Bug 1123574 - [SELinux] [RHSC] PNP4Nagios AVC denial - RHEL-7.2
Summary: [SELinux] [RHSC] PNP4Nagios AVC denial - RHEL-7.2
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks: 1169221 1212796 1230292 1238966
TreeView+ depends on / blocked
Reported: 2014-07-26 19:07 UTC by Erinn Looney-Triggs
Modified: 2015-11-19 10:22 UTC (History)
18 users (show)

Fixed In Version: selinux-policy-3.13.1-27.el7
Doc Type: Bug Fix
Doc Text:
When running the Nagios application with the PNP4Nagios module, PNP4Nagios failed to load. With this update, the nagios_run_pnp4nagios Boolean has been introduced to allow Nagios to execute files in the /var/log/nagios/spool/checkresults directory, and PNP4Nagios now loads as expected.
Clone Of:
: 1230292 1238966 (view as bug list)
Last Closed: 2015-11-19 10:22:27 UTC

Attachments (Terms of Use)
pnp4nagios avcs permissive (96.51 KB, text/plain)
2015-04-20 07:44 UTC, Stanislav Graf
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Erinn Looney-Triggs 2014-07-26 19:07:20 UTC
Description of problem:
When running Nagios in conjunction with PNP4Nagios the following occurs:

node=example.com type=SYSCALL msg=audit(1406400987.278:12473): arch=c000003e syscall=9 success=yes exit=140132391223296 a0=0 a1=204190 a2=5 a3=802 items=0 ppid=27618 pid=27626 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="nagios" exe="/usr/sbin/nagios" subj=system_u:system_r:nagios_t:s0 key=(null)
node=example.com type=AVC msg=audit(1406400987.278:12473): avc:  denied  { execute } for  pid=27626 comm="nagios" path="/var/log/nagios/spool/checkresults/nebmod3FcbjN" dev="dm-3" ino=50331818 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):

Needs: allow nagios_t nagios_log_t:file execute;

This causes the PNP4Nagios module to fail to load, and as such no pretty graphs.

Comment 2 Miroslav Grepl 2014-09-01 10:39:38 UTC
Does this executable need to be located in /var/log?

Comment 3 Stanislav Graf 2015-04-20 07:44:49 UTC
Created attachment 1016249 [details]
pnp4nagios avcs permissive

Comment 4 Stanislav Graf 2015-04-20 07:46:40 UTC
We see the issue also on RHEL6 with selinux-policy-3.7.19-260.el6_6.2, see attachment 1016249 [details] for avcs in permissive mode.

Comment 19 Milos Malik 2015-06-12 13:46:25 UTC
# rpm -qa selinux-policy\*
# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -D

# sesearch -s nagios_t -t nagios_var_lib_t -c dir -p create -A


Comment 20 RamaKasturi 2015-06-15 07:13:43 UTC
Hi Milos,

   I am seeing another avc with nagios on RHEL 7.1.Here is the avc.

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= nrpe_t ==============
allow nrpe_t device_t:sock_file write;

Attached the logs in the link below.


Comment 21 Milos Malik 2015-06-15 07:35:11 UTC
Please install selinux-policy-3.13.1-27.el7. It fixes a regression introduced by selinux-policy-3.13.1-26.el7 (BZ#1230932).

Comment 25 Stanislav Graf 2015-06-24 19:21:57 UTC
I've retested today with

All works as expected. I saw one new nrpe related issue on one of RHEL6 nodes, created Bug 1235405.

I had following booleans status on nagios server node:
nagios_run_pnp4nagios --> on
nagios_run_sudo --> on

and following on monitored node:
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on

Comment 31 errata-xmlrpc 2015-11-19 10:22:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.