Bug 1015702 - SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the sigkill access on a process
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-10-04 17:19 EDT by Robert Scheck
Modified: 2014-06-25 17:08 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-08 17:25:49 EDT
Type: Bug
Description Robert Scheck 2013-10-04 17:19:27 EDT
Description of problem:
Raw Audit Messages
type=AVC msg=audit(1380800743.117:542452): avc:  denied  { sigkill } for  pid=5139 comm="check_ping" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:system_r:nagios_t:s0 tclass=process


type=SYSCALL msg=audit(1380800743.117:542452): arch=x86_64 syscall=kill success=yes exit=0 a0=0 a1=9 a2=1bf6500 a3=a392d393538382d items=0 ppid=5133 pid=5139 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=21329 comm=check_ping exe=/usr/lib64/nagios/plugins/check_ping subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)

Version-Release number of selected component (if applicable):
nagios-plugins-ping-1.4.16-5.el6.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

How reproducible:
Every time, if you force DNS and network timeouts (e.g. by killing the default
route or the DNS server, thus it causes a timeout as in drop, not a reject).
Nagios seems to kill its not responding child at some point - and this fails due
to the SELinux policy.

Actual results:
SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the 
sigkill access on a process

Expected results:
Personal expectation would be that Nagios is allowed to kill its child process.
Comment 1 Robert Scheck 2013-10-04 17:22:16 EDT
Cross-filed ticket #00955664 on the Red Hat customer portal.
Comment 4 Simon Sekidde 2014-06-08 17:25:49 EDT
Robert, 

This should be fixed in the latest RHEL6 policy 

   allow nagios_plugin_domain nagios_t : process { sigchld sigkill sigstop signull signal } ;
Comment 5 Robert Scheck 2014-06-23 06:01:12 EDT
Simon, since which version should this be fixed? Having here the latest RPM
(selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned
in changelog at all if I am not completely mistaken...
Comment 6 Simon Sekidde 2014-06-24 19:28:39 EDT
(In reply to Robert Scheck from comment #5)
> Simon, since which version should this be fixed? Having here the latest RPM
> (selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned
> in changelog at all if I am not completely mistaken...

selinux-policy-3.7.19-231.el6.noarch

Fixes are in the "policy-RHEL6.5.patch" file from the source RPM

257745 +allow nrpe_t nagios_plugin_domain:process { signal sigkill };
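Review bot: the source and target on this line (nrpe_t signalling nagios_plugin_domain) do not match the denial in the description, where scontext is nagios_services_plugin_t and tcontext is nagios_t. The rule with nagios_t as target is the one quoted in comment 4, so when checking an installed policy for this fix, search for a rule with target nagios_t and permission sigkill rather than for this line.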
Comment 7 Robert Scheck 2014-06-25 17:08:47 EDT
Thank you, the line is there indeed.
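
Added example, not part of the bug thread or of selinux-policy: a small Python check of whether an allow rule covers an AVC denial, run on the AVC record from the description and the two rules quoted in comments 4 and 6. The attribute membership in `ATTRS` is an assumption (the page does not list the members of nagios_plugin_domain), and the helper names are hypothetical.

```python
import re

# AVC record copied from the bug description.
AVC = ('type=AVC msg=audit(1380800743.117:542452): avc:  denied  { sigkill } for  '
       'pid=5139 comm="check_ping" '
       'scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 '
       'tcontext=unconfined_u:system_r:nagios_t:s0 tclass=process')

# Allow rules as quoted in comment 4 and comment 6.
RULE_C4 = 'allow nagios_plugin_domain nagios_t : process { sigchld sigkill sigstop signull signal } ;'
RULE_C6 = 'allow nrpe_t nagios_plugin_domain:process { signal sigkill };'

# ASSUMPTION: attribute membership is not stated on the page. On a real
# system, list it with `seinfo -anagios_plugin_domain -x`.
ATTRS = {'nagios_plugin_domain': {'nagios_services_plugin_t'}}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denied AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+'
                  r'tcontext=(\S+)\s+tclass=(\S+)', line)
    if not m:
        raise ValueError('not an AVC denial')
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type[:mls]; the type is the third field.
    return scon.split(':')[2], tcon.split(':')[2], tclass, set(perms.split())


def parse_allow(rule):
    """Return (source, target, tclass, perms) for a single-class allow rule."""
    m = re.match(r'\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;', rule)
    if not m:
        raise ValueError('unsupported rule syntax')
    src, tgt, tclass, perms = m.groups()
    return src, tgt, tclass, set(perms.split())


def expand(name):
    """A name in a rule is a type, or an attribute that expands to types."""
    return ATTRS.get(name, {name})


def rule_covers(rule, avc):
    """True if the allow rule grants every permission the AVC record was denied."""
    s, t, c, perms = parse_avc(avc)
    rs, rt, rc, rperms = parse_allow(rule)
    return s in expand(rs) and t in expand(rt) and c == rc and perms <= rperms
```

Under the stated assumption, `rule_covers(RULE_C4, AVC)` is true and `rule_covers(RULE_C6, AVC)` is false, because the comment 6 rule has nrpe_t as its source rather than the plugin domain.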
