Bug 1359858
Field | Value | Field | Value
---|---|---|---
Summary: | NRPE causes SELinux denials | |
Product: | [Fedora] Fedora EPEL | Reporter: | Ken Dreyer (Red Hat) <kdreyer>
Component: | nrpe | Assignee: | Stephen John Smoogen <smooge>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | epel7 | CC: | athmanem, b.heden, dgallowa, herrold, jose.p.oliveira.oss, kmf, lvrabec, mgrepl, mhayden, mike.willis, mmalik, ondrejj, plautrba, pvrabec, smooge, smooge, ssekidde, s, swilkerson
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | nrpe-3.1.1-1.fc24 nrpe-3.1.1-1.fc25 nrpe-3.1.1-1.el6 nrpe-3.1.1-1.el7 nrpe-3.1.1-1.fc26 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-07-04 00:19:46 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1393066 | |
Attachments: | | |
Description
Ken Dreyer (Red Hat)
2016-07-25 14:45:25 UTC
I went through the process of how I came up with the nrpe type enforcement file again. Hopefully it provides some insight. I installed a machine with CentOS 7.2, enabled SELinux, set 'nagios_run_sudo' to true, and then executed the nagios check command manually from the nagios host.

Nagios server checkcommand:
/usr/lib/nagios/plugins/check_nrpe2 -H mira035.front.sepia.ceph.com -c check_smart -t 120

nrpe daemon command:
command[check_smart]=/usr/libexec/smart.sh

After each round of AVC denials, I'd create a new type enforcement file, install it, then re-run the nagios check command. See 'creating_policy.txt' attachment for audit.log output and incremental type enforcement file creation. I'm also attaching 'denials.txt' which just shows all nrpe denials from the time the system was booted until SELinux finally let nrpe do its thing.

[root@mira035 ~]# rpm -qa | grep selinux
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
[root@mira035 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64
[root@mira035 ~]# rpm -qa | grep nagios-common
nagios-common-4.0.8-2.el7.x86_64

Created attachment 1183954 [details]
Shows all nrpe selinux denials from boot until nrpe was finally able to run
Created attachment 1183955 [details]
Shows incremental process of how I created the final nrpe type enforcement file
Here's the smart.sh script the nrpe user runs: https://github.com/ceph/ceph-cm-ansible/blob/master/roles/common/files/libexec/smart.sh

This bugzilla was triaged as "WONTFIX" by the SELinux team, due to third-party software component which can be fixed by component maintainer. To take advantage of Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of the affected component. As a starting point you can use policy provided by selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.

I am taking this and will be working on getting the selinux subpolicy packages put into place for the nagios and nrpe packages.

I went through this process after some concerns were raised about some of the permissions my original type enforcement file was allowing. I've attached output of the process I followed to get NRPE to report back the information I need. The type enforcement file is here: https://paste.fedoraproject.org/paste/pL9s67c6ub5Z8npoGT6hx15M1UNdIGYhyRLivL9gydE=

This is on CentOS 7.3.

[root@mira040 ~]# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
[root@mira040 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64

Created attachment 1265901 [details]
process of building newest nrpe selinux policy type enforcement file
nrpe-3.1.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

nrpe-3.1.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

nrpe-3.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

nrpe-3.1.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

nrpe-3.1.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

I'm seeing huge amounts of this:

Jul 28 11:10:02 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 9524f588-6b63-4326-bae5-3eb498ee4140
Jul 28 11:10:02 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012

The messages started appearing after update to nrpe-3.1.1-1.el7. I tried installing the nrpe-selinux package, but that doesn't help. The module in it won't load. The post-install script in the package dumps the errors from the attempt to load the module to /dev/null, thus hiding that it failed, which seems unhelpful.

[root@konan:production: ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
[root@konan:production: ~]# rpm -qa | grep -i nrpe
nrpe-3.1.1-1.el7.x86_64
nagios-plugins-nrpe-3.1.1-1.el7.x86_64
nrpe-selinux-3.1.1-1.el7.x86_64
[root@konan:production: ~]# rpm -q --scripts nrpe-selinux | head -5
postinstall scriptlet (using /bin/sh):
if [ "$1" -le "1" ]; then # Fist install
semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
fixfiles -R nrpe restore || :
[root@konan:production: ~]# semodule -l | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule: Failed!
[root@konan:production: ~]#

I have opened 1476298 to track this
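An added example, not from the bug thread or the nrpe package: a small Python triage helper for the per-round audit.log review the description walks through (collect AVC denials, turn them into type enforcement rules, re-test). It parses constructed sample audit lines (including a check_nrpe unix_dgram_socket denial like the one reported after the 3.1.1 update), merges them per source type, target type and class the way audit2allow groups its output, and renders candidate allow rules; the regex and all sample values are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not the bug's attachments): two nrpe_t denials on the
# check script, one check_nrpe denial logged in permissive mode, and a non-AVC record to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1469457925.101:201): avc:  denied  { execute } for  pid=2101 comm="nrpe" name="smart.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1469457925.102:202): avc:  denied  { read open } for  pid=2101 comm="nrpe" name="smart.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501240202.300:900): avc:  denied  { create } for  pid=3310 comm="check_nrpe" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=unix_dgram_socket permissive=1
type=SYSCALL msg=audit(1469457925.101:201): arch=c000003e syscall=59 success=no exit=-13
"""
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def type_of(context):
    """Return the type field (third colon-separated element) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(lines):
    """One record per AVC denial; other audit record types (SYSCALL, CWD, ...) are skipped."""
    records = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            records.append({"comm": m.group("comm"), "stype": type_of(m.group("scontext")),
                            "ttype": type_of(m.group("tcontext")), "tclass": m.group("tclass"),
                            "perms": set(m.group("perms").split()),
                            # permissive=1: the access was only logged, never actually blocked
                            "blocked": m.group("permissive") != "1"})
    return records

def summarize(records):
    """Merge permissions per (source type, target type, class), as one TE rule would."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)

def to_te_rules(summary):
    """Render candidate allow rules for review; 'self' stands in for a target equal to the source."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_te_rules(summarize(parse_avc(SAMPLE_AUDIT.splitlines())))))
```

The rendered rules are a starting point for reviewing each permission, which is the concern the thread raises about the original type enforcement file, not a module to build and install as-is; the `blocked` flag matters because a denial logged with permissive=1 was never enforced.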