Bug 1277718 - SELinux is preventing nrpe plugins from executing
SELinux is preventing nrpe plugins from executing
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.1
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks: 1377248
  Show dependency treegraph
 
Reported: 2015-11-03 17:10 EST by James
Modified: 2017-08-01 11:10 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-152.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 11:10:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James 2015-11-03 17:10:45 EST
Description of problem:

NRPE checks may fail on RHEL/CentOS 7 with selinux-policy <= selinux-policy-3.13.1-23.el7_1.18.noarch

The nagios-plugins-all & nagios-plugins-nrpe packages in EPEL 7 ship with binaries in a new location:  /usr/lib64/nagios/plugins  (as opposed to: /usr/lib/nagios/plugins/)

The selinux-policy package ships with file_contexts for the /usr/lib/nagios/plugins/* location:



Version-Release number of selected component (if applicable):

    selinux-policy-3.13.1-23.el7_1.18.noarch
    nagios-common-3.5.1-1.el7.x86_64
    nagios-plugins-all-2.0.3-3.el7.x86_64
    nagios-plugins-nrpe-2.15-7.el7.x86_64

How reproducible:

    Always (on x86_64)


Steps to Reproduce:

1. Run check_nrpe from monitor server to run a remote check via NRPE
2. Remote host running NRPE logs audit.log errors
3. Check fails with "Permission denied" error

Actual results:

check_nrpe returns Permission denied error:

    COMMAND: /usr/local/nagios/libexec/check_nrpe -H 10.248.2.222 -u -t 240 -c check_all_disks 
    OUTPUT: DISK CRITICAL - /sys/kernel/config is not accessible: Permission denied

Remote server running NRPE logs errors in /var/log/audit/audit.log:

    type=SERVICE_START msg=audit(1446581322.775:14186): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nrpe@48-10.248.2.222:5666-10.2.0.93:42124" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    type=AVC msg=audit(1446581322.886:14187): avc:  denied  { getattr } for  pid=6469 comm="check_disk" path="/sys/kernel/config" dev="configfs" ino=8575 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1446581322.886:14187): arch=c000003e syscall=4 success=no exit=-13 a0=7fe20dd250a0 a1=7fe20dd22090 a2=7fe20dd22090 a3=0 items=0 ppid=6468 pid=6469 auid=4294967295 uid=10105 gid=10105 euid=10105 suid=10105 fsuid=10105 egid=10105 sgid=10105 fsgid=10105 tty=(none) ses=4294967295 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)
    type=SERVICE_STOP msg=audit(1446581322.938:14188): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nrpe@48-10.248.2.222:5666-10.2.0.93:42124" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'



Expected results:

NRPE check should work and have the access it needs to perform the check.  selinux-policy package should ship with correct file contexts for the alternate paths for NRPE plugins packaged in the EPEL package. The path for x86_64 nagios NRPE plugin checks: /usr/lib64/nagios/plugins, should be recognized by the selinux-policy and granted appropriate permissions.


Additional info:

System:

    $ cat /etc/redhat-release
    CentOS Linux release 7.1.1503 (Core)
    $ uname -r
    3.10.0-229.14.1.el7.x86_64

Package Versions:

    $ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}"  selinux-policy
    updates              selinux-policy-3.13.1-23.el7_1.18.noarch

    $ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}"  nagios-plugins-all nagios-plugins-nrpe nagios-common nrpe
    epel                 nagios-common-3.5.1-1.el7.x86_64
    epel                 nagios-plugins-all-2.0.3-3.el7.x86_64
    epel                 nagios-plugins-nrpe-2.15-7.el7.x86_64
    epel                 nrpe-2.15-7.el7.x86_64
Comment 1 James 2015-11-03 17:18:56 EST
selinux-policy package ships with file_contexts for the /usr/lib/nagios/plugins/* location:

    $ sudo grep -rin '/usr/lib/nagios/plugins/' /etc/selinux
    Binary file /etc/selinux/targeted/contexts/files/file_contexts.bin matches
    /etc/selinux/targeted/contexts/files/file_contexts:2413:/usr/lib/nagios/plugins/.*      --      system_u:object_r:nagios_unconfined_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:2678:/usr/lib/nagios/plugins/utils.sh        --      system_u:object_r:bin_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:2679:/usr/lib/nagios/plugins/utils.pm        --      system_u:object_r:bin_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:2820:/usr/lib/nagios/plugins/check_ntp.*     --      system_u:object_r:nagios_services_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:2846:/usr/lib/nagios/plugins/check_snmp.*    --      system_u:object_r:nagios_services_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:2891:/usr/lib/nagios/plugins/eventhandlers(/.*)      system_u:object_r:nagios_eventhandler_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5388:/usr/lib/nagios/plugins/negate  --      system_u:object_r:bin_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5389:/usr/lib/nagios/plugins/urlize  --      system_u:object_r:bin_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5503:/usr/lib/nagios/plugins/check_nt        --      system_u:object_r:nagios_services_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5543:/usr/lib/nagios/plugins/check_log       --      system_u:object_r:nagios_system_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5544:/usr/lib/nagios/plugins/check_dig       --      system_u:object_r:nagios_services_plugin_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts:5545:/usr/lib/nagios/plugins/check_dns       --      system_u:object_r:nagios_services_plugin_exec_t:s0

The NRPE plugins x86_64 packages ship check plugin executables in: /usr/lib64/nagios/plugins

(
    $ ls -ld /usr/lib64/nagios/plugins
    drwxrwxr-x. 2 root root 4096 Nov  2 22:56 /usr/lib64/nagios/plugins
    $ ls -ld /usr/lib/nagios/plugins
    ls: cannot access /usr/lib/nagios/plugins: No such file or directory
    $ rpm -ql nagios-plugins-nrpe | grep check
/usr/lib64/nagios/plugins/check_nrpe
    
    $ rpm -ql nagios-plugins-disk
    /usr/lib64/nagios/plugins/check_disk
    $ rpm -ql nagios-plugins-mailq
    /usr/lib64/nagios/plugins/check_mailq
    $ rpm -ql nagios-plugins-ssh
    /usr/lib64/nagios/plugins/check_ssh
    # All the rest of the plugins only exist in /usr/lib64:
    $ rpm -qR nagios-plugins-nrpe | xargs rpm -ql | grep '\/usr\/lib'
    /usr/lib64/nagios/plugins/negate
    /usr/lib64/nagios/plugins/urlize
    /usr/lib64/nagios/plugins/utils.sh
    $ rpm -qR nagios-plugins-all | xargs rpm -ql  | grep -c '\/usr\/lib\/'
    0
    $ rpm -qR nagios-plugins-all | xargs rpm -ql  | grep -c '\/usr\/lib64\/'
    62
Comment 3 James 2015-11-03 18:16:38 EST
Just realized that the selinux-policy-targeted package owns the file: "/etc/selinux/targeted/modules/active/file_contexts"

Package version of selinux-policy-targeted:

    $ rpm -qf /etc/selinux/targeted/modules/active/file_contexts
    selinux-policy-targeted-3.13.1-23.el7_1.18.noarch

    $ repoquery --qf "%-20{repoid} %{name}-%{version}-%{release}.%{arch}"  selinux-policy-targeted
    updates              selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
Comment 4 Milos Malik 2015-11-04 04:37:56 EST
It's too late for RHEL-7.2.
Comment 11 errata-xmlrpc 2017-08-01 11:10:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.