Bug 1015708 - /usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.4
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
BaseOS QE Security Team
:
Depends On:
Blocks: 1250667
  Show dependency treegraph
 
Reported: 2013-10-04 17:29 EDT by Robert Scheck
Modified: 2015-08-05 13:53 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-240.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1250667 (view as bug list)
Environment:
Last Closed: 2014-10-14 03:57:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2013-10-04 17:29:55 EDT
Description of problem:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
due to the SELinux policy.

Version-Release number of selected component (if applicable):
nagios-plugins-pgsql-1.4.16-5.el6.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible:
Everytime, just set up Nagios with check_pgsql to access PostgreSQL via
socket. Nagios check is simply containing:

  command_line    $USER1$/check_pgsql -l $ARG1$ -d $ARG2$

where '$ARG1$' is 'postgres' and '$ARG2$' is 'template1'. This of course is
requiring PostgreSQL to be configured accordingly.

Actual results:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432

Expected results:
/usr/lib64/nagios/plugins/check_pgsql has access to /tmp/.s.PGSQL.5432

Additional info:
allow nagios_t postgresql_tmp_t:sock_file write;
allow nagios_t postgresql_t:unix_stream_socket connectto;
allow nagios_services_plugin_t postgresql_tmp_t:sock_file write;
allow nagios_services_plugin_t postgresql_t:unix_stream_socket connectto;
Comment 1 Robert Scheck 2013-10-04 17:31:26 EDT
Cross-filed ticket #00955666 on the Red Hat customer portal.
Comment 4 Lukas Vrabec 2014-07-04 06:03:10 EDT
patch sent.
Comment 8 errata-xmlrpc 2014-10-14 03:57:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Comment 9 Robert Scheck 2014-10-17 12:59:41 EDT
I am sorry, I disagree: selinux-policy-3.7.19-260.el6.noarch together with
nagios-plugins-pgsql-1.4.16-10.el6.x86_64 lead to:

type=AVC msg=audit(1413440001.123:49): avc:  denied  { read } for  pid=7631 comm="check_pgsql" name="tmp" dev=sda2 ino=4194305 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1413440001.123:49): arch=x86_64 syscall=open success=no exit=EACCES a0=330b454f61 a1=0 a2=1b6 a3=0 items=0 ppid=7630 pid=7631 auid=4294967295 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=4294967295 comm=check_pgsql exe=/usr/lib64/nagios/plugins/check_pgsql subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)

Note You need to log in before you can comment on or make changes to this bug.