[nagios] SELinux violation caused by nrpe trying to run the df command on /var/

Version
=======
rhos Grizzly on rhel 6.4, puddle 2013-11-01.1
nrpe-2.14-1.el6ost.x86_64
openstack-selinux-0.1.2-10.el6ost.noarch

Description
===========
The following SELinux policy violations were found in /var/log/messages, probably caused by the following line from /etc/nagios/nrpe.cfg:

command[df_var]=df /var/ | sed -re 's/.* ([0-9]+)%.*/\1/' | grep -E '^[0-9]'

Nov 4 03:37:14 puma07 kernel: type=1400 audit(1383529034.042:121204): avc: denied { read } for pid=9303 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 03:47:14 puma07 kernel: type=1400 audit(1383529634.169:121205): avc: denied { read } for pid=1362 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 03:57:14 puma07 kernel: type=1400 audit(1383530234.050:121206): avc: denied { read } for pid=5273 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:07:14 puma07 kernel: type=1400 audit(1383530834.219:121207): avc: denied { read } for pid=8470 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:17:14 puma07 kernel: type=1400 audit(1383531434.078:121208): avc: denied { read } for pid=11562 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:27:14 puma07 kernel: type=1400 audit(1383532034.024:121209): avc: denied { read } for pid=15458 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:37:14 puma07 kernel: type=1400 audit(1383532634.140:121210): avc: denied { read } for pid=18520 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:47:14 puma07 kernel: type=1400 audit(1383533234.222:121211): avc: denied { read } for pid=21590 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:57:14 puma07 kernel: type=1400 audit(1383533834.170:121212): avc: denied { read } for pid=25477 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:07:14 puma07 kernel: type=1400 audit(1383534434.026:121213): avc: denied { read } for pid=28575 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:17:14 puma07 kernel: type=1400 audit(1383535034.159:121214): avc: denied { read } for pid=31640 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:27:14 puma07 kernel: type=1400 audit(1383535634.098:121215): avc: denied { read } for pid=3121 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:37:14 puma07 kernel: type=1400 audit(1383536234.148:121216): avc: denied { read } for pid=6183 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:47:14 puma07 kernel: type=1400 audit(1383536834.229:121217): avc: denied { read } for pid=9399 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 05:57:14 puma07 kernel: type=1400 audit(1383537434.141:121218): avc: denied { read } for pid=13313 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 06:07:14 puma07 kernel: type=1400 audit(1383538034.064:121219): avc: denied { read } for pid=16384 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
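Added example (not part of the bug report or of the nrpe/selinux-policy packages): a small POSIX shell script that condenses a batch of AVC denials like the ones above into one line per distinct (source type, target type, class, permissions) tuple with a hit count, and then prints the TE rule audit2allow would derive from each tuple. The input is a constructed three-line excerpt in the same format as the report; the function names summarize_avc and allow_rule are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Summarise SELinux AVC denials
# from /var/log/messages into distinct (stype, ttype, tclass, perms) tuples
# and show the allow rule each tuple corresponds to, so the denial can be
# checked against the installed policy before anyone writes a local module.

# Constructed sample: three lines in the format quoted in the report.
SAMPLE_MESSAGES='Nov 4 03:37:14 puma07 kernel: type=1400 audit(1383529034.042:121204): avc: denied { read } for pid=9303 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 03:47:14 puma07 kernel: type=1400 audit(1383529634.169:121205): avc: denied { read } for pid=1362 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov 4 04:07:14 puma07 kernel: type=1400 audit(1383530834.219:121207): avc: denied { read } for pid=8470 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# summarize_avc: read syslog lines on stdin, print one line per distinct
# denial as "<count> <source type> <target type> <tclass> <perm[,perm...]>".
summarize_avc() {
    awk '
    /avc: *denied/ {
        # Permissions sit inside the braces: "{ read }" or "{ read write }".
        perms = $0
        sub(/.*denied *\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        gsub(/ /, ",", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> the type is the third field.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/) { c = substr($i, 8) }
        }
        if (s != "" && t != "" && c != "") count[s " " t " " c " " perms]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# allow_rule: turn each summary line into the TE rule audit2allow would emit,
# e.g. "allow nrpe_t var_t:dir read;" or "allow a_t b_t:file { read write };".
allow_rule() {
    awk '{
        perms = $5
        gsub(/,/, " ", perms)
        if (index(perms, " ")) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", $2, $3, $4, perms
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_MESSAGES" | summarize_avc
printf '%s\n' "$SAMPLE_MESSAGES" | summarize_avc | allow_rule
# Before loading such a rule as a local module, check whether the installed
# (or updated) selinux-policy already grants it, e.g. with setools:
#   sesearch -A -s nrpe_t -t var_t -c dir -p read
# If the vendor policy covers it, update selinux-policy rather than carrying
# a local module, which is what this bug's resolution amounts to.
```

The summary step matters because the same denial repeats every ten minutes here (one per nrpe check interval), and a hit count per tuple tells you at a glance that it is one access pattern, not sixteen. The derived rule is deliberately only printed: the right fix for a rule the distribution already ships is the policy update, and a locally loaded module would silently mask that the package was out of date.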
#============= nrpe_t ==============
#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

Should be a part of the latest RHEL6.5 builds.
(In reply to Miroslav Grepl from comment #2)
> #============= nrpe_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow nrpe_t var_t:dir read;
>
> Should be a part of the latest RHEL6.5 builds.

As I stated above, this was found in rhel 6.4.
What's more, this just appeared -- and compared to the last test run, no packages related to nagios or nrpe have changed. So I'm not clear as to why this would happen.
This is fixed in the updated selinux-policy package from RHEL 6.5.