Description of problem: ======================= On my RHEL6 and RHEL7 gluster nodes monitored by Nagios I'm seeing following AVC: ~~~ Running 'rpm -q selinux-policy-targeted; ausearch -m avc -m user_avc -m selinux_err -i | audit2allow' on 10.34.75.241 selinux-policy-targeted-3.7.19-276.el6.noarch #============= syslogd_t ============== allow syslogd_t nagios_unconfined_plugin_exec_t:file execute; Connection to 10.34.75.241 closed. ~~~ Running 'rpm -q selinux-policy-targeted; ausearch -m avc -m user_avc -m selinux_err -i | audit2allow' on 10.34.75.246 selinux-policy-targeted-3.13.1-27.el7.noarch #============= syslogd_t ============== allow syslogd_t nagios_unconfined_plugin_exec_t:file execute; Connection to 10.34.75.246 closed. ~~~ Version-Release number of selected component (if applicable): ============================================================= selinux-policy-targeted-3.7.19-276.el6.noarch selinux-policy-targeted-3.13.1-27.el7.noarch
Is there a rsyslog plugin module which executes nagios plugins?
Sahina, could you please answer the question in comment 2?
There's an omprog rsyslog plugin, which monitors the log entries and calls the nsca plugin of nagios
Stanislav, What's the question in Comment 6? Miroslav, Has there been any fix regarding this AVC in selinux-policy-targeted-3.7.19-278?
Stanislav, I've cloned this BZ against RHEL-6.7 [1] and RHEL-7.1 [2] for getting the fixes in RHEL and Milos has already provided a possible local policy module in those BZ's which fixes the reported issue. Could you please check if that helped and confirm back in the corresponding BZ's? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1233547 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1233550
Do we ship Nagios in RHEL6 and/or RHEL7 as part of RHGS? or RHEL6/7 Base?
Nagios is shipped for RHEL6 and RHEL7 in RHGS channel, the nagios package is from LPC.
So, looks like the selinux policy needs to be added to the nagios pkg that goes into RHGS RHEL6/7 channel.
This bug can be verified only after the required bug bz#1233550 is verified. Prasant: Can u check with the RHEL-7 team regarding the availability of the fix in RHEL7.1 z stream?.
(In reply to Ramesh N from comment #17) > This bug can be verified only after the required bug bz#1233550 is verified. > Prasant: Can u check with the RHEL-7 team regarding the availability of the > fix in RHEL7.1 z stream?. As per https://bugzilla.redhat.com/show_bug.cgi?id=1233550#c5, I see that the fix given by SELinux team is already confirmed as Fixed and verified. Since the BZ is currently in Modified state, you might soon get an official build having the fix. Once you get that, you can move this downstream BZ to ON_QA with that FIV for QE to verify. Once the above BZ's are tested and Verified, I'll be requesting for a RHEL-7.1.Z clone of the RHEL BZ. Hope that explains.
Fixed In Version: selinux-policy-3.7.19-279.el6 → selinux-policy-3.7.19-279.el6 / selinux-policy-3.13.1-23.el7_1.9 selinux-policy-3.13.1-23.el7_1.9 doesn't have required logging_syslogd_run_nagios_plugin boolean. --> ASSIGNED
Required Sebool is not yet available in RHEL7.1. Setting the dependency to correct RHEL7.1 bugs.
required sebool is available in RHEL7.2 build 'selinux-policy-3.13.1-31.el7'. Moving this bug to ON_QA with 7.2 build.
Fixed In Version: selinux-policy-3.7.19-279.el6 / selinux-policy-3.13.1-31.el7 Tested: selinux-policy-targeted-3.7.19-279.el6.noarch logging_syslogd_run_nagios_plugins nagios_run_sudo selinux-policy-targeted-3.13.1-31.el7.noarch logging_syslogd_run_nagios_plugins nagios_run_pnp4nagios nagios_run_sudo Above selinux-policy builds with enable boolean logging_syslogd_run_nagios_plugins fixes AVCs mentioned in Comment 0. --> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-1494.html
Hi Matthew, I have now made that public. Can you please check it out? Thanks kasturi