Red Hat Bugzilla – Bug 1504826
SELinux is preventing nrpe_t from accessing nfs_t
Last modified: 2018-04-10 08:45:39 EDT
Description of problem:
=================
Commands running with a context of nrpe_t are unable to access nfs shares:

SELinux is preventing df from read access on the directory <customer directory>.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that df should be allowed read access on the <customer directory> directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'df' --raw | audit2allow -M my-df
# semodule -i my-df.pp

Additional Information:
Source Context                system_u:system_r:nrpe_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                <customer directory> [ dir ]
Source                        df
Source Path                   df
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-166.el7_4.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     r74.example.com
Platform                      Linux r74.example.com 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-10-09 10:34:54 EDT
Last Seen                     2017-10-09 10:34:54 EDT
Local ID                      408d59ba-9a37-4d56-90bd-3374e76fb12e

Raw Audit Messages
type=AVC msg=audit(1507559694.203:28842): avc: denied { read } for pid=16514 comm=df name=<customer directory> dev=0:53 ino=10133099161602582 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Hash: df,nrpe_t,nfs_t,dir,read

--------------------------------------------------------------------------------

SELinux is preventing bash from getattr access on the directory <customer directory>.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed getattr access on the <customer directory> directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bash' --raw | audit2allow -M my-bash
# semodule -i my-bash.pp

Additional Information:
Source Context                system_u:system_r:nrpe_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                <customer directory> [ dir ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-166.el7_4.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     r74.example.com
Platform                      Linux r74.example.com 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-10-09 10:44:54 EDT
Last Seen                     2017-10-09 10:44:54 EDT
Local ID                      75358116-3732-4c64-8a9f-1fb514ffda96

Raw Audit Messages
type=AVC msg=audit(1507560294.515:28866): avc: denied { getattr } for pid=18076 comm=bash path=<customer directory> dev=0:53 ino=83879543059790439 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

Hash: bash,nrpe_t,nfs_t,dir,getattr

=================
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7_4.4.noarch
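As an added example (not part of the bug report and not code from the selinux-policy project), the following Python script triages raw AVC records such as the two quoted above before anyone reaches for audit2allow. It parses each record, derives the same comm/source-type/target-type/class/permission key that setroubleshoot prints as the Hash: line, and merges every denial for one source/target/class triple into a single allow rule rendered in the .te layout audit2allow -M produces. That gives one module covering both the df read and the bash getattr denial instead of the two partial my-df and my-bash modules the catchall plugin suggests. The module name my-nrpe-nfs and the third, granted record in the sample input are assumptions added for illustration; the first two sample lines are the report's own AVC messages.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the two denials quoted in this bug (placeholder
# "<customer directory>" kept as the reporter wrote it) plus one assumed
# "granted" record, added here to show that non-denials are filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1507559694.203:28842): avc: denied { read } for pid=16514 comm=df name=<customer directory> dev=0:53 ino=10133099161602582 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1507560294.515:28866): avc: denied { getattr } for pid=18076 comm=bash path=<customer directory> dev=0:53 ino=83879543059790439 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1507560301.000:28871): avc: granted { setenforce } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record per line; fields appear in this order in kernel AVC output.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Return one dict per AVC record found in text (other audit types are skipped)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["comm"] = rec["comm"].strip('"')        # audit.log quotes comm, ausearch --raw may not
        rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level -> TYPE
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def hash_key(rec):
    """Same five fields setroubleshoot joins into its 'Hash:' line, for dedup across hosts."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])])


def allow_rules(records):
    """Merge denied permissions per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


def te_module(name, records):
    """Render a minimal policy module source in the layout audit2allow -M writes to <name>.te."""
    types, classes = set(), defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        types.update((r["stype"], r["ttype"]))
        classes[r["tclass"]].update(r["perms"])
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(records)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # "python3 avc_triage.py -" reads records from stdin (e.g. ausearch -m avc --raw);
    # with no argument it runs on the constructed sample above.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_AUDIT
    recs = parse_avc(text)
    for r in recs:
        print("%-8s %s" % (r["verdict"], hash_key(r)))
    print()
    print(te_module("my-nrpe-nfs", recs), end="")
```

The generated rule (allow nrpe_t nfs_t:dir { getattr read };) is a stopgap, not the fix: it grants the whole nrpe_t domain access to everything labelled nfs_t and stays installed after the policy RPM is updated. Before building and loading it with checkmodule/semodule_package/semodule, check whether the updated selinux-policy already ships a boolean for this case (getsebool -a | grep -i nfs) and prefer setsebool -P on that boolean, which is the direction the comment below and the linked erratum take.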
Looks like we need a new boolean here, where the nrpe domain could access nfs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763