Bug 1277718
Summary: | SELinux is preventing nrpe plugins from executing | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | James <james.cuzella> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.1 | CC: | james.cuzella, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.13.1-152.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 15:10:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1377248 | | |

Description
James
2015-11-03 22:10:45 UTC
selinux-policy package ships with file_contexts for the /usr/lib/nagios/plugins/* location:

$ sudo grep -rin '/usr/lib/nagios/plugins/' /etc/selinux
Binary file /etc/selinux/targeted/contexts/files/file_contexts.bin matches
/etc/selinux/targeted/contexts/files/file_contexts:2413:/usr/lib/nagios/plugins/.* -- system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2678:/usr/lib/nagios/plugins/utils.sh -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2679:/usr/lib/nagios/plugins/utils.pm -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2820:/usr/lib/nagios/plugins/check_ntp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2846:/usr/lib/nagios/plugins/check_snmp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2891:/usr/lib/nagios/plugins/eventhandlers(/.*) system_u:object_r:nagios_eventhandler_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5388:/usr/lib/nagios/plugins/negate -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5389:/usr/lib/nagios/plugins/urlize -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5503:/usr/lib/nagios/plugins/check_nt -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5543:/usr/lib/nagios/plugins/check_log -- system_u:object_r:nagios_system_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5544:/usr/lib/nagios/plugins/check_dig -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5545:/usr/lib/nagios/plugins/check_dns -- system_u:object_r:nagios_services_plugin_exec_t:s0

The NRPE plugins x86_64 packages ship check plugin executables in: /usr/lib64/nagios/plugins (

$ ls -ld /usr/lib64/nagios/plugins
drwxrwxr-x. 2 root root 4096 Nov 2 22:56 /usr/lib64/nagios/plugins
$ ls -ld /usr/lib/nagios/plugins
ls: cannot access /usr/lib/nagios/plugins: No such file or directory
$ rpm -ql nagios-plugins-nrpe | grep check
/usr/lib64/nagios/plugins/check_nrpe
$ rpm -ql nagios-plugins-disk
/usr/lib64/nagios/plugins/check_disk
$ rpm -ql nagios-plugins-mailq
/usr/lib64/nagios/plugins/check_mailq
$ rpm -ql nagios-plugins-ssh
/usr/lib64/nagios/plugins/check_ssh

# All the rest of the plugins only exist in /usr/lib64:
$ rpm -qR nagios-plugins-nrpe | xargs rpm -ql | grep '\/usr\/lib'
/usr/lib64/nagios/plugins/negate
/usr/lib64/nagios/plugins/urlize
/usr/lib64/nagios/plugins/utils.sh
$ rpm -qR nagios-plugins-all | xargs rpm -ql | grep -c '\/usr\/lib\/'
0
$ rpm -qR nagios-plugins-all | xargs rpm -ql | grep -c '\/usr\/lib64\/'
62

Just realized that the selinux-policy-targeted package owns the file: "/etc/selinux/targeted/modules/active/file_contexts"

Package version of selinux-policy-targeted:

$ rpm -qf /etc/selinux/targeted/modules/active/file_contexts
selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
$ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}" selinux-policy-targeted
updates selinux-policy-targeted-3.13.1-23.el7_1.18.noarch

It's too late for RHEL-7.2.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
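
An added example, not part of the bug report or of selinux-policy: a simplified Python model of how a file_contexts lookup picks a label for a regular file, run over a few spec lines copied from the grep output above. It shows the label a `/usr/lib64` plugin path gets with and without a path substitution applied first. Assumptions: the matching order is a simplification of libselinux's behaviour, and the `/usr/lib64` to `/usr/lib` pair is a constructed sample of the kind of rule kept in `file_contexts.subs_dist`.

```python
import re

# Constructed sample: spec lines copied from the grep output in the report
# (path regex, optional file-type field, security context).
SPECS = """\
/usr/lib/nagios/plugins/.* -- system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/usr/lib/nagios/plugins/utils.sh -- system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/check_ntp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/usr/lib/nagios/plugins/check_nt -- system_u:object_r:nagios_services_plugin_exec_t:s0
/usr/lib/nagios/plugins/check_log -- system_u:object_r:nagios_system_plugin_exec_t:s0
"""

# Characters that make a spec a regex rather than an exact path.
META = set(".^$?*+|[({")


def parse_specs(text):
    """Return (regex, file_type, context, has_meta) tuples in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, context = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else None
        specs.append((regex, ftype, context, any(c in META for c in regex)))
    return specs


def lookup(path, specs, subs=()):
    """Label a regular file: apply prefix substitutions, then match specs."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            path = dst + path[len(src):]
            break
    # Simplified ordering (assumption): exact specs are tried before regex
    # specs, and within each group the entry latest in the file wins.
    ordered = sorted(enumerate(specs), key=lambda s: (s[1][3], -s[0]))
    for _, (regex, ftype, context, _meta) in ordered:
        # "--" restricts a spec to regular files; no type field means any.
        if ftype in (None, "--") and re.fullmatch(regex, path):
            return context
    return None  # no spec matched; the caller falls back to a default label
```

On a real host, `matchpathcon <path>` reports the label the installed policy would assign, and `ls -Z <path>` shows the label the file actually carries.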