Bug 768055

Summary: SELinux silent denials of Nagios NRPE check of /boot
Product: Red Hat Enterprise Linux 6
Reporter: moshe
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: low
Priority: unspecified
Version: 6.2
CC: ben, dwalsh, ebenes, Frank.Buettner, fweiss, kevin, ksrot, mmalik, n.beernink, piotr.popieluch, sergio.pasra
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:29:44 UTC

Description moshe 2011-12-15 16:26:30 UTC
Description of problem:
SELinux silently denies the Nagios check_disk plugin from checking /boot when it is executed via the NRPE daemon.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up nrpe to execute the following check: command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /boot

2. Activate the NRPE check from other host: /usr/lib64/nagios/plugins/check_nrpe -H TESTHOST.redhat.com -c check_boot

Actual results:

DISK CRITICAL - /boot is not accessible: Permission denied

Expected results:

DISK OK - free space: /boot 167 MB (77% inode=99%);| /boot=47MB;203;214;0;226

Additional info:

I had to run 'semodule -DB' to actually get any output about this in audit.log.

Once I did, and turned off enforcing, the following is a dump of the relevant entries:

type=AVC msg=audit(1323966375.648:38669): avc:  denied  { getattr } for  pid=27971 comm="sh" path="/root" dev=vda3 ino=372417 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1323966375.648:38669): arch=c000003e syscall=4 success=yes exit=0 a0=cd4430 a1=7fff5c081440 a2=7fff5c081440 a3=3d04d250e0 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1323966375.648:38670): avc:  denied  { read write } for  pid=27971 comm="check_disk" path="socket:[1026787]" dev=sockfs ino=1026787 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=AVC msg=audit(1323966375.648:38670): avc:  denied  { rlimitinh } for  pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=AVC msg=audit(1323966375.648:38670): avc:  denied  { siginh } for  pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=AVC msg=audit(1323966375.648:38670): avc:  denied  { noatsecure } for  pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=SYSCALL msg=audit(1323966375.648:38670): arch=c000003e syscall=59 success=yes exit=0 a0=cd9580 a1=cd95e0 a2=cd7690 a3=40 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)
type=AVC msg=audit(1323966375.650:38671): avc:  denied  { getattr } for  pid=27971 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1323966375.650:38671): arch=c000003e syscall=4 success=yes exit=0 a0=7fffcb59c782 a1=10c0090 a2=10c0090 a3=10 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)

Comment 2 Ben Webb 2012-01-01 19:41:56 UTC
I'm seeing similar behavior with both the Nagios check_disk and check_nagios plugins when confined by selinux-policy-targeted-3.7.19-126.el6_2.4.noarch. These plugins worked fine with RHEL6.1, and haven't changed in EPEL between 6.1 and 6.2.

With the following in nrpe.cfg:

command[check_nagios]=/usr/lib64/nagios/plugins/check_nagios -e 10 -F /var/log/nagios/status.dat -C /usr/sbin/nagios
command[check_alldisks]=/usr/lib64/nagios/plugins/check_disk --stat-remote-fs -e -x gvfs-fuse-daemon -x nfsd -x nodev -x sysfs -x devpts -x tmpfs -x none -x sunrpc

We can try the checks with something like
/usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_nagios
/usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_alldisks

The check_nagios check gives the following avcs:
Jan  1 11:24:17 triangle kernel: type=1400 audit(1325445857.766:443): avc:  denied  { search } for  pid=9051 comm="check_nagios" name="log" dev=cciss!c0d0p3 ino=307 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Jan  1 11:24:17 triangle kernel: type=1400 audit(1325445857.848:444): avc:  denied  { search } for  pid=9051 comm="check_nagios" name="nagios" dev=cciss!c0d0p3 ino=1136 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=dir
Jan  1 11:24:18 triangle kernel: type=1400 audit(1325445857.930:445): avc:  denied  { read } for  pid=9051 comm="check_nagios" name="status.dat" dev=cciss!c0d0p3 ino=104 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

While check_disk gives the following:
Jan  1 11:20:38 triangle kernel: type=1400 audit(1325445638.539:6): avc:  denied  { getattr } for  pid=7525 comm="check_disk" name="/" dev=cciss!c0d0p1 ino=2 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Jan  1 11:20:38 triangle kernel: type=1400 audit(1325445638.618:7): avc:  denied  { getattr } for  pid=7525 comm="check_disk" name="/" dev=proc ino=1 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem

The checks both succeed if SELinux is put into permissive mode.

I have worked around these problems for the time being with
chcon -t nagios_unconfined_plugin_exec_t check_nagios check_disk

but it would be preferable if SELinux policy were fixed so these plugins continued to work as in 6.1.
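As an added example (not part of this bug report or of selinux-policy), the following parser reads AVC denial records in both formats quoted above, the raw audit.log form from the description and the kernel/syslog form from Comment 2, and summarises which source type is denied which permissions on which target type; the noise set and its filtering are an assumption based on the reference policy's dontaudit rules for domain transitions.

```python
import re
from collections import defaultdict

# AVC body shared by raw audit.log records ("type=AVC msg=audit(...)") and the
# kernel/syslog copies ("type=1400 audit(...)"); anything else yields None below.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: permissions the reference policy dontaudits on every domain transition;
# they only appear once dontaudit rules are disabled (semodule -DB) and are not the real failure.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}

def parse_avc(line):
    """Return denied perms, object, source/target types and class, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": sorted(m.group("perms").split()),
        "object": fields.get("path") or fields.get("name"),
        "source": m.group("scontext").split(":")[2],  # type part of user:role:type:level
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def summarize(lines, drop_noise=True):
    """Group denials as (source type, target type, tclass) -> sorted denied permissions."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        perms = [p for p in rec["perms"] if not (drop_noise and p in TRANSITION_NOISE)]
        if perms:
            summary[(rec["source"], rec["target"], rec["tclass"])].update(perms)
    return {key: sorted(perms) for key, perms in summary.items()}

# Sample input: denial lines quoted in this bug, in audit.log and in syslog format.
SAMPLE = [
    'type=AVC msg=audit(1323966375.650:38671): avc:  denied  { getattr } for  pid=27971 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir',
    'type=AVC msg=audit(1323966375.648:38670): avc:  denied  { read write } for  pid=27971 comm="check_disk" path="socket:[1026787]" dev=sockfs ino=1026787 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1323966375.648:38670): avc:  denied  { siginh } for  pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process',
    'Jan  1 11:20:38 triangle kernel: type=1400 audit(1325445638.539:6): avc:  denied  { getattr } for  pid=7525 comm="check_disk" name="/" dev=cciss!c0d0p1 ino=2 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
]

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print("%s -> %s (%s): %s" % (src, tgt, cls, " ".join(perms)))
```

Feed it `grep avc /var/log/audit/log` or `/var/log/messages` output; the remaining keys are the denials a policy fix (or a local module) actually has to cover.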

Comment 3 Miroslav Grepl 2012-01-02 08:05:22 UTC
I added fixes to Fedora and will backport.

Comment 7 piotr.popieluch 2012-03-26 08:39:14 UTC
Is there a workaround available? When is the fix expected to be included?

Comment 8 Miroslav Grepl 2012-03-26 08:50:21 UTC
Yes, you can download the latest policy from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 10 errata-xmlrpc 2012-06-20 12:29:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html