Bug 1827444
| Summary: | SELinux denies execute for nagios_mail_plugin_exec_t type to bin_t, breaking Nagios plugins written in Perl | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Noel Duffy <nduffy> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.8 | CC: | lvrabec, mmalik, plautrba, ssekidde, vmojzis |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-24 10:41:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

*** This bug has been marked as a duplicate of bug 1824625 ***
Description of problem:

After upgrading to RHEL 7.8, the Nagios plugin check_mailq will not run from nrpe because SELinux blocks it:

```
type=AVC msg=audit(1587620658.856:26339): avc: denied { execute } for pid=18269 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=16815427 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
```

check_mailq is provided by nagios-plugins-mailq-2.3.1-3.el7.x86_64. The script check_mailq is a Perl script:

```
# rpm -ql nagios-plugins-mailq
/usr/lib64/nagios/plugins/check_mailq
# file /usr/lib64/nagios/plugins/check_mailq
/usr/lib64/nagios/plugins/check_mailq: Perl script, ASCII text executable
```

It has the SELinux label "system_u:object_r:nagios_mail_plugin_exec_t:s0". This means it can transition to nagios_mail_plugin_t, but that type can no longer run binaries like Perl.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-266.el7.noarch
selinux-policy-3.13.1-266.el7.noarch

How reproducible: Always.

Steps to Reproduce:
1. On a RHEL 7.8 host, install the nrpe daemon and nagios-plugins-mailq.
2. Define a service check like this: `command[check_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5 -c 10`. Restart nrpe.
3. On a remote host allowed to connect to nrpe, run: `/usr/lib64/nagios/plugins/check_nrpe -H <hostname> -c check_mailq`

Actual results:

check_nrpe produces this output:

```
NRPE: Unable to read output
```

And in the audit logs on the destination host:

```
type=AVC msg=audit(1587683845.782:436753): avc: denied { execute } for pid=36997 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=16815427 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
```

Expected results:

The check_nrpe command should produce output like this:

```
OK: sendmail mailq is empty|unsent=0;5;10;0
```

Additional info:

audit2allow suggests generating a module like this:

```
# cat mailq.te
module mailq 1.0;

require {
	type nagios_mail_plugin_t;
	type bin_t;
	class file execute;
}

#============= nagios_mail_plugin_t ==============

#!!!! WARNING: 'bin_t' is a base type.
allow nagios_mail_plugin_t bin_t:file execute;
```

Installing this allows check_nrpe to run check_mailq again. But the system administrator must install this on every host.
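As an added example (not code from the report, the reporter, or the selinux-policy package), a small Python parser for AVC records of the kind quoted above: it pulls the source and target types out of the scontext/tcontext fields, flags records carrying this bug's signature (nagios_mail_plugin_t denied execute on a bin_t file) so affected hosts can be spotted in audit logs, and assembles the same shape of .te module that audit2allow produced. The two sample records are the ones quoted in the report; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the bug report, verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1587620658.856:26339): avc: denied { execute } for pid=18269 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=16815427 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1587683845.782:436753): avc: denied { execute } for pid=36997 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=16815427 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into its key=value fields plus a sorted permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = sorted(set(m.group("perms").split()))
    return rec

def ctx_type(ctx):
    """Type field of a user:role:type:level context, e.g. nagios_mail_plugin_t."""
    return ctx.split(":")[2]

def is_mailq_regression(rec):
    """Signature of this report: nagios_mail_plugin_t denied execute on a bin_t file."""
    return (ctx_type(rec["scontext"]) == "nagios_mail_plugin_t"
            and ctx_type(rec["tcontext"]) == "bin_t"
            and rec["tclass"] == "file" and "execute" in rec["perms"])

def fmt(perms):
    """One permission bare, several in braces, as in .te syntax."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def te_module(records, name="mailq"):
    """Collapse denials into a .te module of the shape audit2allow emitted in the report."""
    rules, classes = defaultdict(set), defaultdict(set)
    for r in records:
        key = (ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"])
        rules[key].update(r["perms"])
        classes[r["tclass"]].update(r["perms"])
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)
```

The resulting rule lets nagios_mail_plugin_t execute any file labelled bin_t, not just /usr/bin/perl, which is why audit2allow attaches the base-type warning; it is a workaround for the regression rather than a narrow policy fix.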