Bug 1359858

I went through the process of how I came up with the nrpe type enforcement file again.  Hopefully it provides some insight.

I installed a machine with CentOS 7.2, enabled SELinux, set 'nagios_run_sudo' to true, and then executed the nagios check command manually from the nagios host.

Nagios server checkcommand: /usr/lib/nagios/plugins/check_nrpe2 -H mira035.front.sepia.ceph.com -c check_smart -t 120

nrpe daemon command: command[check_smart]=/usr/libexec/smart.sh

After each round of AVC denials, I'd create a new type enforcement file, install it, then re-run the nagios check command.  See 'creating_policy.txt' attachment for audit.log output and incremental type enforcement file creation.

I'm also attaching 'denials.txt' which just shows all nrpe denials from the time the system was booted until SELinux finally let nrpe do its thing.

[root@mira035 ~]# rpm -qa | grep selinux
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

[root@mira035 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64

[root@mira035 ~]# rpm -qa | grep nagios-common
nagios-common-4.0.8-2.el7.x86_64

Created attachment 1183954 [details]
Shows all nrpe selinux denials from boot until nrpe was finally able to run

Created attachment 1183955 [details]
Shows incremental process of how I created the final nrpe type enforcement file

Here's the smart.sh script the nrpe user runs: https://github.com/ceph/ceph-cm-ansible/blob/master/roles/common/files/libexec/smart.sh

This bugzilla was triaged as "WONTFIX" by the SELinux team, due to third-party software component which can be fixed by component maintainer. To take advantage of Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of  the affected component. As a starting point you can use policy provided by selinux-policy package. For more details  about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.

I am taking this and will be working on getting the selinux subpolicy packages put into place for the nagios and nrpe packages.

I went through this process after some concerns were raised about some of the permissions my original type enforcement file was allowing.

I've attached output of the process I followed to get NRPE to report back the information I need.

The type enforcement file is here: https://paste.fedoraproject.org/paste/pL9s67c6ub5Z8npoGT6hx15M1UNdIGYhyRLivL9gydE=

This is on CentOS 7.3.

[root@mira040 ~]# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch

[root@mira040 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64

Created attachment 1265901 [details]
process of building newest nrpe selinux policy type enforcement file

nrpe-3.1.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

nrpe-3.1.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

nrpe-3.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

nrpe-3.1.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

nrpe-3.1.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

I'm seeing huge amounts of this:

Jul 28 11:10:02 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 9524f588-6b63-4326-bae5-3eb498ee4140
Jul 28 11:10:02 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012

The messages started appearing after update to nrpe-3.1.1-1.el7 


I tried installing the nrpe-selinux package, but that doesn't help. The module in it won't load. The post-install script in the package dumps the errors from attempt to load the module /dev/null thus hiding that it failed, which seems unhelpful.


[root@konan:production: ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@konan:production: ~]# rpm -qa | grep -i nrpe
nrpe-3.1.1-1.el7.x86_64
nagios-plugins-nrpe-3.1.1-1.el7.x86_64
nrpe-selinux-3.1.1-1.el7.x86_64
[root@konan:production: ~]# rpm -q --scripts nrpe-selinux | head -5
postinstall scriptlet (using /bin/sh):
if [ "$1" -le "1" ]; then # Fist install
   semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
   fixfiles -R nrpe restore || :
   
[root@konan:production: ~]# semodule -l | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp 
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule:  Failed!
[root@konan:production: ~]#

I have opened 1476298 to track this