Bug 1015708 - /usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
Summary: /usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1250667
TreeView+ depends on / blocked
 
Reported: 2013-10-04 21:29 UTC by Robert Scheck
Modified: 2019-08-15 03:41 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-240.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1250667 (view as bug list)
Environment:
Last Closed: 2014-10-14 07:57:12 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Robert Scheck 2013-10-04 21:29:55 UTC 
Description of problem:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
due to the SELinux policy.

Version-Release number of selected component (if applicable):
nagios-plugins-pgsql-1.4.16-5.el6.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible:
Everytime, just set up Nagios with check_pgsql to access PostgreSQL via
socket. Nagios check is simply containing:

  command_line    $USER1$/check_pgsql -l $ARG1$ -d $ARG2$

where '$ARG1$' is 'postgres' and '$ARG2$' is 'template1'. This of course is
requiring PostgreSQL to be configured accordingly.

Actual results:
/usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432

Expected results:
/usr/lib64/nagios/plugins/check_pgsql has access to /tmp/.s.PGSQL.5432

Additional info:
allow nagios_t postgresql_tmp_t:sock_file write;
allow nagios_t postgresql_t:unix_stream_socket connectto;
allow nagios_services_plugin_t postgresql_tmp_t:sock_file write;
allow nagios_services_plugin_t postgresql_t:unix_stream_socket connectto;
Comment 1 Robert Scheck 2013-10-04 21:31:26 UTC 
Cross-filed ticket #00955666 on the Red Hat customer portal.
Comment 4 Lukas Vrabec 2014-07-04 10:03:10 UTC 
patch sent.
Comment 8 errata-xmlrpc 2014-10-14 07:57:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Comment 9 Robert Scheck 2014-10-17 16:59:41 UTC 
I am sorry, I disagree: selinux-policy-3.7.19-260.el6.noarch together with
nagios-plugins-pgsql-1.4.16-10.el6.x86_64 lead to:

type=AVC msg=audit(1413440001.123:49): avc:  denied  { read } for  pid=7631 comm="check_pgsql" name="tmp" dev=sda2 ino=4194305 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1413440001.123:49): arch=x86_64 syscall=open success=no exit=EACCES a0=330b454f61 a1=0 a2=1b6 a3=0 items=0 ppid=7630 pid=7631 auid=4294967295 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=4294967295 comm=check_pgsql exe=/usr/lib64/nagios/plugins/check_pgsql subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
Note You need to log in before you can comment on or make changes to this bug.