Bug 2002540
Summary: | SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname | | |
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Łukasz Posadowski <mail> |
Component: | nagios | Assignee: | Guido Aulisi <guido.aulisi> |
Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | epel8 | CC: | b.heden, guido.aulisi, jose.p.oliveira.oss, linux, shawn.starr, smooge, s, swilkerson |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Last Closed: | | Type: | Bug |
Description
Łukasz Posadowski
2021-09-09 06:54:51 UTC
Here is one example alert.

```
# sealert -l 31162041-8bf2-440d-a509-1719be8aefc6
SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that check_ssl_cert should be allowed open access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
# semodule -X 300 -i my-checksslcert.pp

Additional Information:
Source Context                system_u:system_r:nagios_t:s0
Target Context                system_u:object_r:hostname_exec_t:s0
Target Objects                /usr/bin/hostname [ file ]
Source                        check_ssl_cert
Source Path                   check_ssl_cert
Port                          <Unknown>
Host                          s1-2-waw1
Source RPM Packages           bash-4.4.19-12.el8.x86_64
Target RPM Packages           hostname-3.20-6.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     s1-2-waw1
Platform                      Linux s1-2-waw1 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64
Alert Count                   117
First Seen                    2021-09-09 08:38:33 CEST
Last Seen                     2021-09-09 08:53:55 CEST
Local ID                      31162041-8bf2-440d-a509-1719be8aefc6

Raw Audit Messages
type=AVC msg=audit(1631170435.812:169853): avc: denied { open } for pid=917756 comm="check_ssl_cert" path="/usr/bin/hostname" dev="sda1" ino=13478578 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1631170435.812:169853): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56553aead4b0 a2=0 a3=0 items=0 ppid=917726 pid=917756 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=check_ssl_cert exe=/usr/bin/bash subj=system_u:system_r:nagios_t:s0 key=(null)

Hash: check_ssl_cert,nagios_t,hostname_exec_t,file,open
```