Description of problem:
The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo. Previously (selinux-policy-targeted-3.7.19-260.el6_6.3), nrpe_t domain could exec sudo. With new selinux-policy-targeted nrpe_t could exec sudo only when nagios_run_sudo boolean is on. Please note that this boolean didn't exist in previous policies.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install selinux-policy-targeted-3.7.19-260.el6_6.3
2. check that nrpe_t domain can exec sudo_exec_t domain without additional settings
3. update to selinux-policy-targeted-3.7.19-260.el6_6.5
4. check that you must set nagios_run_sudo boolean before nrpe_t domain can exec sudo_exec_t
you must set nagios_run_sudo boolean to "on" when your nrpe scripts exec sudo. This is change from previous selinux-policy-targeted-3.7.19-260.el6_6.3 where no additional setting was needed.
I'm not sure if setting of new boolean is expected behavior but I would expect such change, if intentional, in next minor RHEL release, not in async update.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.