1198436 – [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1198436 - [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7

Summary: [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Simon Sekidde
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1198439 (view as bug list)
Depends On:
Blocks:	1169221 1212796 1222493
TreeView+	depends on / blocked

Reported:	2015-03-04 06:53 UTC by Timothy Asir
Modified:	2015-07-22 07:12 UTC (History)
CC List:	16 users (show)
Fixed In Version:	selinux-policy-3.7.19-268.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1222493 (view as bug list)
Environment:
Last Closed:	2015-07-22 07:12:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
avc from gluster server (nagios client) (136.17 KB, text/plain) 2015-04-03 10:50 UTC, Stanislav Graf	no flags	Details
avc from nagios server (5.28 KB, text/plain) 2015-04-03 10:51 UTC, Stanislav Graf	no flags	Details
avc from gluster server (nagios client) permissive (14.23 KB, text/plain) 2015-04-20 07:28 UTC, Stanislav Graf	no flags	Details
avc from nagios server permissive (61.02 KB, text/plain) 2015-04-20 07:29 UTC, Stanislav Graf	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1223710	0	high	CLOSED	[SELinux] [RFE] Enable nagios_run_sudo boolean	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2015:1375	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-07-20 18:07:47 UTC

Internal Links: 1223710

Description Timothy Asir 2015-03-04 06:53:43 UTC

Description of problem:
Selinux blocks gluster-nagios plugins in the nagios server.

How reproducible:
Always

Steps to Reproduce:
1) Install gluster nagios server and add few glusterfs node and configure
manually or using auto discovery script in an selinux enabled system.
   One can use the following steps to quickly create the environment.
    i) Install gluster-nagios-common and nagios-server-addons in nagios-server
   ii) Add nagios server ip address into allowed_host entry in every
       gluster node(s) in /etc/nagios/nrpe.cfg
2) Create few gluster volumes in the nodes
3) Configure the plugins. One can run auto discovery script to configure 
   automatically. Script file: /usr/lib64/nagios/plugins/gluster/discovery.py
4) Check for Volume Status and Volume Utilization

Actual results:
Status information of the plugin services shows null. 

Expected results:
It should display the actual status and utilization of the volume.

Additional info:
It works when we enable the selinux policy in the server as follows:

module mypol 1.0;

require {
        type nagios_log_t;
        type hostname_exec_t;
        type glusterd_t;
        type glusterd_var_lib_t;
        type nagios_t;
        type tmp_t;
        type logrotate_t;
        type nrpe_t;
        type sudo_exec_t;
        type virt_cache_t;
        class dir read;
        class key { write setattr };
        class file { execute getattr execute_no_trans };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

#!!!! This avc is allowed in the current policy
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };

#============= logrotate_t ==============
allow logrotate_t virt_cache_t:dir read;

#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;

#!!!! This avc is allowed in the current policy
allow nagios_t sudo_exec_t:file getattr;

#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };
allow nrpe_t tmp_t:dir read;

Comment 2 Milos Malik 2015-03-10 10:28:27 UTC

Could you provide the list of denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 4 Miroslav Grepl 2015-04-03 09:31:56 UTC

What does

$ matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py

on your system?

Comment 5 Miroslav Grepl 2015-04-03 09:32:10 UTC

*** Bug 1198439 has been marked as a duplicate of this bug. ***

Comment 6 Stanislav Graf 2015-04-03 10:50:37 UTC

Created attachment 1010595 [details]
avc from gluster server (nagios client)

Comment 7 Stanislav Graf 2015-04-03 10:51:04 UTC

Created attachment 1010596 [details]
avc from nagios server

Comment 8 Stanislav Graf 2015-04-03 10:52:54 UTC

gluster server
--------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

nagios server
-------------
# matchpathcon /usr/lib64/nagios/plugins/gluster/discovery.py
/usr/lib64/nagios/plugins/gluster/discovery.py	system_u:object_r:nagios_unconfined_plugin_exec_t:s0
# rpm -qa 'selinux*' |sort
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Comment 9 Miroslav Grepl 2015-04-12 09:21:36 UTC

Could you please add AVC msgs from permissive mode?

Comment 10 Miroslav Grepl 2015-04-12 09:23:28 UTC

Also could we label

/var/lib/glusterd/hooks/1/set/post/S30samba-set.sh

as bin_t. 

Is /var/lib/glusterd/hooks writeable by glusterd?

Comment 11 Sahina Bose 2015-04-17 06:33:32 UTC

/var/lib/glusterd/hooks/ - is not related to the gluster-nagios rpms, but glusterfs rpms. So this is mostly part of a different bug?

Comment 12 Stanislav Graf 2015-04-20 07:28:37 UTC

Created attachment 1016244 [details]
avc from gluster server (nagios client) permissive

Comment 13 Stanislav Graf 2015-04-20 07:29:07 UTC

Created attachment 1016245 [details]
avc from nagios server permissive

Comment 14 Stanislav Graf 2015-04-20 07:31:25 UTC

avc from gluster server (nagios client) permissive
--------------------------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow 


#============= nrpe_t ==============
allow nrpe_t self:key { write setattr };



avc from nagios server permissive
---------------------------------
# ausearch -m avc -m user_avc -m selinux_err -i -ts today | audit2allow 


#============= nagios_t ==============
allow nagios_t nagios_log_t:file execute;
allow nagios_t self:capability { sys_resource sys_ptrace audit_write };
allow nagios_t self:key write;
allow nagios_t self:netlink_audit_socket { nlmsg_relay create };
allow nagios_t self:process { setsched setrlimit };
allow nagios_t sudo_exec_t:file { read getattr open execute execute_no_trans };

Comment 15 Milos Malik 2015-04-20 08:58:52 UTC

We changed the label on following files and the problem (nrpe executes a script and the script executes sudo which generates AVCs) went away:

# cd /usr/lib64/nagios/plugins
# chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Comment 16 Miroslav Grepl 2015-04-22 09:15:13 UTC

(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Ok are these scripts called by nagios by default?

Comment 17 Miroslav Grepl 2015-04-22 12:51:38 UTC

Ok we have

/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/urlize  --  gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins/utils.pm  --  gen_context(system_u:object_r:bin_t,s0)

Comment 18 Milos Malik 2015-04-22 14:58:49 UTC

additional information to comment#10:

# ls -l /var/lib/glusterd/hooks/1/set/post/
total 12
-rwxr--r--. 1 root root 4010 Mar 18 12:32 S30samba-set.sh
-rwxr--r--. 1 root root 7927 Mar 18 12:32 S31ganesha-set.sh
# rpm -qf /var/lib/glusterd/hooks/1/set/post/*
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
glusterfs-server-3.6.0.53-1.el6rhs.x86_64
#

Comment 19 Miroslav Grepl 2015-05-13 14:57:56 UTC

(In reply to Milos Malik from comment #15)
> We changed the label on following files and the problem (nrpe executes a
> script and the script executes sudo which generates AVCs) went away:
> 
> # cd /usr/lib64/nagios/plugins
> # chcon -t nagios_unconfined_plugin_exec_t negate urlize utils.sh

Not sure if it is a correct solution. These scripts are not plugins.

We probably will need to add 

nagios_run_sudo

boolean.

Comment 22 Miroslav Grepl 2015-05-19 10:28:19 UTC

commit 4b8ebda67993924d12bd39131846124ac67bef61
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:19:41 2015 +0200

    Update nagios_run_sudo boolean to allow run chkpwd.

Comment 23 Miroslav Grepl 2015-05-19 13:26:15 UTC

Could you please test it with

https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment 26 Stanislav Graf 2015-05-21 09:55:06 UTC

Retested both Bug 1198436 and Bug 1113481.

I had following configuration on Nagios server and client / monitored node:
# getenforce
Enforcing
# getsebool nagios_run_sudo
nagios_run_sudo --> on
# rpm -qa 'selinux-policy*'
selinux-policy-targeted-3.7.19-268.el6.noarch
selinux-policy-3.7.19-268.el6.noarch

All works as expected. This selinux-policy build (together with nagios_run_sudo boolean) fixes the issue for RH-Gluster + Nagios usecase.

To accomodate new Selinux boolean into our workflow, I've created Bug 1223710.

Comment 29 errata-xmlrpc 2015-07-22 07:12:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

Note You need to log in before you can comment on or make changes to this bug.