-260.el6_6.3
2. check that nrpe_t domain can exec sudo_exec_t domain without additional settings
3. update to selinux-policy-targeted-3.7.19-260.el6_6.5
4. check that you must set nagios_run_sudo boolean before nrpe_t domain can exec sudo_exec_t

Actual results:
You must set the nagios_run_sudo boolean to "on" when your nrpe scripts exec sudo. This is a change from the previous selinux-policy-targeted-3.7.19-260.el6_6.3, where no additional setting was needed.

Expected results:
I'm not sure if setting the new boolean is expected behavior, but I would expect such a change, if intentional, in the next minor RHEL release, not in an async update.
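
The regression described above shows up in the audit log as AVC denials from nrpe_t against sudo_exec_t. The following is an added triage example, not part of the original report or of the selinux-policy project: it parses audit records and counts those denials per command. The log lines, plugin name `check_raid`, and the specific denied permission are constructed samples and assumptions.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1436294627.101:501): avc:  denied  { execute } for  pid=2101 comm="check_raid" name="sudo" dev=dm-0 ino=131090 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1436294687.220:502): avc:  denied  { execute } for  pid=2144 comm="check_raid" name="sudo" dev=dm-0 ino=131090 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1436294700.007:503): avc:  denied  { read } for  pid=2150 comm="httpd" name="secret" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1436294700.007:503): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Matches the fields of an AVC denial that matter for this triage.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or ''."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def nrpe_sudo_denials(log_text, source="nrpe_t", target="sudo_exec_t"):
    """Count denied file permissions per (comm, perm) for source -> target."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "file":
            continue  # not an AVC denial on a file object
        if selinux_type(m["scontext"]) != source:
            continue
        if selinux_type(m["tcontext"]) != target:
            continue
        for perm in m["perms"].split():
            hits[(m["comm"], perm)] += 1
    return hits


if __name__ == "__main__":
    for (comm, perm), n in sorted(nrpe_sudo_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n}x nrpe_t denied {perm} on sudo_exec_t (comm={comm}); "
              "check: getsebool nagios_run_sudo")
```

On a real host the input would be the contents of the audit log; a non-empty result after the policy update points at the nagios_run_sudo boolean named in the report.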

Comment 10 errata-xmlrpc 2016-05-10 19:58:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html