Bug 1476298 - NRPE selinux module broken
Status: ON_QA
Product: Fedora EPEL
Classification: Fedora
Component: nrpe
Version: epel7
Hardware/OS: All / All
Priority: unspecified, Severity: medium
Assigned To: Stephen John Smoogen
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-28 10:36 EDT by Stephen John Smoogen
Modified: 2017-08-08 10:38 EDT (History)
Type: Bug
Description Stephen John Smoogen 2017-07-28 10:36:53 EDT
Description of problem:

The nrpe selinux module in the latest nrpe src rpm does not load correctly.


Additional info:

from closed BZ 1359858
Mike Willis 2017-07-28 06:20:06 EDT

I'm seeing huge amounts of this:

Jul 28 11:10:02 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 9524f588-6b63-4326-bae5-3eb498ee4140
Jul 28 11:10:02 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012

The messages started appearing after update to nrpe-3.1.1-1.el7 


I tried installing the nrpe-selinux package, but that doesn't help. The module in it won't load. The post-install script in the package dumps the errors from the attempt to load the module to /dev/null, thus hiding that it failed, which seems unhelpful.


[root@konan:production: ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@konan:production: ~]# rpm -qa | grep -i nrpe
nrpe-3.1.1-1.el7.x86_64
nagios-plugins-nrpe-3.1.1-1.el7.x86_64
nrpe-selinux-3.1.1-1.el7.x86_64
[root@konan:production: ~]# rpm -q --scripts nrpe-selinux | head -5
postinstall scriptlet (using /bin/sh):
if [ "$1" -le "1" ]; then # Fist install
   semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
   fixfiles -R nrpe restore || :
   
[root@konan:production: ~]# semodule -l | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp 
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule:  Failed!
[root@konan:production: ~]#
Comment 1 Stephen John Smoogen 2017-07-28 10:38:32 EDT
Bug should be fixed in epel-testing for RHEL7. It may not be fixed in RHEL6 which I am working on to confirm.
Comment 2 Mike Willis 2017-07-31 06:11:34 EDT
I've tried packages from epel-testing and the module still won't load.

[root@konan:production: ~]# rpm -qa | grep nrpe
nagios-plugins-nrpe-3.1.1-6.el7.x86_64
nrpe-selinux-3.1.1-6.el7.x86_64
nrpe-3.1.1-6.el7.x86_64
[root@konan:production: ~]# lsmod | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp 
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule:  Failed!
[root@konan:production: ~]# 


I've tried the packages on a CentOS install that doesn't have any of our site specific config and the module doesn't load on that either, same error messages.
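The "Multiple same specifications" lines above are libsemanage refusing to merge the module's file-context entries because the installed policy already defines the same path regexes. As an added example (not code from this report or from the nrpe package), here is a POSIX sh pre-check that compares a module's .fc file against an installed file_contexts and lists the clashing regexes before `semodule -i` is attempted. The two sample files, their type labels and the function names are constructed for the demonstration; the paths are the ones named in the semodule errors above.

```shell
#!/bin/sh
# Added example, not code from the bug report or the nrpe package: before loading a
# policy module, find file-context regexes in the module's .fc file that the installed
# policy already carries. libsemanage rejects such entries with
# "Multiple same specifications for <path>", which is the failure shown above.
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Print the path regex (first column) of every non-comment, non-empty line, sorted.
fc_paths() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1" | sort -u
}

# Print every regex present in both files, one per line; empty output means no clash.
# $1: the installed file_contexts, $2: the module's .fc (or .fc-style) file
duplicate_fcontexts() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    fc_paths "$1" >"$_a"
    fc_paths "$2" >"$_b"
    comm -12 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Guard to run before "semodule -i": succeeds only when no regex is duplicated.
fc_clash_free() {
    [ -z "$(duplicate_fcontexts "$1" "$2")" ]
}

# Constructed sample data: hypothetical type labels, paths taken from the report.
WORK=$(mktemp -d)
cat >"$WORK/file_contexts" <<'EOF'
/usr/sbin/nrpe  --  system_u:object_r:nrpe_exec_t:s0
/usr/bin/nrpe  --  system_u:object_r:nrpe_exec_t:s0
/etc/nagios/nrpe\.cfg  --  system_u:object_r:nrpe_etc_t:s0
/usr/lib/nagios/plugins/check_nrpe  --  system_u:object_r:nrpe_exec_t:s0
EOF
cat >"$WORK/nrpe.fc" <<'EOF'
# module file contexts (constructed sample)
/usr/sbin/nrpe  --  gen_context(system_u:object_r:nrpe_exec_t,s0)
/etc/nagios/nrpe\.cfg  --  gen_context(system_u:object_r:nrpe_etc_t,s0)
/usr/lib64/nagios/plugins/check_nrpe  --  gen_context(system_u:object_r:nrpe_exec_t,s0)
EOF

if fc_clash_free "$WORK/file_contexts" "$WORK/nrpe.fc"; then
    echo "no duplicate file-context specifications"
else
    echo "regexes already defined by the installed policy:"
    duplicate_fcontexts "$WORK/file_contexts" "$WORK/nrpe.fc"
fi
```

On a real host the first argument would be /etc/selinux/targeted/contexts/files/file_contexts and the second the module's .fc source. The check compares regex text only, not file types or labels, so a clean result does not guarantee the module will load, but a non-empty result pinpoints the entries that have to be dropped from the module (here: the two paths the base policy already knows about).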
Comment 3 Fedora Update System 2017-08-04 16:18:13 EDT
nrpe-3.2.0-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c
Comment 4 Fedora Update System 2017-08-06 22:48:53 EDT
nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bb989d629b
Comment 5 Fedora Update System 2017-08-07 03:49:10 EDT
nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c
Comment 6 Mike Willis 2017-08-08 06:40:21 EDT

[root@konan:production: ~]# rpm -qa | grep nrpe
nrpe-selinux-3.2.0-6.el7.x86_64
nrpe-3.2.0-6.el7.x86_64
nagios-plugins-nrpe-3.2.0-6.el7.x86_64
[root@konan:production: ~]# semodule -l | grep nrpe
nrpe_epel	1.0
[root@konan:production: ~]#

Sadly this hasn't made any difference, the SELinux messages continue as before:

Aug  8 11:38:54 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 8cd70288-d065-4f54-aa37-c9dd8457b0f8
Aug  8 11:38:54 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012



I had to load the nrpe_epel module manually. It didn't get loaded as a result of installing the rpm because the postinstall scriptlet is written to only install the module on "Fi(r)st install" and I already had nrpe-selinux installed. The module needs to get installed on upgrade as well.


I don't think the way the postinstall scriptlet is constructed makes sense:

if [ "$1" -le "1" ]; then # Fist install
   semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
   fixfiles -R nrpe restore || :

systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
        # Package upgrade, not uninstall
        systemctl try-restart nrpe.service >/dev/null 2>&1 || :
fi

fi


The check for whether $1 is greater than 1 is inside the condition for if $1 is less than 1. How's "systemctl try-restart" ever going to get called?
The preuninstall scriptlet is constructed the same way.
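Two separate problems are being described here: the module is only loaded when `$1` says first install, and the restart branch is nested inside that same condition, so it can never run. As an added example (not the nrpe package's own scriptlet), here is %post / %postun logic with the branches untangled, written as shell functions so the `$1` handling can be exercised without root or SELinux. Every privileged command goes through a `RUN` variable (an assumption of this example, not something rpm provides): with `RUN=echo` the commands are only printed, and setting `RUN` to the empty string executes them. The module path is the one loaded by hand earlier in this report and the module name is the one `semodule -l` printed.

```shell
#!/bin/sh
# Added example, not the nrpe package's own scriptlet: load the policy module on first
# install AND on upgrade, restart the service only on upgrade, and keep semodule's
# errors on stderr rather than sending them to /dev/null so a failed load is visible.
RUN=${RUN-echo}   # RUN=echo: dry run; RUN='': execute the commands for real

# %post: rpm passes $1 = 1 on first install and $1 >= 2 on upgrade.
nrpe_selinux_post() {
    count=$1
    [ -n "$count" ] || return 1
    # "semodule -i" both installs a new module and replaces an existing one,
    # so it is correct in every %post invocation.
    $RUN semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp || return 1
    $RUN fixfiles -R nrpe restore || :
    $RUN systemctl daemon-reload || :
    if [ "$count" -ge 2 ]; then
        # Upgrade, not first install: restart so the daemon runs under the new policy.
        $RUN systemctl try-restart nrpe.service || :
    fi
}

# %postun: rpm passes $1 = 0 on final removal and $1 = 1 on upgrade.
nrpe_selinux_postun() {
    count=$1
    [ -n "$count" ] || return 1
    if [ "$count" -eq 0 ]; then
        # Final removal only: unload the module and relabel the package's files.
        $RUN semodule -r nrpe_epel || :
        $RUN fixfiles -R nrpe restore || :
    fi
}

# Dry run of the three transaction types rpm can hand to these scriptlets.
echo "--- first install"; nrpe_selinux_post 1
echo "--- upgrade";       nrpe_selinux_post 2
echo "--- removal";       nrpe_selinux_postun 0
```

Note the deliberate `|| return 1` after `semodule -i`: in a real %post this makes rpm report the scriptlet failure instead of silently leaving the host without the module, which is the symptom the reporter only discovered by running `semodule -l` by hand.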
Comment 7 Mike Willis 2017-08-08 10:09:33 EDT
I think I've found the solution to the SELinux messages.

I realised there's now a nagios-selinux package, as talked about in 

https://bugzilla.redhat.com/show_bug.cgi?id=1475447

The newest version of that I could find for CentOS 7 is nagios-selinux-4.3.2-8.el7.x86_64.rpm 

I didn't want to mess with the nagios package that's installed, nagios-4.3.2-5.el7.x86_64, so I force installed nagios-selinux-4.3.2-8.el7.x86_64.rpm then manually installed the nagios_epel module. (The path in the postinstall scriptlet is wrong, which I see is already fixed in a later version of the package for EPEL6 but I guess not for 7). All the SELinux messages stopped. I removed the nagios_epel module and the messages started. Loaded the module again, the messages stopped again.
Comment 8 Stephen John Smoogen 2017-08-08 10:38:06 EDT
OK the second part is because the main nagios/nrpe is in one policy in the original selinux policy, but these are now different policies shipped with different RPMS. 

The first part is completely me not doing my job as maintainer it would seem. Thank you for catching that. I will fix both selinux rpms as they have the same code in them.
