Bug 1015702 - SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the sigkill access on a process
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-10-04 21:19 UTC by Robert Scheck
Modified: 2018-12-05 16:25 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-06-08 21:25:49 UTC

Description Robert Scheck 2013-10-04 21:19:27 UTC
Description of problem:
Raw Audit Messages
type=AVC msg=audit(1380800743.117:542452): avc:  denied  { sigkill } for  pid=5139 comm="check_ping" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:system_r:nagios_t:s0 tclass=process


type=SYSCALL msg=audit(1380800743.117:542452): arch=x86_64 syscall=kill success=yes exit=0 a0=0 a1=9 a2=1bf6500 a3=a392d393538382d items=0 ppid=5133 pid=5139 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=21329 comm=check_ping exe=/usr/lib64/nagios/plugins/check_ping subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)

Version-Release number of selected component (if applicable):
nagios-plugins-ping-1.4.16-5.el6.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

How reproducible:
Every time, if you force DNS and network timeouts (e.g. by killing the default
route or the DNS server, so that it causes a timeout as in drop, not a reject).
Nagios seems to kill its non-responding child at some point - and this fails due
to the SELinux policy.

Actual results:
SELinux is preventing /usr/lib64/nagios/plugins/check_ping from using the 
sigkill access on a process

Expected results:
Personal expectation would be that Nagios is allowed to kill its child process.

Comment 1 Robert Scheck 2013-10-04 21:22:16 UTC
Cross-filed ticket #00955664 on the Red Hat customer portal.

Comment 4 Simon Sekidde 2014-06-08 21:25:49 UTC
Robert, 

This should be fixed in the latest RHEL6 policy 

   allow nagios_plugin_domain nagios_t : process { sigchld sigkill sigstop signull signal } ;

Comment 5 Robert Scheck 2014-06-23 10:01:12 UTC
Simon, since which version should this be fixed? Having here the latest RPM
(selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned
in changelog at all if I am not completely mistaken...

Comment 6 Simon Sekidde 2014-06-24 23:28:39 UTC
(In reply to Robert Scheck from comment #5)
> Simon, since which version should this be fixed? Having here the latest RPM
> (selinux-policy-targeted-3.7.19-231.el6_5.3.noarch), but nothing is mentioned
> in changelog at all if I am not completely mistaken...

selinux-policy-3.7.19-231.el6.noarch

Fixes are in the "policy-RHEL6.5.patch" file from the source RPM

257745 +allow nrpe_t nagios_plugin_domain:process { signal sigkill };
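
Review bot: the source and target of this added rule (nrpe_t to nagios_plugin_domain) do not match the denial in the description, where scontext is nagios_services_plugin_t and tcontext is nagios_t, so this line alone would not allow that sigkill. When confirming the fix, also check policy-RHEL6.5.patch for the rule quoted in comment 4 (allow nagios_plugin_domain nagios_t : process { ... sigkill ... }), which is the one whose source and target line up with the AVC.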

Comment 7 Robert Scheck 2014-06-25 21:08:47 UTC
Thank you, the line is there indeed.
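
Added example, not part of the original report or of the selinux-policy source: a small Python check of whether the allow rules quoted in comments 4 and 6 cover the AVC denial from the description, together with a decode of the audited kill() arguments. The membership of nagios_services_plugin_t in the nagios_plugin_domain attribute is an assumption made in the code, and all function names are illustrative.

```python
import re
import signal

# Records from the bug description (the SYSCALL record is shortened after pid=).
AVC = ('type=AVC msg=audit(1380800743.117:542452): avc:  denied  { sigkill } for  pid=5139 '
       'comm="check_ping" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 '
       'tcontext=unconfined_u:system_r:nagios_t:s0 tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1380800743.117:542452): arch=x86_64 syscall=kill success=yes '
           'exit=0 a0=0 a1=9 a2=1bf6500 a3=a392d393538382d items=0 ppid=5133 pid=5139')
RULE_COMMENT_4 = 'allow nagios_plugin_domain nagios_t : process { sigchld sigkill sigstop signull signal } ;'
RULE_COMMENT_6 = 'allow nrpe_t nagios_plugin_domain:process { signal sigkill };'

# Assumption (not stated on the page): partial attribute membership in the RHEL 6 policy.
ATTRIBUTES = {'nagios_plugin_domain': {'nagios_services_plugin_t'}}

def parse_avc(line):
    """Return (source type, target type, class, permissions) of an AVC denial."""
    m = re.search(r'denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)', line)
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type:level; the type is the third field.
    return scon.split(':')[2], tcon.split(':')[2], tclass, set(perms.split())

def parse_rule(rule):
    """Return (source, target, class, permissions) of a single allow rule."""
    m = re.match(r'\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s*\{([^}]*)\}', rule)
    src, tgt, tclass, perms = m.groups()
    return src, tgt, tclass, set(perms.split())

def expand(name):
    """Expand an attribute to its member types; a plain type stands for itself."""
    return ATTRIBUTES.get(name, {name})

def covers(rule, avc):
    """True if the allow rule grants every permission the AVC record was denied."""
    r_src, r_tgt, r_class, r_perms = parse_rule(rule)
    src, tgt, tclass, perms = parse_avc(avc)
    return src in expand(r_src) and tgt in expand(r_tgt) and tclass == r_class and perms <= r_perms

def decode_kill(line):
    """Return (pid argument, signal name) of an audited kill(); a0 and a1 are hex."""
    fields = dict(kv.split('=', 1) for kv in line.split() if '=' in kv)
    pid = int(fields['a0'], 16) & 0xffffffff
    if pid >= 0x80000000:          # pid_t is a signed 32-bit value
        pid -= 0x100000000
    # pid 0 means "every process in the caller's process group".
    return pid, signal.Signals(int(fields['a1'], 16)).name

if __name__ == '__main__':
    print(parse_avc(AVC), decode_kill(SYSCALL))
    print(covers(RULE_COMMENT_4, AVC), covers(RULE_COMMENT_6, AVC))
```

The decoded call is kill(0, SIGKILL), a signal to the plugin's whole process group, which is consistent with the AVC naming nagios_t as the target.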

