Bug 1653309
Summary: | Nagios nrpe checks using sudo stopped working after update to RHEL 7.6 | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Zdenek Pytela <zpytela> | |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | high | Docs Contact: | ||
Priority: | urgent | |||
Version: | 7.6 | CC: | alan, andreas.dijkman, andy.speagle, auebergang, ekeck, fkrska, gerwinkrist, gswami, lastmikoi+rh, lvrabec, mmalik, peter.vreman, plautrba, redhat, riehecky, rik.theys, ssekidde, takirby, vladimir-csp, vmojzis, ysoni, zpytela | |
Target Milestone: | rc | Keywords: | Patch, Regression, Reproducer, ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.13.1-246.el7 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1692893 (view as bug list) | Environment: | ||
Last Closed: | 2019-08-06 12:52:54 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1692893 |
Description
Zdenek Pytela
2018-11-26 14:09:06 UTC
Seems to be a duplicate of Bug 1651248. Workaround is included there. *** Bug 1651248 has been marked as a duplicate of this bug. *** Following SELinux denial appeared multiple times in the TC results attached by AutoMilos: ---- type=PROCTITLE msg=audit(04/30/2019 05:48:47.069:437) : proctitle=/usr/sbin/nagios -d /etc/nagios/nagios.cfg type=PATH msg=audit(04/30/2019 05:48:47.069:437) : item=0 name=(null) inode=396285 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nagios_log_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=SYSCALL msg=audit(04/30/2019 05:48:47.069:437) : arch=x86_64 syscall=fchown success=no exit=EPERM(Operation not permitted) a0=0x5 a1=0x3e5 a2=0x3e2 a3=0x24 items=1 ppid=1 pid=3753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nagios exe=/usr/sbin/nagios subj=system_u:system_r:nagios_t:s0 key=(null) type=AVC msg=audit(04/30/2019 05:48:47.069:437) : avc: denied { chown } for pid=3753 comm=nagios capability=chown scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability permissive=0 ---- The same SELinux denial appeared during manual testing. # find /var/ -inum 396285 /var/log/nagios/nagios.log # ls -il /var/log/nagios/nagios.log 396285 -rw-r--r--. 1 nagios nagios 5851 Apr 30 05:51 /var/log/nagios/nagios.log # ls -Z /var/log/nagios/nagios.log -rw-r--r--. nagios nagios system_u:object_r:nagios_log_t:s0 /var/log/nagios/nagios.log # # rpm -qa selinux\* nagios\* | sort nagios-4.4.3-1.el7.x86_64 nagios-common-4.4.3-1.el7.x86_64 nagios-plugins-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-disk-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-dummy-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-icmp-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-load-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-nagios-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-nrpe-3.2.1-8.el7.x86_64 nagios-plugins-ping-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-procs-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-ssh-2.2.1-16.20180725git3429dad.el7.x86_64 nagios-plugins-users-2.2.1-16.20180725git3429dad.el7.x86_64 selinux-policy-3.13.1-244.el7.noarch selinux-policy-devel-3.13.1-244.el7.noarch selinux-policy-targeted-3.13.1-244.el7.noarch # Following rules are missing: allow nrpe_t systemd_logind_t : process { getattr }; allow nrpe_t sssd_t : process { signull }; allow nrpe_t system_dbusd_t : dbus { send_msg }; allow nrpe_t system_dbusd_t : unix_stream_socket { connectto }; allow nrpe_t unconfined_service_t : dbus { send_msg }; allow unconfined_service_t nrpe_t : dbus { send_msg }; allow systemd_hostnamed_t sosreport_t : dbus { send_msg }; SELinux denials stored in customer cases imply that these rules should be present in policy (either in allow form or dontaudit form). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2127 |