Bug 1052740 - SELinux is preventing check_log via NRPE from read and open var_log_t files
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: el6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Ohad Levy
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2014-01-13 23:56 UTC by Magnus K Karlsson
Modified: 2017-08-10 06:19 UTC

Fixed In Version: nagios-plugins-2.2.1-3git.fc24 nagios-plugins-2.2.1-4git.fc26 nagios-plugins-2.2.1-4git.el7 nagios-plugins-2.2.1-3git.fc25 nagios-plugins-2.2.1-4git.el6
Doc Type: Bug Fix
Last Closed: 2017-07-23 21:50:56 UTC
Type: Bug

Description Magnus K Karlsson 2014-01-13 23:56:25 UTC
Description of problem:
Getting SELinux alerts when calling check_log via NRPE.

Agent:
command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

Nagios Server:
sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

------------------------
/var/log/audit/audit.log
------------------------
type=AVC msg=audit(1389653788.715:23): avc:  denied  { read } for  pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 a0=1763250 a1=4 a2=0 a3=8 items=0 ppid=1239 pid=1240 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="check_log" exe="/bin/bash" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)
type=AVC msg=audit(1389653788.724:24): avc:  denied  { open } for  pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 a0=7fff11524f22 a1=0 a2=0 a3=7fff11522c40 items=0 ppid=1240 pid=1246 auid=0 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=1 comm="diff" exe="/usr/bin/diff" subj=unconfined_u:system_r:nagios_system_plugin_t:s0 key=(null)

------------------------
/var/log/messages
------------------------
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /bin/bash from read access on the file server.log. For complete SELinux messages. run sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
Jan 13 23:56:31 virtual1 setroubleshoot: SELinux is preventing /usr/bin/diff from open access on the file server.log. For complete SELinux messages. run sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4

------------------------
# sealert -l b43a31aa-2e78-4c5b-a7a4-c45955579678
------------------------
SELinux is preventing /bin/bash from read access on the file server.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_log /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Set SELinux to Permissive

------------------------
# sealert -l c4008235-bcfe-4fe2-8e84-c3093b0052f4
------------------------
SELinux is preventing /usr/bin/diff from open access on the file server.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that diff should be allowed open access on the server.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep diff /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

------------------------
grep diff /var/log/audit/audit.log | audit2allow -M mycheck_log
------------------------
module mycheck_log 1.0;

require {
	type nagios_system_plugin_t;
	type var_log_t;
	class file read;
}

------------------------
grep check_log /var/log/audit/audit.log | audit2allow -M mydiff
------------------------
module mydiff 1.0;

require {
	type nagios_system_plugin_t;
	type var_log_t;
	class file open;
}

------------------------

Steps to Reproduce:
1. rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
2. yum install nagios-plugins-log-1.4.16-10.el6.x86_64
3. Configure check_log: command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN
4. On client: setenforce Permissive
5. From Nagios Core Server: sudo -u nagios /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.196 -c check_jboss_log

Actual results:
Description of problem

Expected results:
SELinux Policy should handle var_log_t

Additional info:
# lsb_release -a
LSB Version:	:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:	RedHatEnterpriseServer
Description:	Red Hat Enterprise Linux Server release 6.5 (Santiago)
Release:	6.5
Codename:	Santiago

# uname -a
Linux virtual2.example.com 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Dec 13 06:58:20 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

EPEL installation:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Nagios NRPE RPM Installation:
nrpe.x86_64                            2.14-5.el6                          @epel

Nagios Core RPM Installation:
nagios.x86_64                      3.5.1-1.el6             @epel 

# diff nrpe.cfg nrpe.cfg.org 
81c81
< allowed_hosts=127.0.0.1,192.168.122.93
---
> allowed_hosts=127.0.0.1
138d137
< command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log -O /tmp/check_log.old -q WARN

# ll -Z /usr/lib64/nagios/plugins/check_log
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_log
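
Added example, not part of the original report or of the nagios-plugins or SELinux policy code: a Python parser that pairs each AVC record quoted above with its SYSCALL record by audit serial, reports which denials were only logged (success=yes, as expected after the "setenforce Permissive" step), and merges them into one allow rule covering both permissions named in the two audit2allow listings. The function names are this example's own, and the SYSCALL lines in the sample are trimmed copies of the ones in the report.

```python
import re
from collections import defaultdict

# Sample input: the report's two AVC records, plus its SYSCALL records trimmed to the fields used.
SAMPLE = """\
type=AVC msg=audit(1389653788.715:23): avc:  denied  { read } for  pid=1240 comm="check_log" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.715:23): arch=c000003e syscall=21 success=yes exit=0 comm="check_log" exe="/bin/bash"
type=AVC msg=audit(1389653788.724:24): avc:  denied  { open } for  pid=1246 comm="diff" name="server.log" dev=dm-0 ino=527521 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1389653788.724:24): arch=c000003e syscall=2 success=yes exit=3 comm="diff" exe="/usr/bin/diff"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
AVC = re.compile(r'denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def parse(log):
    """Group records by audit serial: {serial: {"avc": [...], "success": str or None}}."""
    events = defaultdict(lambda: {"avc": [], "success": None})
    for line in log.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        rtype, serial = head.groups()
        if rtype == "AVC":
            m = AVC.search(line)
            if m:
                perms, comm, scon, tcon, tclass = m.groups()
                # A context is user:role:type:level; policy rules use only the type.
                events[serial]["avc"].append(
                    (comm, scon.split(":")[2], tcon.split(":")[2], tclass, perms.split()))
        elif rtype == "SYSCALL":
            s = re.search(r"success=(\w+)", line)
            events[serial]["success"] = s.group(1) if s else None
    return dict(events)

def allow_rules(events):
    """Merge all denied permissions into one rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for ev in events.values():
        for _, src, tgt, tclass, perms in ev["avc"]:
            merged[(src, tgt, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def logged_only(events):
    """Serials whose syscall succeeded despite the denial (logged, not enforced)."""
    return sorted(k for k, ev in events.items() if ev["avc"] and ev["success"] == "yes")

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(allow_rules(ev), logged_only(ev))
```

The resulting rule applies to every file labelled var_log_t, not only server.log, so review it before loading it with semodule.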

Comment 2 Fedora Update System 2017-07-03 20:55:02 UTC
nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 3 Fedora Update System 2017-07-06 02:48:34 UTC
nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0

Comment 4 Fedora Update System 2017-07-06 02:49:49 UTC
nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 5 Fedora Update System 2017-07-12 20:30:54 UTC
nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 6 Fedora Update System 2017-07-13 19:49:27 UTC
nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 7 Fedora Update System 2017-07-13 19:50:29 UTC
nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024

Comment 8 Fedora Update System 2017-07-13 21:21:21 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4

Comment 9 Fedora Update System 2017-07-13 21:23:41 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf

Comment 10 Fedora Update System 2017-07-13 23:53:50 UTC
nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc

Comment 11 Fedora Update System 2017-07-14 18:57:43 UTC
nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 12 Fedora Update System 2017-07-16 21:21:00 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 13 Fedora Update System 2017-07-23 04:18:23 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42

Comment 14 Fedora Update System 2017-07-23 04:22:54 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686

Comment 15 Fedora Update System 2017-07-23 21:50:56 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2017-08-03 15:52:33 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-08-09 15:22:32 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-08-09 19:56:49 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-10 06:19:51 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

