Bug 562424

Summary: SELinux is preventing /usr/sbin/nagios "sigkill" access
Product: [Fedora] Fedora Reporter: Anthony Messina <amessina>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 12   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-92.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-04 00:17:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Anthony Messina 2010-02-06 16:46:22 UTC 
Nagios seems to have some problems trying to kill off one of its checks when it either can't reach the other host or the process starts timing out.  When it tries to kill its checking plugin, it gets denied:

This is using selinux-policy-3.6.32-82.fc12

node=chicago.messinet.com type=AVC msg=audit(1265474065.53:42575): avc:  denied  { sigkill } for  pid=30592 comm="nagios" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=process

node=chicago.messinet.com type=SYSCALL msg=audit(1265474065.53:42575): arch=c000003e syscall=62 success=yes exit=132 a0=0 a1=9 a2=1916fa0 a3=7fff4c7a3a30 items=0 ppid=1 pid=30592 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-02-08 19:31:17 UTC 
Miroslav add


        allow nagios_t nagios_$1_plugin_t:process signal_perms;
Comment 2 Miroslav Grepl 2010-02-09 11:45:23 UTC 
Fixed in selinux-policy-3.6.32-86.fc12
Comment 3 Anthony Messina 2010-02-18 19:17:43 UTC 
Using selinux-policy-targeted-3.6.32-89.fc12.noarch, I get the following errors (the example here is for the "check_disk" plugin, but the same error occurs regardless of the plugin -- other plugins generate similar errors).

# check_disk
node=chicago.messinet.com type=AVC msg=audit(1266520448.211:11996): avc:  denied  { read write } for  pid=23313 comm="check_disk" path="/var/log/nagios/spool/checkresults/checkRZ5OF9" dev=sdd3 ino=4736020 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1266520448.211:11996): arch=c000003e syscall=59 success=yes exit=0 a0=1bb1d70 a1=1bb1dd0 a2=1bae1c0 a3=40 items=0 ppid=23312 pid=23313 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)

# check_load
node=chicago.messinet.com type=AVC msg=audit(1266520443.161:11995): avc:  denied  { read write } for  pid=23305 comm="check_load" path="/var/log/nagios/spool/checkresults/checkAKKOKh" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1266520443.161:11995): arch=c000003e syscall=59 success=yes exit=0 a0=d7ad20 a1=d77ab0 a2=d77260 a3=30 items=0 ppid=23304 pid=23305 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_load" exe="/usr/lib64/nagios/plugins/check_load" subj=system_u:system_r:nagios_system_plugin_t:s0 key=(null)

# check_nrpe
node=chicago.messinet.com type=AVC msg=audit(1266520454.231:11997): avc:  denied  { read write } for  pid=23330 comm="check_nrpe" path="/var/log/nagios/spool/checkresults/checksLqF31" dev=sdd3 ino=4736025 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1266520454.231:11997): arch=c000003e syscall=59 success=yes exit=0 a0=909d70 a1=906ad0 a2=906280 a3=30 items=0 ppid=23329 pid=23330 auid=4294967295 uid=488 gid=482 euid=488 suid=488 fsuid=488 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="check_nrpe" exe="/usr/lib64/nagios/plugins/check_nrpe" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
Comment 4 Fedora Update System 2010-02-23 20:58:32 UTC 
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
Comment 5 Fedora Update System 2010-02-26 03:45:24 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Comment 6 Fedora Update System 2010-03-04 00:14:04 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.