Bug 1156557 - [nagios_system_plugin_t] SELinux is preventing check_procs from getattr access on the file /usr/sbin/nrpe.
Summary: [nagios_system_plugin_t] SELinux is preventing check_procs from getattr acces...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-24 16:32 UTC by Juan Orti
Modified: 2015-01-30 23:54 UTC

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:54:25 UTC
Type: Bug
Embargoed:

Description Juan Orti 2014-10-24 16:32:39 UTC
SELinux is preventing check_procs from getattr access on the file /usr/sbin/nrpe.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_procs should be allowed getattr access on the nrpe file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_procs /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nagios_system_plugin_t:s0
Target Context                system_u:object_r:nrpe_exec_t:s0
Target Objects                /usr/sbin/nrpe [ file ]
Source                        check_procs
Source Path                   check_procs
Port                          <Unknown>
Host                          foo.example.com
Source RPM Packages           
Target RPM Packages           nrpe-2.15-4.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-88.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.example.com
Platform                      Linux foo.example.com 3.17.0-301.fc21.x86_64 #1
                              SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-24 11:53:54 CEST
Last Seen                     2014-10-24 11:53:54 CEST
Local ID                      bb1f6817-6b11-4afc-a6f1-4741edd5f33c

Raw Audit Messages
type=AVC msg=audit(1414144434.311:9481): avc:  denied  { getattr } for  pid=28319 comm="check_procs" path="/usr/sbin/nrpe" dev="sda4" ino=95844 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nrpe_exec_t:s0 tclass=file permissive=0


Hash: check_procs,nagios_system_plugin_t,nrpe_exec_t,file,getattr

----------------

SELinux is preventing check_procs from getattr access on the file /usr/lib64/nagios/plugins/check_ntp_time.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_procs should be allowed getattr access on the check_ntp_time file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_procs /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nagios_system_plugin_t:s0
Target Context                system_u:object_r:nagios_services_plugin_exec_t:s0
Target Objects                /usr/lib64/nagios/plugins/check_ntp_time [ file ]
Source                        check_procs
Source Path                   check_procs
Port                          <Unknown>
Host                          srv01.miceliux.com
Source RPM Packages           
Target RPM Packages           nagios-plugins-ntp-2.0.1-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-88.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     srv01.miceliux.com
Platform                      Linux srv01.miceliux.com 3.17.0-301.fc21.x86_64 #1
                              SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-24 11:53:54 CEST
Last Seen                     2014-10-24 11:53:54 CEST
Local ID                      b500464e-6c32-4de7-b382-24072d0ffded

Raw Audit Messages
type=AVC msg=audit(1414144434.314:9486): avc:  denied  { getattr } for  pid=28319 comm="check_procs" path="/usr/lib64/nagios/plugins/check_ntp_time" dev="sda4" ino=96526 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_services_plugin_exec_t:s0 tclass=file permissive=0


Hash: check_procs,nagios_system_plugin_t,nagios_services_plugin_exec_t,file,getattr

Comment 1 Ruben Kerkhof 2014-12-09 18:24:26 UTC
I just hit the same issue on EPEL 7.
Turns out that check_procs tries to do a stat on /proc/%d/exe.

The code is in check_procs.c in nagios_plugins.
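
Added example, not part of the bug report or of the nagios-plugins or selinux-policy code: a small Python parser that turns the two raw AVC records quoted in the description into the "Hash:" line sealert prints and the merged allow rules an `audit2allow -M mypol` local module would contain. It assumes the single-line AVC format shown above; grouping by source type, target type and class makes the cause in Comment 1 visible, since stat() on /proc/PID/exe resolves to each process's own binary and so the target type changes with every executable check_procs inspects.

```python
import re

# The two raw AVC records quoted in this bug report (copied from the description).
AVC_LINES = [
    'type=AVC msg=audit(1414144434.311:9481): avc:  denied  { getattr } for  pid=28319 '
    'comm="check_procs" path="/usr/sbin/nrpe" dev="sda4" ino=95844 '
    'scontext=system_u:system_r:nagios_system_plugin_t:s0 '
    'tcontext=system_u:object_r:nrpe_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1414144434.314:9486): avc:  denied  { getattr } for  pid=28319 '
    'comm="check_procs" path="/usr/lib64/nagios/plugins/check_ntp_time" dev="sda4" ino=96526 '
    'scontext=system_u:system_r:nagios_system_plugin_t:s0 '
    'tcontext=system_u:object_r:nagios_services_plugin_exec_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Fields sealert and audit2allow use; None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def denial_hash(rec):
    """The 'Hash:' line sealert prints: comm,source type,target type,class,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])

def allow_rules(lines):
    """Merge denials by (source type, target type, class) into allow rules, the way
    audit2allow -M summarises a log; one rule per distinct executable type hit."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            merged.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), set()).update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

These rules are only what the reporter's local `mypol` workaround would grant; the distribution fix landed in selinux-policy-3.13.1-105.fc21 as the later comments note.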

Comment 2 Daniel Walsh 2015-01-02 16:04:01 UTC
161d1224f43b7bd3e9ba080a2d1ad59c7763732d fixes this in git.

Comment 3 Fedora Update System 2015-01-27 16:48:59 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 4 Fedora Update System 2015-01-30 04:31:57 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2015-01-30 23:54:25 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
