Bug 1198436 - [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7
Summary: [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Simon Sekidde
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1198439
Depends On:
Blocks: 1169221 1212796 1222493
Reported: 2015-03-04 06:53 UTC by Timothy Asir
Modified: 2015-07-22 07:12 UTC
CC List: 16 users

Fixed In Version: selinux-policy-3.7.19-268.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1222493
Environment:
Last Closed: 2015-07-22 07:12:10 UTC


Attachments
avc from gluster server (nagios client) (136.17 KB, text/plain) - 2015-04-03 10:50 UTC, Stanislav Graf
avc from nagios server (5.28 KB, text/plain) - 2015-04-03 10:51 UTC, Stanislav Graf
avc from gluster server (nagios client) permissive (14.23 KB, text/plain) - 2015-04-20 07:28 UTC, Stanislav Graf
avc from nagios server permissive (61.02 KB, text/plain) - 2015-04-20 07:29 UTC, Stanislav Graf


Links
Red Hat Product Errata RHBA-2015:1375 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2015-07-20 18:07:47 UTC
Red Hat Bugzilla 1223710

Internal Links: 1223710

Description Timothy Asir 2015-03-04 06:53:43 UTC
Description of problem:
SELinux blocks gluster-nagios plugins on the nagios server.

How reproducible:
Always

Steps to Reproduce:
1) Install the gluster nagios server, add a few glusterfs nodes and configure
them manually or using the auto-discovery script on an SELinux-enabled system.
   One can use the following steps to quickly create the environment.
    i) Install gluster-nagios-common and nagios-server-addons on the nagios server
   ii) Add the nagios server IP address to the allowed_hosts entry in
       /etc/nagios/nrpe.cfg on every gluster node
2) Create a few gluster volumes on the nodes
3) Configure the plugins. One can run the auto-discovery script to configure
   them automatically. Script file: /usr/lib64/nagios/plugins/gluster/discovery.py
4) Check for Volume Status and Volume Utilization

Actual results:
Status information of the plugin services shows null. 

Expected results:
It should display the actual status and utilization of the volume.

Additional info:
It works when we enable the following SELinux policy module on the server:

module mypol 1.0;

require {
        type nagios_log_t;
        type hostname_exec_t;
        type glusterd_t;
        type glusterd_var_lib_t;
        type nagios_t;
        type tmp_t;
        type logrotate_t;
        type nrpe_t;
        type sudo_exec_t;
        type virt_cache_t;
        class dir read;
        class key { write setattr };
        class file { execute getattr execute_no_trans };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

#!!!! This avc is allowed in the current policy
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };

#============= logrotate_t ==============
allow logrotate_t virt_cache_t:dir read;

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;

#!!!! This avc is allowed in the current policy
allow nagios_t sudo_exec_t:file getattr;

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };
allow nrpe_t tmp_t:dir read;

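How the module posted in the description would be turned into a loadable local policy module, as an added example that is not part of this bug report or of the selinux-policy project. Its one addition to the plain checkmodule/semodule_package/semodule sequence is a filter that drops the rules audit2allow itself marks "This avc is allowed in the current policy": those denials are not missing rules, they mean the process or file did not carry the label the policy expects, which is exactly the kind of problem the thread later finds on the plugin helpers. The embedded module is a trimmed copy of the posted one; the function names (`sample_te`, `strip_already_allowed`, `build_and_load`) are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy: build the
# reporter's audit2allow module as a local policy module, but first drop the
# rules audit2allow itself flags "This avc is allowed in the current policy".
# A denial that the policy already allows means the subject or object did
# not carry the label the policy expects (here: helpers under
# /usr/lib64/nagios/plugins carrying the wrong type), so adding such a rule
# hides a labelling problem instead of fixing it.

# Trimmed copy of the module posted in the description (same syntax, fewer
# rules) so the script runs offline.
sample_te() {
  cat <<'EOF'
module mypol 1.0;

require {
        type nagios_log_t;
        type nagios_t;
        type tmp_t;
        type nrpe_t;
        type sudo_exec_t;
        class dir read;
        class key { write setattr };
        class file { execute getattr };
}

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;

#!!!! This avc is allowed in the current policy
allow nagios_t sudo_exec_t:file getattr;

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };
allow nrpe_t tmp_t:dir read;
EOF
}

# Remove each "already allowed" marker together with the allow rule that
# follows it; everything else (module header, require block, comments) is
# passed through unchanged.
strip_already_allowed() {
  awk '
    /^#!!!! This avc is allowed in the current policy/ { skip = 1; next }
    skip && /^allow /                                   { skip = 0; next }
    { print }'
}

# Compile and load a .te read from stdin: checkmodule (checkpolicy package),
# semodule_package and semodule (policycoreutils). Needs root and an SELinux
# host; returns 2 if the tools are missing so it can be scripted safely.
build_and_load() {
  name=$1
  for t in checkmodule semodule_package semodule; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing $t" >&2; return 2; }
  done
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/$name.te" &&
    checkmodule -M -m -o "$tmp/$name.mod" "$tmp/$name.te" &&
    semodule_package -o "$tmp/$name.pp" -m "$tmp/$name.mod" &&
    semodule -i "$tmp/$name.pp"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Stand-alone: print the filtered module. To load it:
#   sample_te | strip_already_allowed | build_and_load mypol
# and, once the errata policy is installed:  semodule -r mypol
sample_te | strip_already_allowed
```

Even after filtering, `allow nagios_t nagios_log_t:file execute` deserves a second look before loading: a daemon executing something labelled as its own log data is usually a mislabelled file rather than a missing permission, so run `matchpathcon` on the path named in that AVC first, the same check comment 4 asks for on the plugin itself. A local module like this is a stopgap; the fix the thread arrives at is the updated policy plus the `nagios_run_sudo` boolean.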
Comment 2 Milos Malik 2015-03-10 10:28:27 UTC
Could you provide the list of denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 4 Miroslav Grepl 2015-04-03 09:31:56 UTC
What does

$ matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py

say on your system?

Comment 5 Miroslav Grepl 2015-04-03 09:32:10 UTC
*** Bug 1198439 has been marked as a duplicate of this bug. ***

Comment 6 Stanislav Graf 2015-04-03 10:50:37 UTC
Created attachment 1010595 [details]
avc from gluster server (nagios client)

Comment 7 Stanislav Graf 2015-04-03 10:51:04 UTC
Created attachment 1010596 [details]
avc from nagios server

Comment 8 Stanislav Graf 2015-04-03 10:52:54 UTC
gluster server
--------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

nagios server
-------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Comment 9 Miroslav Grepl 2015-04-12 09:21:36 UTC
Could you please add AVC msgs from permissive mode?

Comment 10 Miroslav Grepl 2015-04-12 09:23:28 UTC
Also, could we label

/var/lib/glusterd/hooks/1/set/post/S30samba-set.sh

as bin_t?

Is /var/lib/glusterd/hooks writable by glusterd?

Comment 11 Sahina Bose 2015-04-17 06:33:32 UTC
/var/lib/glusterd/hooks/ - is not related to the gluster-nagios rpms, but glusterfs rpms. So this is mostly part of a different bug?

Comment 12 Stanislav Graf 2015-04-20 07:28:37 UTC
Created attachment 1016244 [details]
avc from gluster server (nagios client) permissive

Comment 13 Stanislav Graf 2015-04-20 07:29:07 UTC
Created attachment 1016245 [details]
avc from nagios server permissive

Comment 14 Stanislav Graf 2015-04-20 07:31:25 UTC
avc from gluster server (nagios client) permissive
--------------------------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow 


#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };



avc from nagios server permissive
---------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow 


#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;
allow nagios_t self:capability { sys_resource sys_ptrace audit_write };
allow nagios_t self:key write;
allow nagios_t self:netlink_audit_socket { nlmsg_relay create };
allow nagios_t self:process { setsched setrlimit };
allow nagios_t sudo_exec_t:file { read getattr open execute execute_no_trans };

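What audit2allow is doing with the ausearch output in the comment above, as an added example that is not part of this bug report or of the selinux-policy project: a small awk summariser that turns raw `type=AVC` records into audit2allow-style allow rules, merging permissions per (source type, target type, class) and collapsing a target equal to the source into `self`. The sample records are constructed to match the denials this bug shows (fake pids, inodes and timestamps); they are not copied from the attachments. The function names `sample_avcs` and `avc_to_rules` are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: a minimal audit2allow-style
# summariser for raw AVC records, so the grouping audit2allow performs on
# the ausearch output above can be inspected offline.

# Constructed sample input shaped like the denials in this bug (fake pids,
# inodes and timestamps; not copied from the attachments).
sample_avcs() {
  cat <<'EOF'
type=AVC msg=audit(1429521123.101:2001): avc:  denied  { getattr } for  pid=4101 comm="check_vol_status" path="/usr/bin/sudo" dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1429521123.102:2002): avc:  denied  { execute } for  pid=4101 comm="check_vol_status" name="sudo" dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1429521123.103:2003): avc:  denied  { read open } for  pid=4101 comm="check_vol_status" name="sudo" dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1429521123.104:2004): avc:  denied  { execute_no_trans } for  pid=4101 comm="check_vol_status" path="/usr/bin/sudo" dev=dm-0 ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1429521123.105:2005): avc:  denied  { write } for  pid=4102 comm="sudo" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=key
type=AVC msg=audit(1429521123.106:2006): avc:  denied  { sys_resource } for  pid=4102 comm="sudo" capability=24 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability
type=AVC msg=audit(1429521123.107:2007): avc:  denied  { write setattr } for  pid=5201 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=key
EOF
}

# Read AVC records on stdin and print one "allow SRC TGT:CLASS perms;" line
# per (source type, target type, class), permissions merged and deduplicated.
# Works on raw and on "ausearch -i" output: both keep the scontext=,
# tcontext= and tclass= tokens and the "{ perms }" braces.
avc_to_rules() {
  awk '
    /avc:[[:space:]]+denied/ {
      # the permission list is the text between the first "{" and "}"
      perms = $0
      sub(/^.*denied[[:space:]]*[{][[:space:]]*/, "", perms)
      sub(/[[:space:]]*[}].*$/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      if (src == tgt) tgt = "self"
      key = src " " tgt ":" cls
      n = split(perms, p, /[[:space:]]+/)
      for (i = 1; i <= n; i++)
        if (p[i] != "" && !seen[key, p[i]]++) rules[key] = rules[key] " " p[i]
    }
    END {
      for (k in rules) {
        perms = substr(rules[k], 2)                   # drop the leading space
        if (index(perms, " ")) perms = "{ " perms " }"
        printf "allow %s %s;\n", k, perms
      }
    }' | sort
}

# Stand-alone: summarise the constructed sample. On a live host:
#   ausearch -m avc -m user_avc -m selinux_err -ts today | avc_to_rules
sample_avcs | avc_to_rules
```

Grouping by source type is what makes the list readable: the `nagios_t` entries above all come from one event, a plugin running as `nagios_t` executing sudo, which is the chain comment 15 identifies. That is also why the thread ends with a policy boolean (`nagios_run_sudo`) rather than with the rules themselves being merged into a local module: a boolean expresses "nagios may run sudo" as a single, reversible switch, while a hand-written allow list has to be maintained every time sudo needs one more capability.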
Comment 15 Milos Malik 2015-04-20 08:58:52 UTC
We changed the label on following files and the problem (nrpe executes a script and the script executes sudo which generates AVCs) went away:

# cd /usr/lib64/nagios/plugins
# chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Comment 16 Miroslav Grepl 2015-04-22 09:15:13 UTC
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Ok, are these scripts called by nagios by default?

Comment 17 Miroslav Grepl 2015-04-22 12:51:38 UTC
Ok we have

/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/urlize  --  gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.pm  --  gen_context(system_u:object_r:bin_t,s0)

Comment 18 Milos Malik 2015-04-22 14:58:49 UTC
additional information to comment#10:

# ls -l /var/lib/glusterd/hooks/1/set/post/
total 12
-rwxr--r--. 1 root root 4010 Mar 18 12:32 S30samba-set.sh
-rwxr--r--. 1 root root 7927 Mar 18 12:32 S31ganesha-set.sh
# rpm -qf /var/lib/glusterd/hooks/1/set/post/*
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
#

Comment 19 Miroslav Grepl 2015-05-13 14:57:56 UTC
(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Not sure if it is a correct solution. These scripts are not plugins.

We probably will need to add 

nagios_run_sudo

boolean.

Comment 22 Miroslav Grepl 2015-05-19 10:28:19 UTC
commit 4b8ebda67993924d12bd39131846124ac67bef61
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 19 12:19:41 2015 +0200

    Update nagios_run_sudo boolean to allow run chkpwd.

Comment 23 Miroslav Grepl 2015-05-19 13:26:15 UTC
Could you please test it with

https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment 26 Stanislav Graf 2015-05-21 09:55:06 UTC
Retested both Bug 1198436 and Bug 1113481.

I had the following configuration on the Nagios server and client / monitored node:
# getenforce
Enforcing
# getsebool nagios_run_sudo
nagios_run_sudo --> on
# rpm -qa 'selinux-policy*'
selinux-policy-targeted-3.7.19-268.el6.noarch
selinux-policy-3.7.19-268.el6.noarch

All works as expected. This selinux-policy build (together with the nagios_run_sudo boolean) fixes the issue for the RH-Gluster + Nagios use case.

To accommodate the new SELinux boolean in our workflow, I've created Bug 1223710.

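A post-update check matching the verification in the comment above, as an added example that is not part of this bug report or of the selinux-policy project. It confirms the three things the thread settled on: the installed selinux-policy is at least the "Fixed In Version" build (3.7.19-268), the `nagios_run_sudo` boolean is on, and the helper files from comment 17 carry the label the loaded policy expects rather than a hand-applied `chcon` such as the one in comment 15. Only the version comparison runs offline; the other checks need an SELinux host with policycoreutils. The `/usr/lib64/...` paths follow comment 15 (x86_64); the function names and the assumption that selinux-policy versions are purely numeric segments are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: verify that the fix for this
# bug is actually in effect on a host. Only version_ge is pure; the rest
# shells out to rpm, getenforce, getsebool, restorecon and matchpathcon.

FIXED_IN="3.7.19-268"   # from "Fixed In Version: selinux-policy-3.7.19-268.el6"

# version_ge A B: exit 0 if A >= B, comparing numeric segments left to right.
# Assumption: segments are numeric (true for selinux-policy's 3.7.19-NNN
# scheme). Anything after the release number, e.g. "el6" or "el6_6.2",
# only decides ties, so 3.7.19-268.el6 >= 3.7.19-268 and 3.7.19-260.el6_6.2 < 3.7.19-268.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n && x[i] != "") ? x[i] + 0 : 0
      q = (i <= m && y[i] != "") ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# "3.7.19-268.el6" for the installed selinux-policy, empty if not installed.
policy_version() {
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy 2>/dev/null
}

check_host() {
  rc=0
  v=$(policy_version) || { echo "FAIL selinux-policy not installed"; return 1; }
  if version_ge "$v" "$FIXED_IN"; then echo "ok   selinux-policy $v >= $FIXED_IN"
  else echo "FAIL selinux-policy $v < $FIXED_IN: update to the errata build"; rc=1; fi

  if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then echo "ok   Enforcing"
  else echo "WARN not Enforcing, denials will not show as failures"; fi

  if getsebool nagios_run_sudo 2>/dev/null | grep -q -- '--> on'; then echo "ok   nagios_run_sudo on"
  else echo "FAIL nagios_run_sudo off: setsebool -P nagios_run_sudo on"; rc=1; fi

  # Label check: restorecon -n -v prints the files it *would* relabel, so any
  # output means the on-disk context differs from the policy's file_contexts
  # (for example a leftover chcon). Files from comment 17, lib64 per comment 15.
  for f in /usr/lib64/nagios/plugins/negate /usr/lib64/nagios/plugins/urlize \
           /usr/lib64/nagios/plugins/utils.sh /usr/lib64/nagios/plugins/utils.pm; do
    [ -e "$f" ] || continue
    if [ -n "$(restorecon -n -v "$f" 2>/dev/null)" ]; then
      echo "FAIL $f: expected $(matchpathcon -n "$f"); run restorecon -v $f"; rc=1
    else
      echo "ok   $f labelled as policy expects"
    fi
  done
  return $rc
}

# Stand-alone usage:  sh verify-nagios-selinux.sh check
if [ "$1" = "check" ]; then check_host; fi
```

The label check is the part worth keeping around: `chcon` changes survive until the next relabel and then silently disappear, so a host that "worked" because of comment 15's workaround can regress after `restorecon`, a `touch /.autorelabel` reboot, or a package update that ships new file contexts. `restorecon -n -v` tells you whether the system's labels and the policy's file_contexts agree without modifying anything.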
Comment 29 errata-xmlrpc 2015-07-22 07:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

