Hide Forgot
Description of problem: The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo. Previously (selinux-policy-targeted-3.7.19-260.el6_6.3), nrpe_t domain could exec sudo. With new selinux-policy-targeted nrpe_t could exec sudo only when nagios_run_sudo boolean is on. Please note that this boolean didn't exist in previous policies. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-260.el6_6.5 How reproducible: always Steps to Reproduce: 1. install selinux-policy-targeted-3.7.19-260.el6_6.3 2. check that nrpe_t domain can exec sudo_exec_t domain without additional settings 3. update to selinux-policy-targeted-3.7.19-260.el6_6.5 4. check that you must set nagios_run_sudo boolean before nrpe_t domain can exec sudo_exec_t Actual results: you must set nagios_run_sudo boolean to "on" when your nrpe scripts exec sudo. This is change from previous selinux-policy-targeted-3.7.19-260.el6_6.3 where no additional setting was needed. Expected results: I'm not sure if setting of new boolean is expected behavior but I would expect such change, if intentional, in next minor RHEL release, not in async update.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html