Description of problem:
The nagios-selinux package replaces the system nagios SELinux module with one
that appears to prohibit most common Nagios operations. "Unconfined" plugins
such as check_procs do not work at all without disabling SELinux.
I have a small reproducer below that uses NRPE rather than a full Nagios
install. Plugins work normally with the default selinux-policy-targeted, but
fail if nagios-selinux is installed.
Version-Release number of selected component (if applicable):
nagios-selinux-4.4.6-7.el9~bootstrap.noarch
How reproducible:
Always
Steps to Reproduce:
% dnf install nrpe nagios-plugins-procs nagios-plugins-nrpe
% systemctl start nrpe
% /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_total_procs
PROCS OK: 113 processes | procs=113;150;200;0;
% dnf install nagios-selinux
% /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_total_procs
Unable to read output
% grep avc /var/log/audit/audit.log |tail -1
type=AVC msg=audit(1658426463.166:127): avc: denied { execute } for pid=1792 comm="check_procs" name="ps" dev="dm-0" ino=4330077 scontext=system_u:system_r:nagios_unconfined_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
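As an added example (not part of the original bug report), a small parser for AVC records like the one above: it pulls out the decision, the permission set, the source domain and target type, and flags the case the report describes, a denial where the source domain is one of the nominally unconfined Nagios plugin domains. The sample line is a copy of the AVC record quoted above, embedded so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the AVC record quoted in the reproducer above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1658426463.166:127): avc: denied { execute } for pid=1792 '
    'comm="check_procs" name="ps" dev="dm-0" ino=4330077 '
    'scontext=system_u:system_r:nagios_unconfined_plugin_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="quoted value"
_DECISION = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')  # decision { perms }


@dataclass
class Avc:
    result: str                       # "denied" or "granted"
    perms: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def source_domain(self) -> str:   # third field of user:role:type:level
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self) -> bool:       # permissive=1 means logged but not blocked
        return self.result == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line: str) -> Avc:
    """Parse one type=AVC audit record into decision, permissions and key=value fields."""
    m = _DECISION.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return Avc(m.group(1), m.group(2).split(), fields)


def summarize(avc: Avc) -> str:
    """One-line summary in the order a policy author reads it: what, on which type, by whom."""
    return "%s %s on %s:%s for %s (comm=%s, name=%s)" % (
        avc.result, " ".join(avc.perms), avc.target_type, avc.fields.get("tclass", "?"),
        avc.source_domain, avc.fields.get("comm", "?"), avc.fields.get("name", "?"))


def is_unconfined_plugin_denial(avc: Avc) -> bool:
    """True when an enforced denial hits a *_unconfined_plugin_t domain, the report's symptom."""
    return avc.enforced and avc.source_domain.endswith("_unconfined_plugin_t")
```

Running it over `grep avc /var/log/audit/audit.log` output gives one summary per record; any line for which `is_unconfined_plugin_denial` is true is the signature the report describes.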
Actual results:
nagios_unconfined_plugin_t plugins such as check_procs are denied by SELinux.
Expected results:
Plugins work without SELinux denials.
Additional info:
I see similar avc denials for virtually every plugin on my full Nagios server,
but these all go away and everything works normally (at least for me) if I
rpm -e --nodeps nagios-selinux
My Nagios install worked before with RHEL 8.6, but I notice the nagios
RPM didn't require nagios-selinux at that time (and I didn't have it installed).
I was looking into what to upgrade CentOS 7 to in the future for Nagios and I ran into this testing on 9 also. The host check doesn't even work (check_ping). I tried fixing all the AVC denials for it using setroubleshoot and the ausearch/semodule -i but pinging still didn't work unless I disable SELinux completely.