Bug 1026150 - [nagios] SELinux violation caused by nrpe, which is trying to run the "df" command on /var/
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: async
Target Release: 4.0
Assignee: Lon Hohberger
QA Contact: Ami Jeain
Reported: 2013-11-04 04:34 UTC by Rami Vaknin
Modified: 2016-04-26 22:21 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-12-03 22:01:24 UTC

Description Rami Vaknin 2013-11-04 04:34:50 UTC
[nagios] SELinux violation caused by nrpe, which is trying to run the df command on /var/

Version
=======
rhos Grizzly on rhel 6.4, puddle 2013-11-01.1
nrpe-2.14-1.el6ost.x86_64
openstack-selinux-0.1.2-10.el6ost.noarch


Description
===========
The following selinux policy violations were found in /var/log/messages, probably caused by the following line from /etc/nagios/nrpe.cfg:
command[df_var]=df /var/ | sed -re 's/.* ([0-9]+)%.*/\1/' | grep -E '^[0-9]'


Nov  4 03:37:14 puma07 kernel: type=1400 audit(1383529034.042:121204): avc:  denied  { read } for  pid=9303 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 03:47:14 puma07 kernel: type=1400 audit(1383529634.169:121205): avc:  denied  { read } for  pid=1362 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 03:57:14 puma07 kernel: type=1400 audit(1383530234.050:121206): avc:  denied  { read } for  pid=5273 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:07:14 puma07 kernel: type=1400 audit(1383530834.219:121207): avc:  denied  { read } for  pid=8470 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:17:14 puma07 kernel: type=1400 audit(1383531434.078:121208): avc:  denied  { read } for  pid=11562 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:27:14 puma07 kernel: type=1400 audit(1383532034.024:121209): avc:  denied  { read } for  pid=15458 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:37:14 puma07 kernel: type=1400 audit(1383532634.140:121210): avc:  denied  { read } for  pid=18520 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:47:14 puma07 kernel: type=1400 audit(1383533234.222:121211): avc:  denied  { read } for  pid=21590 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 04:57:14 puma07 kernel: type=1400 audit(1383533834.170:121212): avc:  denied  { read } for  pid=25477 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:07:14 puma07 kernel: type=1400 audit(1383534434.026:121213): avc:  denied  { read } for  pid=28575 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:17:14 puma07 kernel: type=1400 audit(1383535034.159:121214): avc:  denied  { read } for  pid=31640 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:27:14 puma07 kernel: type=1400 audit(1383535634.098:121215): avc:  denied  { read } for  pid=3121 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:37:14 puma07 kernel: type=1400 audit(1383536234.148:121216): avc:  denied  { read } for  pid=6183 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:47:14 puma07 kernel: type=1400 audit(1383536834.229:121217): avc:  denied  { read } for  pid=9399 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 05:57:14 puma07 kernel: type=1400 audit(1383537434.141:121218): avc:  denied  { read } for  pid=13313 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Nov  4 06:07:14 puma07 kernel: type=1400 audit(1383538034.064:121219): avc:  denied  { read } for  pid=16384 comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
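
As an added example (not part of this bug report or the nrpe/openstack-selinux packages), a small Python script that parses AVC denial lines of the kind quoted above and collapses them into the policy rule a maintainer would compare against the shipped policy, the way audit2allow does. The sample is constructed: the first two AVC lines from this report plus a third, constructed line with a different permission (getattr) on the same type pair, to show how repeated denials are merged.

```python
import re
from collections import defaultdict

# Kernel audit (type=1400) AVC denial as it appears in /var/log/messages.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two AVC lines from this report plus one constructed line with a
# second permission (getattr) on the same nrpe_t -> var_t:dir pair.
SAMPLE = [
    'Nov  4 03:37:14 puma07 kernel: type=1400 audit(1383529034.042:121204): avc:  denied  { read } for  pid=9303 '
    'comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'Nov  4 03:47:14 puma07 kernel: type=1400 audit(1383529634.169:121205): avc:  denied  { read } for  pid=1362 '
    'comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'Nov  4 03:57:14 puma07 kernel: type=1400 audit(1383530234.050:121206): avc:  denied  { getattr } for  pid=5273 '
    'comm="df" name="var" dev=dm-0 ino=18612225 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
]

def parse_avc(line):
    """Return the denial's fields (perms as a list), or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """user:role:type:level -> type, the component policy rules are written against."""
    return ctx.split(":")[2]

def summarise(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    rules = defaultdict(set)
    for line in lines:
        f = parse_avc(line)
        if f:  # skip non-AVC lines
            key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
            rules[key].update(f["perms"])
    return rules

def allow_rules(lines):
    """Render grouped denials as 'allow' statements, like audit2allow, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(summarise(lines).items()):
        plist = sorted(perms)
        perm = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm};")
    return out
```

The output is for comparing against the policy actually installed (as in comment 2), not for loading as a local module unreviewed: a read on var_t:dir is benign for a disk-usage check, but the same tool would happily emit rules for denials that should stay denied.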

Comment 2 Miroslav Grepl 2013-11-04 10:38:11 UTC
#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

Should be a part of the latest RHEL6.5 builds.

Comment 3 Rami Vaknin 2013-11-04 10:43:32 UTC
(In reply to Miroslav Grepl from comment #2)
> #============= nrpe_t ==============
> 
> #!!!! This avc is allowed in the current policy
> allow nrpe_t var_t:dir read;
> 
> Should be a part of the latest RHEL6.5 builds.

As I stated above, this was found in rhel 6.4.

Comment 4 Lon Hohberger 2013-11-04 14:19:09 UTC
What's more is that this just appeared -- and compared to the last test run, no packages related to nagios or nrpe have changed.

So, I'm not clear as to why this would happen.

Comment 9 Lon Hohberger 2013-12-03 22:01:24 UTC
This is fixed in the updated selinux-policy package from RHEL 6.5.
