Bug 1210380 - SELinux prevents check_mailq from executing postfix when run via NRPE
Summary: SELinux prevents check_mailq from executing postfix when run via NRPE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Sam Kottler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-04-09 14:47 UTC by Nils Breunese
Modified: 2018-01-04 19:50 UTC (History)
7 users (show)

Fixed In Version: nagios-plugins-2.2.1-3git.fc24 nagios-plugins-2.2.1-4git.fc26 nagios-plugins-2.2.1-4git.el7 nagios-plugins-2.2.1-3git.fc25 nagios-plugins-2.2.1-4git.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-23 21:51:03 UTC


Attachments (Terms of Use)

Description Nils Breunese 2015-04-09 14:47:15 UTC
Description of problem:

After upgrading to EL 7.1 I got the following AVC:

----
SELinux is preventing /usr/bin/perl from getattr access on the file /usr/sbin/postfix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed getattr access on the postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check_mailq /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:postfix_master_exec_t:s0
Target Objects                /usr/sbin/postfix [ file ]
Source                        check_mailq
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          vs-repository-01.vpro.nl
Source RPM Packages           perl-5.16.3-285.el7.x86_64
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vs-repository-01.vpro.nl
Platform                      Linux vs-repository-01.vpro.nl
                             3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 27
                             03:04:26 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-04-09 16:14:36 CEST
Last Seen                     2015-04-09 16:14:36 CEST
Local ID                      e58747c1-bf32-4a38-812d-a3615a8f6f83

Raw Audit Messages
type=AVC msg=audit(1428588876.144:78): avc:  denied  { getattr } for  pid=12350 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1428588876.144:78): arch=x86_64 syscall=stat success=no exit=EACCES a0=1dcbe90 a1=1c82138 a2=1c82138 a3=48 items=0 ppid=12349 pid=12350 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=check_mailq exe=/usr/bin/perl subj=system_u:system_r:nagios_mail_plugin_t:s0 key=(null)

Hash: check_mailq,nagios_mail_plugin_t,postfix_master_exec_t,file,getattr
----

Version-Release number of selected component (if applicable):

nagios-plugins-mailq-2.0.1-1.el7.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Configure Nagios to run check_mailq on a remote host via NRPE

Actual results:

No SELinux AVC logged.

Expected results:

SELinux AVC logged, see description above.

Comment 1 Nils Breunese 2017-01-04 15:35:13 UTC
I just updated to nagios-plugins-mailq-2.1.4-2.el7.x86_64, but this problem still exists.

Comment 2 Nils Breunese 2017-01-04 15:38:00 UTC
Although now the SELinux AVC Alert mentions check_mailq instead of perl:

----
SELinux is preventing check_mailq from getattr access on the file /usr/sbin/postfix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_mailq should be allowed getattr access on the postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_mailq' --raw | audit2allow -M my-checkmailq
# semodule -i my-checkmailq.pp

Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:postfix_master_exec_t:s0
Target Objects                /usr/sbin/postfix [ file ]
Source                        check_mailq
Source Path                   check_mailq
Port                          <Unknown>
Host                          vs-monitoring-01.vpro.nl
Source RPM Packages           
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vs-monitoring-01.vpro.nl
Platform                      Linux vs-monitoring-01.vpro.nl
                             3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6
                             23:06:41 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-04 16:18:10 CET
Last Seen                     2017-01-04 16:18:10 CET
Local ID                      4a27230d-4889-4291-9ff7-8523505c5709

Raw Audit Messages
type=AVC msg=audit(1483543090.934:49177): avc:  denied  { getattr } for  pid=6453 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-1" ino=659626 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file


Hash: check_mailq,nagios_mail_plugin_t,postfix_master_exec_t,file,getattr
----

Comment 3 Stephen John Smoogen 2017-02-15 02:11:07 UTC
I am the new nagios maintainer. I am going to see what I can do about getting this looked at. Due to rules with selinux polices, I may only be able to ship rules in the rpm that could be added by the sysadmin. [The reason is that selinux policy is set in RHEL and not in the package.]

Comment 4 Fedora Update System 2017-07-03 20:54:53 UTC
nagios-plugins-2.2.1-2git.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 5 Fedora Update System 2017-07-06 02:48:30 UTC
nagios-plugins-2.2.1-2git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-62fe0218d0

Comment 6 Fedora Update System 2017-07-06 02:49:46 UTC
nagios-plugins-2.2.1-2git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cc0aeaca30

Comment 7 Fedora Update System 2017-07-12 20:30:10 UTC
nagios-plugins-2.2.1-3git.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 8 Fedora Update System 2017-07-13 19:48:53 UTC
nagios-plugins-2.2.1-3git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-76229ef8c9

Comment 9 Fedora Update System 2017-07-13 19:50:39 UTC
nagios-plugins-2.2.1-3git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4b1c55c024

Comment 10 Fedora Update System 2017-07-13 21:21:29 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6401b28fc4

Comment 11 Fedora Update System 2017-07-13 21:23:48 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8d031793bf

Comment 12 Fedora Update System 2017-07-13 23:53:57 UTC
nagios-plugins-2.2.1-3git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a5f81422dc

Comment 13 Fedora Update System 2017-07-14 18:57:59 UTC
nagios-plugins-2.2.1-4git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 14 Fedora Update System 2017-07-16 21:21:09 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e82de3b3

Comment 15 Fedora Update System 2017-07-23 04:18:02 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8973027f42

Comment 16 Fedora Update System 2017-07-23 04:23:01 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-87ebfdc686

Comment 17 Fedora Update System 2017-07-23 21:51:03 UTC
nagios-plugins-2.2.1-3git.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-08-03 15:52:41 UTC
nagios-plugins-2.2.1-4git.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-09 15:22:41 UTC
nagios-plugins-2.2.1-4git.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-08-09 19:56:58 UTC
nagios-plugins-2.2.1-3git.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2017-08-10 06:19:32 UTC
nagios-plugins-2.2.1-4git.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Chris Herdt 2018-01-03 20:38:40 UTC
This is still an issue with 2.2.1-4git.el7.

The check_mailq plugin is successful, but the AVC messages still appear in the audit logs:

type=AVC msg=audit(1515007542.005:533): avc:  denied  { getattr } for  pid=8715 comm="check_mailq" path="/usr/sbin/postfix" dev="dm-0" ino=494570 scontext=system_u:system_r:nagios_mail_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=file

Comment 23 Chris Herdt 2018-01-04 18:20:56 UTC
When I specify the MTA in the NRPE command definition, e.g.:

command[check_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5 -c 10 -M postfix

the AVC messages no longer appear in the audit logs.

Comment 24 Stephen John Smoogen 2018-01-04 19:50:02 UTC
What was the previous configuration.. I don't see it listed in the ticket before (probably missing the obvious).


Note You need to log in before you can comment on or make changes to this bug.