Bug 1240793 - The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks: 1172231
Reported: 2015-07-07 18:43 UTC by Adam Tkac
Modified: 2019-08-15 04:50 UTC

Fixed In Version: selinux-policy-3.7.19-282.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-10 19:58:42 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 1504303 | 0 | None | None | None | Never
Red Hat Product Errata | RHBA-2016:0763 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2016-05-10 22:33:46 UTC

Description Adam Tkac 2015-07-07 18:43:47 UTC
Description of problem:
The latest selinux-policy-targeted-3.7.19-260.el6_6.5 update broke nrpe scripts which call sudo. Previously (selinux-policy-targeted-3.7.19-260.el6_6.3), the nrpe_t domain could exec sudo. With the new selinux-policy-targeted, nrpe_t can exec sudo only when the nagios_run_sudo boolean is on. Please note that this boolean didn't exist in previous policies.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install selinux-policy-targeted-3.7.19-260.el6_6.3
2. check that nrpe_t domain can exec sudo_exec_t domain without additional settings
3. update to selinux-policy-targeted-3.7.19-260.el6_6.5
4. check that you must set nagios_run_sudo boolean before nrpe_t domain can exec sudo_exec_t

Actual results:
You must set the nagios_run_sudo boolean to "on" when your nrpe scripts exec sudo. This is a change from the previous selinux-policy-targeted-3.7.19-260.el6_6.3, where no additional setting was needed.

Expected results:
I'm not sure if setting the new boolean is expected behavior, but I would expect such a change, if intentional, in the next minor RHEL release, not in an async update.
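
A triage sketch for the regression described above, added here as an example and not part of the bug report or of Red Hat's tooling: it scans audit records for AVC denials where nrpe_t was refused access to a sudo_exec_t object. The audit lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# SAMPLE_AUDIT is constructed for illustration; it is not from the bug report.
SAMPLE_AUDIT='type=AVC msg=audit(1436294627.101:811): avc:  denied  { execute } for  pid=4211 comm="check_raid" name="sudo" dev=dm-0 ino=131934 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1436294627.350:812): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1436294650.020:815): avc:  denied  { getattr } for  pid=4250 comm="check_log" path="/var/log/messages" dev=dm-0 ino=900 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1436294687.101:820): avc:  denied  { execute } for  pid=4290 comm="check_disk" name="sudo" dev=dm-0 ino=131934 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file'

# Print "<comm> <perms>" for each AVC denial of nrpe_t on a sudo_exec_t object.
# Reads raw audit records on stdin; other domains and targets are ignored.
nrpe_sudo_denials() {
    awk '
        /type=AVC/ && / denied / &&
        /scontext=[^ ]*:nrpe_t:/ && /tcontext=[^ ]*:sudo_exec_t:/ {
            comm = "?"; perms = "?"
            if (match($0, /comm="[^"]*"/))
                comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            print comm, perms
        }'
}

# Report the denials and point at the boolean named in the bug report.
# Returns 1 when denials are present, so it can gate a post-update check.
triage() {
    denials=$(nrpe_sudo_denials)
    if [ -z "$denials" ]; then
        echo "no nrpe_t -> sudo_exec_t denials"
        return 0
    fi
    count=$(printf '%s\n' "$denials" | wc -l | tr -d ' ')
    echo "$count nrpe_t -> sudo_exec_t denial(s); check: getsebool nagios_run_sudo"
    printf '%s\n' "$denials" | sort -u | sed 's/^/  plugin: /'
    return 1
}

# Demo on the constructed sample; on a host: triage < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | triage || true
```

If denials are reported, `getsebool nagios_run_sudo` shows the current state of the boolean and `setsebool -P nagios_run_sudo on` enables the access persistently.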

Comment 10 errata-xmlrpc 2016-05-10 19:58:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.