Description of problem:
Getting SELinux alerts when calling check_log via NRPE.

Agent:
command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

Nagios Server:
sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

------------------------
/var/log/audit/audit.log
------------------------
type=AVC msg=audit(1389653788.715:23): avc: denied { read } for pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 a0=1763250 a1=4 a2=0 a3=8 items=0 ppid=1239 pid=1240 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="check_log" exe="/bin/bash" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)
type=AVC msg=audit(1389653788.724:24): avc: denied { open } for pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 a0=7fff11524f22 a1=0 a2=0 a3=7fff11522c40 items=0 ppid=1240 pid=1246 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="diff" exe="/usr/bin/diff" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)

------------------------
/var/log/messages
------------------------
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /bin/bash from read access on the file server.log. For complete SELinux messages. run sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /usr/bin/diff from open access on the file server.log. For complete SELinux messages. run sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4

------------------------
# sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
------------------------
SELinux is preventing /bin/bash from read access on the file server.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed read access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep check_log /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Set SELinux to Permissive

------------------------
# sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4
------------------------
SELinux is preventing /usr/bin/diff from open access on the file server.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that diff should be allowed open access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep diff /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

------------------------
grep diff /var/log/audit/audit.log | audit2allow -M mycheck_log
------------------------
module mycheck_log 1.0;

require {
    type nagios_system_plugin_t;
    type var_log_t;
    class file read;
}

------------------------
grep check_log /var/log/audit/audit.log | audit2allow -M mydiff
------------------------
module mydiff 1.0;

require {
    type nagios_system_plugin_t;
    type var_log_t;
    class file open;
}

------------------------

Steps to Reproduce:
1. rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
2. yum install nagios-plugins-log-1.4.16-10.el6.x86_64
3. Configure check_log: command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN
3. On client: setenforce Permissive
4. From Nagios Core Server: sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

Actual results:
Description of problem

Expected results:
SELinux Policy should handle var_log_t

Additional info:

# lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 6.5 (Santiago)
Release: 6.5
Codename: Santiago

# uname -a
Linux virtual2.example.com 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Dec 13 06:58:20 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

EPEL installation:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Nagios NRPE RPM Installation:
nrpe.x86_64 2.14-5.el6 @epel

Nagios Core RPM Installation:
nagios.x86_64 3.5.1-1.el6 @epel

# diff nrpe.cfg nrpe.cfg.org
81c81
< allowed_hosts=127.0.0.1,192.168.122.93
---
> allowed_hosts=127.0.0.1
138d137
< command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

# ll -Z /usr/lib64/nagios/plugins/check_log
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_log
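Added example, not part of the original report or of the nagios-plugins or SELinux tooling: a small Python triage script that pairs each AVC record quoted above with its SYSCALL record by audit event serial, merges the denials into the single allow rule they imply, and marks whether the access was only logged. The function names `parse_events` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Audit records quoted in the report above (events 23 and 24).
AUDIT_LOG = """\
type=AVC msg=audit(1389653788.715:23): avc: denied { read } for pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 a0=1763250 a1=4 a2=0 a3=8 items=0 ppid=1239 pid=1240 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="check_log" exe="/bin/bash" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)
type=AVC msg=audit(1389653788.724:24): avc: denied { open } for pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 a0=7fff11524f22 a1=0 a2=0 a3=7fff11522c40 items=0 ppid=1240 pid=1246 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="diff" exe="/usr/bin/diff" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event serial (assumes one AVC per event, as in the report)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = PERMS_RE.search(body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[int(serial)][rtype] = fields
    return dict(events)


def summarize(events):
    """Return (allow_rules, findings) for the denied accesses."""
    rules, findings = defaultdict(set), []
    for serial, rec in sorted(events.items()):
        avc, sc = rec.get("AVC"), rec.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        rules[(src, tgt, avc["tclass"])].update(avc["perms"])
        # A denial whose syscall still succeeded was logged but not enforced.
        logged_only = sc.get("success") == "yes"
        findings.append((serial, sc.get("exe"), avc["perms"], logged_only))
    allow = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(rules.items())]
    return allow, findings
```

Both events come back as logged-only, which matches the `setenforce Permissive` step in the reproduction. The merged rule targets the generic `var_log_t` type, so loading it would let `nagios_system_plugin_t` read every file carrying that label, not only `server.log`.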
nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30
nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0
nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30
nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9
nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9
nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf
nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc
nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.