Bug 1653309

Summary: Nagios nrpe checks using sudo stopped working after update to RHEL 7.6
Product: Red Hat Enterprise Linux 7
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: urgent
Version: 7.6
CC: alan, andreas.dijkman, andy.speagle, auebergang, ekeck, fkrska, gerwinkrist, gswami, lastmikoi+rh, lvrabec, mmalik, peter.vreman, plautrba, redhat, riehecky, rik.theys, ssekidde, takirby, vladimir-csp, vmojzis, ysoni, zpytela
Target Milestone: rc
Keywords: Patch, Regression, Reproducer, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-246.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1692893
Environment:
Last Closed: 2019-08-06 12:52:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1692893

Description Zdenek Pytela 2018-11-26 14:09:06 UTC
Description of problem:
After update from RHEL 7.5 to 7.6, nagios and nrpe plugins using sudo stopped working. The nagios_run_sudo boolean is on.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-229.el7_6.5.noarch
sudo-1.8.23-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure nagios/nrpe with a plugin requiring sudo, like check_rsyslog
2. 
3.

Actual results:
plugin does not work, reporting AVC denials

Expected results:
plugin works and reports no AVC denials

Additional info:
Nagios and nrpe are from EPEL.
However, the current state seems to be a result of the sudo rebase in RHEL 7.6:

sudo skips PAM account module in case NOPASSWD is used in sudoers
https://bugzilla.redhat.com/show_bug.cgi?id=1533964

Comment 7 vladimir-csp 2018-12-07 07:10:34 UTC
Seems to be a duplicate of Bug 1651248. Workaround is included there.

Comment 8 Lukas Vrabec 2018-12-16 21:09:49 UTC
*** Bug 1651248 has been marked as a duplicate of this bug. ***

Comment 30 Milos Malik 2019-04-30 10:05:34 UTC
The following SELinux denial appeared multiple times in the TC results attached by AutoMilos:
----
type=PROCTITLE msg=audit(04/30/2019 05:48:47.069:437) : proctitle=/usr/sbin/nagios -d /etc/nagios/nagios.cfg 
type=PATH msg=audit(04/30/2019 05:48:47.069:437) : item=0 name=(null) inode=396285 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nagios_log_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=SYSCALL msg=audit(04/30/2019 05:48:47.069:437) : arch=x86_64 syscall=fchown success=no exit=EPERM(Operation not permitted) a0=0x5 a1=0x3e5 a2=0x3e2 a3=0x24 items=1 ppid=1 pid=3753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nagios exe=/usr/sbin/nagios subj=system_u:system_r:nagios_t:s0 key=(null) 
type=AVC msg=audit(04/30/2019 05:48:47.069:437) : avc:  denied  { chown } for  pid=3753 comm=nagios capability=chown  scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability permissive=0 
----

The same SELinux denial appeared during manual testing.

# find /var/ -inum 396285
/var/log/nagios/nagios.log
# ls -il /var/log/nagios/nagios.log 
396285 -rw-r--r--. 1 nagios nagios 5851 Apr 30 05:51 /var/log/nagios/nagios.log
# ls -Z /var/log/nagios/nagios.log 
-rw-r--r--. nagios nagios system_u:object_r:nagios_log_t:s0 /var/log/nagios/nagios.log
#

# rpm -qa selinux\* nagios\* | sort
nagios-4.4.3-1.el7.x86_64
nagios-common-4.4.3-1.el7.x86_64
nagios-plugins-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-disk-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-dummy-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-icmp-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-load-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nagios-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nrpe-3.2.1-8.el7.x86_64
nagios-plugins-ping-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-procs-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-ssh-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-users-2.2.1-16.20180725git3429dad.el7.x86_64
selinux-policy-3.13.1-244.el7.noarch
selinux-policy-devel-3.13.1-244.el7.noarch
selinux-policy-targeted-3.13.1-244.el7.noarch
#

Comment 33 Milos Malik 2019-05-07 12:12:48 UTC
The following rules are missing:

allow nrpe_t systemd_logind_t : process { getattr };
allow nrpe_t sssd_t : process { signull };
allow nrpe_t system_dbusd_t : dbus { send_msg };
allow nrpe_t system_dbusd_t : unix_stream_socket { connectto };
allow nrpe_t unconfined_service_t : dbus { send_msg };
allow unconfined_service_t nrpe_t : dbus { send_msg };
allow systemd_hostnamed_t sosreport_t : dbus { send_msg };

SELinux denials stored in customer cases imply that these rules should be present in policy (either in allow form or dontaudit form).
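As an added example, not code from this bug or from the selinux-policy package: a small Python version of the step that audit2allow performs, turning AVC records such as the one in Comment 30 into allow rules written in the same form as the list above. The first sample record is the Comment 30 AVC line; the nrpe_t to system_dbusd_t record is constructed to match the third rule in this comment.

```python
import re

# Sample audit records in ausearch -i format. The first AVC line is the one quoted in
# Comment 30; the second is a constructed nrpe_t -> system_dbusd_t denial matching the
# third rule in Comment 33; the SYSCALL line shows that non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/30/2019 05:48:47.069:437) : avc:  denied  { chown } for  pid=3753 comm=nagios capability=chown  scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/07/2019 12:00:00.000:512) : avc:  denied  { send_msg } for  pid=4011 comm=nrpe scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0
type=SYSCALL msg=audit(04/30/2019 05:48:47.069:437) : arch=x86_64 syscall=fchown success=no exit=EPERM(Operation not permitted)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms), or None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), set(m.group("perms").split()))


def denials_to_rules(audit_text):
    """Merge denials per (source, target, class) and emit rules in the style of Comment 33."""
    merged = {}
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        source, target, tclass, perms = parsed
        merged.setdefault((source, target, tclass), set()).update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        # Policy sources write a target identical to the source as 'self', which is
        # how the nagios_t chown capability denial above would be expressed.
        target = "self" if target == source else target
        rules.append(f"allow {source} {target} : {tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

The emitted lines are what a policy maintainer reviews before deciding, as this comment puts it, between an allow and a dontaudit form for each denial.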

Comment 50 errata-xmlrpc 2019-08-06 12:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127