Bug 1367890

Summary: Nagios check_ping SELinux context issue
Product: [Fedora] Fedora EPEL
Reporter: John Oliver <jnojr>
Component: nagios-plugins
Assignee: Stephen John Smoogen <smooge>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: el6
CC: jnojr, kmf, mhayden, ondrejj, ralloway, swilkerson
Hardware: Unspecified   
OS: Linux   
Last Closed: 2017-01-23 15:15:08 UTC
Type: Bug

Description John Oliver 2016-08-17 17:41:16 UTC
This is on a system that isn't connected to the Internet, so I have to type all this junk, so any weirdness is probably me and not a bizarre system issue!

SELinux is preventing /usr/lib64/nagios/plugins/check_procs from getattr access on the file /usr/lib64/nagios/plugins/check_ping

Additional Information:
Source Context          unconfined_u:system_r:nagios_system_plugin_t:s0
Target Context          system_u:object_r:nagios_services_plugin_exec_t:s0
Target Objects          /usr/lib64/nagios/plugins/check_ping [file]
Source                  check_procs
Source Path             /usr/lib64/nagios/plugins/check_procs
Port                    <Unknown>
Source RPM Packages     nagios-plugins-procs-2.0.3-3.el6.x86_64
Target RPM Packages     nagios-plugins-ping-2.0.3-3.el6.x86_64
Policy RPM              selinux-policy-3.7.19-279.el6_7.9.noarch
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Platform                Linux 2.6.32-504.30.3.el6.x86_64

Raw Audit Messages
type=AVC msg=audit(...): avc: denied { getattr } for pid=11594 comm="check_procs" path="/usr/lib64/nagios/plugins/check_ping" dev=dm-0 ino=1056486 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_services_plugin_exec_t:s0 tclass=file
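
To read the raw audit message above field by field, the following added example (not part of the original report, and not code from the Nagios or SELinux projects) parses an AVC record into its source and target contexts and renders the denied access in policy syntax. The function names are hypothetical; the sample line is the one quoted in the report, with its elided timestamp left as is.

```python
import re

# AVC record copied from the report above (its audit timestamp is elided there).
SAMPLE = (
    'type=AVC msg=audit(...): avc: denied { getattr } for pid=11594 '
    'comm="check_procs" path="/usr/lib64/nagios/plugins/check_ping" '
    'dev=dm-0 ino=1056486 '
    'scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 '
    'tcontext=system_u:object_r:nagios_services_plugin_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Return the record's fields, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError(f'AVC record lacks {sorted(missing)}')
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def te_rule(rec):
    """Render the denied access as a type-enforcement rule, for policy comparison."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ ' + ' '.join(rec['perms']) + ' }'
    return f"allow {rec['source']['type']} {rec['target']['type']}:{rec['tclass']} {perms};"
```

For the record in this report, `te_rule(parse_avc(SAMPLE))` names the `nagios_system_plugin_t` domain, the `nagios_services_plugin_exec_t` file type and the single `getattr` permission, which is the tuple to look for in the installed policy.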

Comment 1 Richard D Alloway 2016-09-15 20:04:52 UTC
Hi John!

Do you have any additional details on how to replicate the bug?

I have EL6.6 installed along with the kernel and package versions that you included in the bug report:

kernel-2.6.32-504.30.3.el6.x86_64
nagios-plugins-ping-2.0.3-3.el6.x86_64
nagios-plugins-procs-2.0.3-3.el6.x86_64
selinux-policy-3.7.19-279.el6_7.9.noarch

SELinux is also configured for ‘enforcing’.

But I am unable to duplicate the SELinux issue.

Any additional info that you could provide on how to replicate this bug would be much appreciated.

Thanks!

-Rich Alloway (RogueWave)