Bug 1277718
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux is preventing nrpe plugins from executing | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | James <james.cuzella> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | james.cuzella, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-152.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 15:10:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1377248 | | |
selinux-policy package ships with file_contexts for the /usr/lib/nagios/plugins/* location:

```
$ sudo grep -rin '/usr/lib/nagios/plugins/' /etc/selinux
Binary file /etc/selinux/targeted/contexts/files/file_contexts.bin matches
/etc/selinux/targeted/contexts/files/file_contexts:2413:/usr/lib/nagios/plugins/.* -- system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2678:/usr/lib/nagios/plugins/utils.sh -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2679:/usr/lib/nagios/plugins/utils.pm -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2820:/usr/lib/nagios/plugins/check_ntp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2846:/usr/lib/nagios/plugins/check_snmp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:2891:/usr/lib/nagios/plugins/eventhandlers(/.*) system_u:object_r:nagios_eventhandler_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5388:/usr/lib/nagios/plugins/negate -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5389:/usr/lib/nagios/plugins/urlize -- system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5503:/usr/lib/nagios/plugins/check_nt -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5543:/usr/lib/nagios/plugins/check_log -- system_u:object_r:nagios_system_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5544:/usr/lib/nagios/plugins/check_dig -- system_u:object_r:nagios_services_plugin_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:5545:/usr/lib/nagios/plugins/check_dns -- system_u:object_r:nagios_services_plugin_exec_t:s0
```
The NRPE plugins x86_64 packages ship check plugin executables in: /usr/lib64/nagios/plugins

```
$ ls -ld /usr/lib64/nagios/plugins
drwxrwxr-x. 2 root root 4096 Nov 2 22:56 /usr/lib64/nagios/plugins
$ ls -ld /usr/lib/nagios/plugins
ls: cannot access /usr/lib/nagios/plugins: No such file or directory
$ rpm -ql nagios-plugins-nrpe | grep check
/usr/lib64/nagios/plugins/check_nrpe
$ rpm -ql nagios-plugins-disk
/usr/lib64/nagios/plugins/check_disk
$ rpm -ql nagios-plugins-mailq
/usr/lib64/nagios/plugins/check_mailq
$ rpm -ql nagios-plugins-ssh
/usr/lib64/nagios/plugins/check_ssh
# All the rest of the plugins only exist in /usr/lib64:
$ rpm -qR nagios-plugins-nrpe | xargs rpm -ql | grep '\/usr\/lib'
/usr/lib64/nagios/plugins/negate
/usr/lib64/nagios/plugins/urlize
/usr/lib64/nagios/plugins/utils.sh
$ rpm -qR nagios-plugins-all | xargs rpm -ql | grep -c '\/usr\/lib\/'
0
$ rpm -qR nagios-plugins-all | xargs rpm -ql | grep -c '\/usr\/lib64\/'
62
```
Just realized that the selinux-policy-targeted package owns the file: "/etc/selinux/targeted/modules/active/file_contexts"

Package version of selinux-policy-targeted:

```
$ rpm -qf /etc/selinux/targeted/modules/active/file_contexts
selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
$ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}" selinux-policy-targeted
updates selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
```
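The file_contexts entries quoted above only cover /usr/lib/nagios/plugins, which is why a binary under /usr/lib64/nagios/plugins gets no nagios plugin exec type from them. As an added illustration (not part of this bug report or of the selinux-policy package), the script below parses a constructed sample of those entries and applies the lookup rule libselinux uses (the last matching entry wins, filtered by the file-type flag) to show which type a plugin path would receive; widen_to_lib64 is an assumed, illustrative rewrite of the patterns, not the change shipped in the errata.

```python
import re

# Constructed sample: four of the /usr/lib/nagios/plugins entries quoted in
# this bug (grep line numbers dropped, file order kept).
SAMPLE_FILE_CONTEXTS = """
/usr/lib/nagios/plugins/.* -- system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/usr/lib/nagios/plugins/utils.sh -- system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/check_ntp.* -- system_u:object_r:nagios_services_plugin_exec_t:s0
/usr/lib/nagios/plugins/check_log -- system_u:object_r:nagios_system_plugin_exec_t:s0
"""

# file_contexts file-type flags; an entry without a flag matches any kind of file.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}

def parse_file_contexts(text):
    """Return [(anchored regex, file type or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        pattern, context = fields[0], fields[-1]
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        specs.append((re.compile(r"^(?:%s)$" % pattern), ftype, context))  # anchored both ends
    return specs

def match_context(specs, path, ftype="file"):
    """Label for path, or None. As in libselinux's lookup the LAST matching entry
    wins, so the generic '.*' entry sits first and check_ntp.*/check_log later."""
    for regex, spec_ftype, context in reversed(specs):
        if spec_ftype in (None, ftype) and regex.match(path):
            return context
    return None

def selinux_type(context):
    """user:role:type:level -> type, or None when the path has no entry."""
    return context.split(":")[2] if context else None

def widen_to_lib64(text):
    """Make the same entries cover /usr/lib64/ too: an illustration of the kind
    of change the report asks for, not the patch shipped in the errata."""
    return text.replace("/usr/lib/nagios/", "/usr/lib(64)?/nagios/")

if __name__ == "__main__":
    shipped = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    fixed = parse_file_contexts(widen_to_lib64(SAMPLE_FILE_CONTEXTS))
    for p in ("/usr/lib/nagios/plugins/check_disk", "/usr/lib64/nagios/plugins/check_disk"):
        print(p, selinux_type(match_context(shipped, p)), selinux_type(match_context(fixed, p)))
```

On a real host the same question is answered by `matchpathcon /usr/lib64/nagios/plugins/check_disk`; the script only reproduces the matching rule on the quoted entries.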
It's too late for RHEL-7.2.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861
Description of problem:

NRPE checks may fail on RHEL/CentOS 7 with selinux-policy <= selinux-policy-3.13.1-23.el7_1.18.noarch. The nagios-plugins-all & nagios-plugins-nrpe packages in EPEL 7 ship with binaries in a new location: /usr/lib64/nagios/plugins (as opposed to: /usr/lib/nagios/plugins/). The selinux-policy package ships with file_contexts for the /usr/lib/nagios/plugins/* location:

Version-Release number of selected component (if applicable):

```
selinux-policy-3.13.1-23.el7_1.18.noarch
nagios-common-3.5.1-1.el7.x86_64
nagios-plugins-all-2.0.3-3.el7.x86_64
nagios-plugins-nrpe-2.15-7.el7.x86_64
```

How reproducible: Always (on x86_64)

Steps to Reproduce:
1. Run check_nrpe from monitor server to run a remote check via NRPE
2. Remote host running NRPE logs audit.log errors
3. Check fails with "Permission denied" error

Actual results:

check_nrpe returns Permission denied error:

```
COMMAND: /usr/local/nagios/libexec/check_nrpe -H 10.248.2.222 -u -t 240 -c check_all_disks
OUTPUT: DISK CRITICAL - /sys/kernel/config is not accessible: Permission denied
```

Remote server running NRPE logs errors in /var/log/audit/audit.log:

```
type=SERVICE_START msg=audit(1446581322.775:14186): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nrpe.2.222:5666-10.2.0.93:42124" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1446581322.886:14187): avc: denied { getattr } for pid=6469 comm="check_disk" path="/sys/kernel/config" dev="configfs" ino=8575 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1446581322.886:14187): arch=c000003e syscall=4 success=no exit=-13 a0=7fe20dd250a0 a1=7fe20dd22090 a2=7fe20dd22090 a3=0 items=0 ppid=6468 pid=6469 auid=4294967295 uid=10105 gid=10105 euid=10105 suid=10105 fsuid=10105 egid=10105 sgid=10105 fsgid=10105 tty=(none) ses=4294967295 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1446581322.938:14188): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nrpe.2.222:5666-10.2.0.93:42124" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```

Expected results:

NRPE check should work and have the access it needs to perform the check. selinux-policy package should ship with correct file contexts for the alternate paths for NRPE plugins packaged in the EPEL package. The path for x86_64 nagios NRPE plugin checks, /usr/lib64/nagios/plugins, should be recognized by the selinux-policy and granted appropriate permissions.

Additional info:

System:

```
$ cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
$ uname -r
3.10.0-229.14.1.el7.x86_64
```

Package Versions:

```
$ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}" selinux-policy
updates selinux-policy-3.13.1-23.el7_1.18.noarch
$ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}" nagios-plugins-all nagios-plugins-nrpe nagios-common nrpe
epel nagios-common-3.5.1-1.el7.x86_64
epel nagios-plugins-all-2.0.3-3.el7.x86_64
epel nagios-plugins-nrpe-2.15-7.el7.x86_64
epel nrpe-2.15-7.el7.x86_64
```