Bug 967774

Summary: nrpe_t wants to read the var_t:dir
Product: Red Hat OpenStack
Reporter: Attila Fazekas <afazekas>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ami Jeain <ajeain>
Severity: medium
Priority: high
Version: 3.0
CC: afazekas, lhh, mgrepl, yeylon
Target Milestone: rc
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-12-03 21:53:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Attila Fazekas 2013-05-28 10:02:20 UTC
audit2allow </var/log/audit/audit.log


#============= nrpe_t ==============
allow nrpe_t var_t:dir read;

Comment 2 Miroslav Grepl 2013-05-28 11:29:53 UTC
Could you also attach AVC msgs?

Comment 3 Attila Fazekas 2013-08-12 14:06:32 UTC
The current messages from /var/log/audit/audit.log:

type=AVC msg=audit(1376314068.155:52960): avc:  denied  { read } for  pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc:  denied  { read } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314668.183:55575): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6820ff63 a1=100 a2=0 a3=90 items=0 ppid=9323 pid=9324 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315268.610:57882): avc:  denied  { read } for  pid=11096 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315268.610:57882): arch=c000003e syscall=2 success=no exit=-13 a0=7fff90a21f63 a1=100 a2=0 a3=90 items=0 ppid=11095 pid=11096 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315868.237:60189): avc:  denied  { read } for  pid=12893 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315868.237:60189): arch=c000003e syscall=2 success=no exit=-13 a0=7fff49b55f63 a1=100 a2=0 a3=90 items=0 ppid=12892 pid=12893 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)

It is a default packstack installation, with nagios as an enabled service.
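
The AVC records above are what audit2allow reduces to the single `allow nrpe_t var_t:dir read;` line from the description. The following is an added example, not code from this bug or from the openstack-selinux package: a small parser that performs that reduction and also records which commands triggered each denial, which is the detail a policy maintainer needs before deciding whether a rule belongs in the distro policy. It generalizes slightly beyond the report by merging several permissions on the same source/target/class into one rule; the sample log is constructed (the first two records mirror comment 3, the third is made up) and the `check_disk` command name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the records in comment 3. The third AVC
# line is invented to show how permissions on one triple are merged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376314068.155:52960): avc:  denied  { read } for  pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc:  denied  { read } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1376315268.610:57882): avc:  denied  { getattr } for  pid=11096 comm="check_disk" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

# Only denied AVC records matter; SYSCALL and granted records are skipped.
DENIED_RE = re.compile(r"^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$")
# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class).

    Returns {(stype, ttype, tclass): {"perms": set, "comms": set}} so the
    caller can see both what was denied and which programs hit it.
    """
    denials = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
        key = (context_type(fields["scontext"]),
               context_type(fields["tcontext"]), fields["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        denials[key]["comms"].add(fields.get("comm", "?"))
    return dict(denials)

def allow_rules(denials):
    """Render audit2allow-style rules, one per triple, permissions sorted."""
    rules = []
    for (stype, ttype, tclass), info in sorted(denials.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for rule, info in zip(allow_rules(found), found.values()):
        print(rule, "   # triggered by:", ", ".join(sorted(info["comms"])))
```

A generated rule only describes what was denied, not what should be allowed: check whether the target is mislabeled or the access should be dontaudited before shipping a local module. In this report the access was already permitted by the Fedora and RHEL 6.5 policies, so the fix was a policy update rather than a local allow rule.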

Comment 4 Miroslav Grepl 2013-08-19 13:00:24 UTC
We allow it in Fedora.

#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

Comment 5 Miroslav Grepl 2013-08-19 13:04:04 UTC
And it has also been added to RHEL 6.5.

Comment 6 Lon Hohberger 2013-12-03 21:53:21 UTC
This was a RHEL 6.5 bug and is resolved in the 6.5 selinux-policy erratum:

http://rhn.redhat.com/errata/RHBA-2013-1598.html