Bug 1248072 - AVC denied for "dir search" by nslookup(1) when called by nagios_services_plugin_t
AVC denied for "dir search" by nslookup(1) when called by nagios_services_plu...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.7
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-29 10:25 EDT by Robert Scheck
Modified: 2015-07-30 17:38 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-30 17:37:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2015-07-29 10:25:08 EDT
Description of problem:
type=AVC msg=audit(1438178677.142:2998359): avc:  denied  { search } for  pid=2070 comm="nslookup" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=SYSCALL msg=audit(1438178677.142:2998359): arch=x86_64 syscall=open success=no exit=EACCES a0=7f9185593d20 a1=80000 a2=72f a3=2b750 items=0 ppid=2069 pid=2070 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=7830 comm=nslookup exe=/usr/bin/nslookup subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)

$ strings /usr/lib64/nagios/plugins/check_dns | grep /usr/bin/nslookup
/usr/bin/nslookup -sil
$ 

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
nagios-plugins-dns-1.4.16-10.el6.x86_64

How reproducible:
Use check_dns nagios plugin with RHEL 6.7.

Actual results:
AVC denied.

Expected results:
No AVC denied message (no idea if this should be allowed or not).

Additional info:
It feels like a file descriptor leak, but I am not absolutely sure. As of
writing it seems to work with the denied while having it enforced.
Comment 1 Robert Scheck 2015-07-29 10:26:48 EDT
Cross-filed case 01484376 on the Red Hat customer portal.
Comment 3 Milos Malik 2015-07-29 10:36:08 EDT
# rpm -qa selinux\*
selinux-policy-doc-3.7.19-279.el6.noarch
selinux-policy-minimum-3.7.19-279.el6.noarch
selinux-policy-mls-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
# sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
Found 1 semantic av rules:
   allow domain sysctl_vm_t : dir { getattr search open } ; 

# 

Did the AVC appear after upgrade of selinux-policy* packages?
Comment 4 Robert Scheck 2015-07-29 10:43:21 EDT
(In reply to Milos Malik from comment #3)
> Did the AVC appear after upgrade of selinux-policy* packages?

Good point. During as it seems only. No occurence before and none after so
far.
Comment 5 Simon Sekidde 2015-07-29 11:29:01 EDT
Robert, 

Most likely during the update of policy either from -231 or -260

$ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
selinux-policy-3.7.19-231.el6.noarch
<blank>

$ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
selinux-policy-3.7.19-260.el6_6.5.noarch
<blank>
Comment 6 Simon Sekidde 2015-07-29 11:31:05 EDT
Should now be fixed in the latest build as Milos pointed out 

#============= nagios_services_plugin_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t sysctl_vm_t:dir search;
Comment 7 Robert Scheck 2015-07-29 17:36:01 EDT
Yes, I updated from -260. So sorry for the noise, let's close this.

Note You need to log in before you can comment on or make changes to this bug.