1760883 – SELinux prevents various nagios plugins from reading /sys/devices/system/cpu directory

Bug 1760883 - SELinux prevents various nagios plugins from reading /sys/devices/system/cpu directory

Summary: SELinux prevents various nagios plugins from reading /sys/devices/system/cpu ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	30
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Richard Fiľo
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-11 15:26 UTC by Milos Malik
Modified:	2019-11-17 01:13 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.3-52.fc30
Clone Of:
Environment:
Last Closed:	2019-11-17 01:13:04 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Milos Malik 2019-10-11 15:26:11 UTC

Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-46.fc30.noarch
nagios-4.4.3-4.fc30.ppc64le
nagios-common-4.4.3-4.fc30.ppc64le
nagios-plugins-2.2.1-15.20180725git3429dad.fc30.ppc64le

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 30 machine (targeted policy is active)
2. run following automated TC:
 * /CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/26/2019 13:52:35.627:155) : proctitle=/usr/lib64/nagios/cgi-bin/histogram.cgi 
type=PATH msg=audit(09/26/2019 13:52:35.627:155) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:35.627:155) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:35.627:155) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9a31b348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=13980 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=histogram.cgi exe=/usr/lib64/nagios/cgi-bin/histogram.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:35.627:155) : avc:  denied  { read } for  pid=13980 comm=histogram.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/26/2019 13:52:35.957:156) : proctitle=/usr/lib64/nagios/cgi-bin/statusmap.cgi 
type=PATH msg=audit(09/26/2019 13:52:35.957:156) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:35.957:156) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:35.957:156) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff80abb348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=14148 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=statusmap.cgi exe=/usr/lib64/nagios/cgi-bin/statusmap.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:35.957:156) : avc:  denied  { read } for  pid=14148 comm=statusmap.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/26/2019 13:52:36.177:157) : proctitle=/usr/lib64/nagios/cgi-bin/trends.cgi 
type=PATH msg=audit(09/26/2019 13:52:36.177:157) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:36.177:157) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:36.177:157) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9100b348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=14253 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=trends.cgi exe=/usr/lib64/nagios/cgi-bin/trends.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:36.177:157) : avc:  denied  { read } for  pid=14253 comm=trends.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
----

Expected results:
 * no SELinux denials

Additional info:

Comment 2 Richard Fiľo 2019-10-17 15:36:29 UTC

It will be fixed in SELinux policy package.

PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/153

Comment 3 Lukas Vrabec 2019-10-22 10:38:45 UTC

commit 5e0b083d9f52817b6e5d940bb27315c1b816b620 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Thu Oct 17 16:05:41 2019 +0200

    Allow nagios_script_t domain list files labled sysfs_t.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1760883

Comment 4 Fedora Update System 2019-10-23 07:00:23 UTC

FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 5 Fedora Update System 2019-10-25 19:33:59 UTC

selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 6 Fedora Update System 2019-10-26 17:02:47 UTC

FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 7 Fedora Update System 2019-10-27 03:54:44 UTC

selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 8 Fedora Update System 2019-11-03 14:10:46 UTC

FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 9 Fedora Update System 2019-11-04 02:10:11 UTC

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 10 Fedora Update System 2019-11-17 01:13:04 UTC

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.