Bug 1359858 - NRPE causes SELinux denials
Summary: NRPE causes SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nrpe
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Stephen John Smoogen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1393066
Reported: 2016-07-25 14:45 UTC by Ken Dreyer (Red Hat)
Modified: 2017-07-28 14:37 UTC (History)

Fixed In Version: nrpe-3.1.1-1.fc24 nrpe-3.1.1-1.fc25 nrpe-3.1.1-1.el6 nrpe-3.1.1-1.el7 nrpe-3.1.1-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-04 00:19:46 UTC


Attachments
Shows all nrpe selinux denials from boot until nrpe was finally able to run (148.18 KB, text/plain)
2016-07-25 19:30 UTC, David Galloway
Shows incremental process of how I created the final nrpe type enforcement file (465.75 KB, text/plain)
2016-07-25 19:30 UTC, David Galloway
process of building newest nrpe selinux policy type enforcement file (300.64 KB, text/plain)
2017-03-23 20:52 UTC, David Galloway

Description Ken Dreyer (Red Hat) 2016-07-25 14:45:25 UTC
Description of problem:
The Ceph infra team uses Nagios' NRPE to monitor the hardware health of our servers in our lab. We get SELinux denials when we use NRPE, and it would be nice to avoid these without a custom SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch


How reproducible:
always

Steps to Reproduce:
1. Set up NRPE on a node in our lab, with SELinux in enforcing
2. Configure Nagios to use NRPE (We're using the nrpe-2.15-7.el7 package from EPEL 7).

Actual results:
AVC errors

Expected results:
Ceph's use of NRPE is allowed with the default SELinux policy.

Additional info:
Here is the custom policy we have to add on each of our nodes:

https://github.com/ceph/ceph-cm-ansible/blob/master/roles/common/files/nagios/nrpe.te

https://github.com/ceph/ceph-cm-ansible/blob/master/roles/common/tasks/nrpe-selinux.yml

It would be great to reduce our customizations there, or eliminate them altogether.

Comment 2 David Galloway 2016-07-25 19:29:13 UTC
I went through the process of how I came up with the nrpe type enforcement file again.  Hopefully it provides some insight.

I installed a machine with CentOS 7.2, enabled SELinux, set 'nagios_run_sudo' to true, and then executed the nagios check command manually from the nagios host.

Nagios server checkcommand: /usr/lib/nagios/plugins/check_nrpe2 -H mira035.front.sepia.ceph.com -c check_smart -t 120

nrpe daemon command: command[check_smart]=/usr/libexec/smart.sh

After each round of AVC denials, I'd create a new type enforcement file, install it, then re-run the nagios check command.  See 'creating_policy.txt' attachment for audit.log output and incremental type enforcement file creation.

I'm also attaching 'denials.txt' which just shows all nrpe denials from the time the system was booted until SELinux finally let nrpe do its thing.

[root@mira035 ~]# rpm -qa | grep selinux
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

[root@mira035 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64

[root@mira035 ~]# rpm -qa | grep nagios-common
nagios-common-4.0.8-2.el7.x86_64
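
The iterate-on-denials loop described in comment 2 (collect AVCs, turn them into allow rules, reload, repeat) is what audit2allow automates. As an added illustration that is not part of this bug or its attachments, the script below parses raw audit.log AVC records into the same aggregated allow rules and flags the permissions a reviewer should question before shipping them in a type enforcement file; the sample records, the nrpe_t/bin_t/fixed_disk_device_t types and the BROAD_PERMS list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records in the shape the kernel emits; the
# types, paths and pids are assumed for illustration, not copied from the bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1469474893.101:512): avc:  denied  { execute } for  pid=2981 comm="nrpe" name="smart.sh" dev="sda1" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1469474893.102:513): avc:  denied  { execute_no_trans } for  pid=2981 comm="nrpe" path="/usr/libexec/smart.sh" dev="sda1" ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1469474901.550:514): avc:  denied  { read write } for  pid=2990 comm="smartctl" path="/dev/sda" dev="devtmpfs" ino=9876 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1469474901.551:515): avc:  denied  { dac_override } for  pid=2990 comm="smartctl" capability=1 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=capability
type=SYSCALL msg=audit(1469474901.551:515): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record: the denied permission set, source type, target type and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)

# Permissions a reviewer should not grant just because a check tripped over them;
# they weaken confinement well beyond "let the plugin run" (my own selection).
BROAD_PERMS = {"dac_override", "dac_read_search", "sys_admin", "setuid", "setgid"}


def aggregate_denials(log_text):
    """Collapse AVC records into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def to_allow_rules(rules):
    """Render aggregated denials as TE allow statements; 'self' when source == target."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if t == s else t
        out.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return out


def flag_broad(rules):
    """Return the (stype, ttype, tclass) keys whose permissions need a justification."""
    return [key for key, perms in sorted(rules.items()) if perms & BROAD_PERMS]


if __name__ == "__main__":
    rules = aggregate_denials(SAMPLE_AUDIT)
    print("\n".join(to_allow_rules(rules)))
    print("review before shipping:", flag_broad(rules))
```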

Comment 3 David Galloway 2016-07-25 19:30:13 UTC
Created attachment 1183954 [details]
Shows all nrpe selinux denials from boot until nrpe was finally able to run

Comment 4 David Galloway 2016-07-25 19:30:55 UTC
Created attachment 1183955 [details]
Shows incremental process of how I created the final nrpe type enforcement file

Comment 5 David Galloway 2016-07-25 19:33:14 UTC
Here's the smart.sh script the nrpe user runs: https://github.com/ceph/ceph-cm-ansible/blob/master/roles/common/files/libexec/smart.sh

Comment 7 Lukas Vrabec 2017-03-21 15:55:55 UTC
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to a third-party software component which can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.

Comment 8 Stephen John Smoogen 2017-03-22 15:17:15 UTC
I am taking this and will be working on getting the selinux subpolicy packages put into place for the nagios and nrpe packages.

Comment 9 David Galloway 2017-03-23 20:51:39 UTC
I went through this process after some concerns were raised about some of the permissions my original type enforcement file was allowing.

I've attached output of the process I followed to get NRPE to report back the information I need.

The type enforcement file is here: https://paste.fedoraproject.org/paste/pL9s67c6ub5Z8npoGT6hx15M1UNdIGYhyRLivL9gydE=

This is on CentOS 7.3.

[root@mira040 ~]# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch

[root@mira040 ~]# rpm -qa | grep nrpe
nrpe-2.15-7.el7.x86_64

Comment 10 David Galloway 2017-03-23 20:52:57 UTC
Created attachment 1265901 [details]
process of building newest nrpe selinux policy type enforcement file

Comment 11 Fedora Update System 2017-06-14 23:42:55 UTC
nrpe-3.1.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

Comment 12 Fedora Update System 2017-06-15 00:03:08 UTC
nrpe-3.1.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

Comment 13 Fedora Update System 2017-06-15 00:37:07 UTC
nrpe-3.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

Comment 14 Fedora Update System 2017-06-15 00:47:21 UTC
nrpe-3.1.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

Comment 15 Fedora Update System 2017-06-15 01:02:37 UTC
nrpe-3.1.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

Comment 16 Fedora Update System 2017-06-15 09:48:23 UTC
nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-92879f40b9

Comment 17 Fedora Update System 2017-06-15 09:48:29 UTC
nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f37341bbab

Comment 18 Fedora Update System 2017-06-15 10:57:42 UTC
nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be117b53a8

Comment 19 Fedora Update System 2017-06-15 10:59:38 UTC
nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eb24165ee1

Comment 20 Fedora Update System 2017-06-15 14:01:42 UTC
nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-69a58c7a69

Comment 21 Fedora Update System 2017-07-04 00:19:46 UTC
nrpe-3.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2017-07-04 01:51:05 UTC
nrpe-3.1.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2017-07-04 04:17:37 UTC
nrpe-3.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2017-07-04 04:19:50 UTC
nrpe-3.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2017-07-07 22:55:35 UTC
nrpe-3.1.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Mike Willis 2017-07-28 10:20:06 UTC
I'm seeing huge amounts of this:

Jul 28 11:10:02 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 9524f588-6b63-4326-bae5-3eb498ee4140
Jul 28 11:10:02 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012

The messages started appearing after update to nrpe-3.1.1-1.el7 


I tried installing the nrpe-selinux package, but that doesn't help. The module in it won't load. The post-install script in the package dumps the errors from the attempt to load the module to /dev/null, thus hiding that it failed, which seems unhelpful.


[root@konan:production: ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@konan:production: ~]# rpm -qa | grep -i nrpe
nrpe-3.1.1-1.el7.x86_64
nagios-plugins-nrpe-3.1.1-1.el7.x86_64
nrpe-selinux-3.1.1-1.el7.x86_64
[root@konan:production: ~]# rpm -q --scripts nrpe-selinux | head -5
postinstall scriptlet (using /bin/sh):
if [ "$1" -le "1" ]; then # Fist install
   semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
   fixfiles -R nrpe restore || :
   
[root@konan:production: ~]# semodule -l | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp 
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule:  Failed!
[root@konan:production: ~]#
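
The semodule failure in comment 26 comes from the module's file-context (.fc) entries repeating regex specifications that the base policy's file_contexts already carries, which setfiles rejects. As an added pre-flight check that is not part of the nrpe package or this bug, the script below compares a module's .fc against a compiled file_contexts and reports each duplicate the way libselinux words it ("same" when the context matches, "different" when it does not; both are rejected). The excerpts and their contexts are constructed for the example, and the parser assumes paths without embedded whitespace.

```python
# Constructed excerpt of a compiled file_contexts in its usual columns
# (regex, optional file type, context); the contexts are assumed.
BASE_FILE_CONTEXTS = """\
/usr/sbin/nrpe\t--\tsystem_u:object_r:nrpe_exec_t:s0
/etc/nagios/nrpe\\.cfg\t--\tsystem_u:object_r:nrpe_etc_t:s0
/usr/lib/nagios/plugins/.*\tsystem_u:object_r:nagios_unconfined_plugin_exec_t:s0
"""

# Constructed .fc of a hypothetical nrpe module: one new entry, one repeating a
# base spec verbatim, one repeating a base regex with a different context.
MODULE_FC = """\
/usr/bin/nrpe\t--\tsystem_u:object_r:nrpe_exec_t:s0
/usr/sbin/nrpe\t--\tsystem_u:object_r:nrpe_exec_t:s0
/etc/nagios/nrpe\\.cfg\t--\tsystem_u:object_r:nagios_etc_t:s0
"""


def parse_fc(text):
    """Map regex -> context from file_contexts-style lines (file type column optional)."""
    specs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, _ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
        else:
            raise ValueError(f"unparseable spec: {line!r}")
        specs[regex] = ctx
    return specs


def find_duplicate_specs(base_text, module_text):
    """Return (regex, kind) for module specs whose regex already exists in base.
    kind is 'same' when the context also matches and 'different' otherwise;
    setfiles refuses the combined file_contexts in either case."""
    base = parse_fc(base_text)
    conflicts = []
    for regex, ctx in parse_fc(module_text).items():
        if regex in base:
            conflicts.append((regex, "same" if base[regex] == ctx else "different"))
    return conflicts


def module_would_load(base_text, module_text):
    """True only if the module adds no regex the base policy already specifies."""
    return not find_duplicate_specs(base_text, module_text)
```

Running this over the real /etc/selinux/targeted/contexts/files/file_contexts and the module's .fc before packaging catches exactly the "Multiple same specifications" case without the install-time scriptlet ever having to swallow the error.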

Comment 27 Stephen John Smoogen 2017-07-28 14:37:20 UTC
I have opened 1476298 to track this
