Bug 1856716

Summary: SELinux is preventing check_mailq from execute access on the file /usr/bin/perl
Product: [Fedora] Fedora EPEL
Reporter: rgessner <ralph>
Component: nagios-plugins
Assignee: Guido Aulisi <guido.aulisi>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel8
CC: b.heden, herrold, lemenkov, mhjacks, pieter.avonts, smooge, stefano.biagiotti, swilkerson
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Type: Bug

Description rgessner 2020-07-14 09:39:10 UTC
Description of problem:

The check_mailq nagios plugin cannot be used by nrpe with SELinux enabled.



Additional info:

SELinux is preventing check_mailq from execute access on the file /usr/bin/perl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_mailq should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_mailq' --raw | audit2allow -M my-checkmailq
# semodule -X 300 -i my-checkmailq.pp


Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        check_mailq
Source Path                   check_mailq
Port                          <Unknown>
Host                          hypxxxxxxxxxxxxx
Source RPM Packages           
Target RPM Packages           perl-interpreter-5.26.3-416.el8.x86_64
Policy RPM                    selinux-policy-3.14.3-41.el8_2.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hyperion.x4r.net
Platform                      Linux hypxxxxxxxxxxx 4.18.0-193.6.3.el8_2.x86_64
                              #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-07-14 11:20:27 CEST
Last Seen                     2020-07-14 11:30:27 CEST
Local ID                      dfc86828-4668-4f56-95cb-bfd11045e879

Raw Audit Messages
type=AVC msg=audit(1594719027.924:107423): avc:  denied  { execute } for  pid=189695 comm="check_mailq" path="/usr/bin/perl" dev="dm-1" ino=201702604 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: check_mailq,nagios_mail_plugin_t,bin_t,file,execute

Comment 1 Stefano Biagiotti 2020-12-10 11:16:29 UTC
Similar issue here with nagios-plugins-file_age-2.3.3-4.el8.x86_64

type=AVC msg=audit(1607595433.491:1068109): avc:  denied  { map } for  pid=3861499 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=50334503 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Comment 2 Fedora Admin user for bugzilla script actions 2021-02-20 00:05:37 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
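
Added example, not part of the bug report and not code from nagios-plugins or selinux-policy: a small Python parser that reduces the two raw AVC records quoted above to the tuple shown on the "Hash:" line and to the allow rules a local policy module built from them would carry, so the grant can be reviewed before it is loaded. The function names are this example's own.

```python
import re
from collections import defaultdict

# The two raw AVC records copied from this report (description and comment 1).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1594719027.924:107423): avc:  denied  { execute } for  pid=189695 comm="check_mailq" path="/usr/bin/perl" dev="dm-1" ino=201702604 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1607595433.491:1068109): avc:  denied  { map } for  pid=3861499 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=50334503 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # An SELinux context is user:role:type:level; policy rules use the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = m.group('perms').split()
    return fields


def denial_key(f):
    """comm,source type,target type,class,permission, as on the Hash: line
    (single-permission records only)."""
    return ','.join([f['comm'], f['stype'], f['ttype'], f['tclass'], f['perms'][0]])


def allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        f = parse_avc(line)
        if f is not None:
            grouped[(f['stype'], f['ttype'], f['tclass'])].update(f['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        permstr = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {permstr};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Each rule is keyed on SELinux types, so it applies to every file labeled bin_t, not only /usr/bin/perl.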