Bug 771245
| Summary: | nagios-plugins-disk fails when checking /boot on RHEL6.2 boxes | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Brian J. Atkisson <batkisso> |
| Component: | nagios-plugins | Assignee: | Ohad Levy <ohadlevy> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | el6 | CC: | dougsland, Frank.Buettner, lemenkov, linux, marianne, ondrejj, smooge, ukh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nagios-plugins-2.2.1-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-29 18:17:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Unfortunately, adding boot_t:dir getattr access will only solve this problem for /boot. The reason for the AVC denial is that check_disk will call stat() on every mount point specified via its internal stat_path() function. For local file systems this isn't really needed if all you want to do is to check for disk size. I tweaked the check_disk.c code to skip stat_path() by default and that appears to work fine, but there apparently are cases when you do want to use stat().
To test the full effects of SELinux on check_disk, use a line with
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5%
and check_disk will traverse all mount points and get an AVC denials on stat() on quite a few depending on your setup.
we also have bz#768055 open to come at this from selinux-policy side of things in RHEL6. Same type off issue on el7 nagios-plugins-2.1.4-5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa nagios-plugins-2.1.4-5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa nagios-plugins-2.1.4-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b820953367 nagios-plugins-2.1.4-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd nagios-plugins-2.1.4-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd nagios-plugins-2.2.0-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5d813cd00d nagios-plugins-2.2.0-4.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31 nagios-plugins-2.2.0-4.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31 nagios-plugins-2.2.0-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4 nagios-plugins-2.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4 nagios-plugins-2.2.0-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064 nagios-plugins-2.2.0-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064 nagios-plugins-2.2.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-306cbf64b0 nagios-plugins-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Looks like a new selinux policy was pushed with RHEL6.2, which keeps /usr/lib64/nagios/plugins/check_disk from reading disk status on /boot, giving the following error: DISK CRITICAL - /boot is not accessible: Permission denied the disk check I am using is: command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /boot Version-Release number of selected component (if applicable): nagios-plugins-disk-1.4.14-4.el6.x86_64 RHEL 6.2 (latest) How reproducible: All the time. Steps to Reproduce: 1.Update to RHEL 6.2 from RHEL6.1 in selinux enforcing mode. 2. watch the /boot check fail 3. 'setenforce 0' and it starts working again Actual results: DISK CRITICAL - /boot is not accessible: Permission denied Expected results: The /boot check to succeed. Additional info: I generated the following selinux policy which fixes the issue, it can probably be cleaned up a bit: ------------- module nrpe_check_disk 1.0; require { type nrpe_t; type nagios_checkdisk_plugin_t; type boot_t; class process { siginh noatsecure rlimitinh }; class tcp_socket { read write }; class dir getattr; } #============= nagios_checkdisk_plugin_t ============== allow nagios_checkdisk_plugin_t boot_t:dir getattr; allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write }; #============= nrpe_t ============== allow nrpe_t nagios_checkdisk_plugin_t:process { siginh rlimitinh noatsecure }; ------------ I had to enable logging of all denied selinux policies to get: type=1400 audit(1325539329.240:9795): avc: denied { read write } for pid=23107 comm="check_disk" path="socket:[12409604]" dev=sockfs ino=12409604 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket type=1400 audit(1325539329.240:9796): avc: denied { rlimitinh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process type=1400 audit(1325539329.240:9797): avc: denied { siginh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process type=1400 audit(1325539329.240:9798): avc: denied { noatsecure } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process type=1400 audit(1325539329.241:9799): avc: denied { getattr } for pid=23107 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir