Bug 1653309 - Nagios nrpe checks using sudo stopped working after update to RHEL 7.6
Summary: Nagios nrpe checks using sudo stopped working after update to RHEL 7.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1651248
Depends On:
Blocks: 1692893
Reported: 2018-11-26 14:09 UTC by Zdenek Pytela
Modified: 2019-08-06 12:53 UTC
CC List: 22 users

Fixed In Version: selinux-policy-3.13.1-246.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1692893
Environment:
Last Closed: 2019-08-06 12:52:54 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2127 None None None 2019-08-06 12:53:18 UTC
Red Hat Knowledge Base (Solution) 3716371 None None None 2018-11-26 14:09:05 UTC

Description Zdenek Pytela 2018-11-26 14:09:06 UTC
Description of problem:
After update from RHEL 7.5 to 7.6, nagios and nrpe plugins using sudo stopped working. The nagios_run_sudo boolean is on.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-229.el7_6.5.noarch
sudo-1.8.23-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure nagios/nrpe with a plugin requiring sudo, like check_rsyslog

Actual results:
plugin does not work, reporting AVC denials

Expected results:
plugin works and reports no AVC denials

Additional info:
Nagios and nrpe are from EPEL.
However, the current state seems to be a result of the sudo rebase in RHEL 7.6:

sudo skips PAM account module in case NOPASSWD is used in sudoers
https://bugzilla.redhat.com/show_bug.cgi?id=1533964

Comment 7 vladimir-csp 2018-12-07 07:10:34 UTC
Seems to be a duplicate of Bug 1651248. Workaround is included there.

Comment 8 Lukas Vrabec 2018-12-16 21:09:49 UTC
*** Bug 1651248 has been marked as a duplicate of this bug. ***

Comment 30 Milos Malik 2019-04-30 10:05:34 UTC
The following SELinux denial appeared multiple times in the TC results attached by AutoMilos:
----
type=PROCTITLE msg=audit(04/30/2019 05:48:47.069:437) : proctitle=/usr/sbin/nagios -d /etc/nagios/nagios.cfg 
type=PATH msg=audit(04/30/2019 05:48:47.069:437) : item=0 name=(null) inode=396285 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nagios_log_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=SYSCALL msg=audit(04/30/2019 05:48:47.069:437) : arch=x86_64 syscall=fchown success=no exit=EPERM(Operation not permitted) a0=0x5 a1=0x3e5 a2=0x3e2 a3=0x24 items=1 ppid=1 pid=3753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nagios exe=/usr/sbin/nagios subj=system_u:system_r:nagios_t:s0 key=(null) 
type=AVC msg=audit(04/30/2019 05:48:47.069:437) : avc:  denied  { chown } for  pid=3753 comm=nagios capability=chown  scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability permissive=0 
----

The same SELinux denial appeared during manual testing.

# find /var/ -inum 396285
/var/log/nagios/nagios.log
# ls -il /var/log/nagios/nagios.log 
396285 -rw-r--r--. 1 nagios nagios 5851 Apr 30 05:51 /var/log/nagios/nagios.log
# ls -Z /var/log/nagios/nagios.log 
-rw-r--r--. nagios nagios system_u:object_r:nagios_log_t:s0 /var/log/nagios/nagios.log
#

# rpm -qa selinux\* nagios\* | sort
nagios-4.4.3-1.el7.x86_64
nagios-common-4.4.3-1.el7.x86_64
nagios-plugins-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-disk-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-dummy-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-icmp-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-load-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nagios-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nrpe-3.2.1-8.el7.x86_64
nagios-plugins-ping-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-procs-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-ssh-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-users-2.2.1-16.20180725git3429dad.el7.x86_64
selinux-policy-3.13.1-244.el7.noarch
selinux-policy-devel-3.13.1-244.el7.noarch
selinux-policy-targeted-3.13.1-244.el7.noarch
#

Comment 33 Milos Malik 2019-05-07 12:12:48 UTC
The following rules are missing:

allow nrpe_t systemd_logind_t : process { getattr };
allow nrpe_t sssd_t : process { signull };
allow nrpe_t system_dbusd_t : dbus { send_msg };
allow nrpe_t system_dbusd_t : unix_stream_socket { connectto };
allow nrpe_t unconfined_service_t : dbus { send_msg };
allow unconfined_service_t nrpe_t : dbus { send_msg };
allow systemd_hostnamed_t sosreport_t : dbus { send_msg };

SELinux denials stored in customer cases imply that these rules should be present in policy (either in allow form or dontaudit form).
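As an added illustration (not part of this bug report and not Red Hat's tooling), a small Python stand-in for the triage step behind comments 30 and 33: it parses AVC records, merges them into allow rules written in the same form comment 33 uses, and reports which of them a given rule list still lacks. The sample log is constructed: comment 30's chown denial plus two invented nrpe_t lines (hypothetical pids) modelled on comment 33's dbus rules.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC record from comment 30 plus two lines invented
# for this example (hypothetical pids) matching comment 33's nrpe_t/dbus rules.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/30/2019 05:48:47.069:437) : avc:  denied  { chown } for  pid=3753 comm=nagios capability=chown  scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=capability permissive=0
type=AVC msg=audit(04/30/2019 05:50:01.000:440) : avc:  denied  { send_msg } for  pid=3801 comm=sudo scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0
type=AVC msg=audit(04/30/2019 05:50:01.001:441) : avc:  denied  { connectto } for  pid=3801 comm=sudo path=/run/dbus/system_bus_socket scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(04/30/2019 05:48:47.069:437) : arch=x86_64 syscall=fchown success=no exit=EPERM(Operation not permitted)
"""
# The rules comment 33 says are missing, in the same sesearch-style format.
COMMENT_33_RULES = [
    "allow nrpe_t systemd_logind_t : process { getattr };",
    "allow nrpe_t sssd_t : process { signull };",
    "allow nrpe_t system_dbusd_t : dbus { send_msg };",
    "allow nrpe_t system_dbusd_t : unix_stream_socket { connectto };",
]
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def seltype(context):
    """Type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms, enforced) per AVC record;
    enforced is True for permissive=0 (field absent is treated as enforcing)."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # PATH/SYSCALL/PROCTITLE records carry no denial
            continue
        yield (seltype(m["scontext"]), seltype(m["tcontext"]), m["tclass"],
               set(m["perms"].split()), m["permissive"] != "1")

def rules_from_denials(text):
    """Merge denials by (source, target, class) into allow rules, one per triple."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perms, _enforced in parse_denials(text):
        grouped[(src, tgt, tclass)].update(perms)
    return sorted("allow %s %s : %s { %s };" % (k + (" ".join(sorted(p)),))
                  for k, p in grouped.items())

def missing_rules(text, policy_rules):
    """Generated rules that the given rule set (e.g. comment 33's) does not contain."""
    known = {r.strip() for r in policy_rules}
    return [r for r in rules_from_denials(text) if r not in known]
```

On a real host the input would come from `ausearch -m avc -i`; the point is to see which denials a shipped rule set already covers before writing a local policy module.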

Comment 50 errata-xmlrpc 2019-08-06 12:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127
