Bug 1792244 - check_disk_smb blocked by selinux
Summary: check_disk_smb blocked by selinux
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: epel8
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Guido Aulisi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-17 11:21 UTC by Stefano Biagiotti
Modified: 2021-02-20 00:05 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Stefano Biagiotti 2020-01-17 11:21:37 UTC
Description of problem:
I configured a service in nagios to use check_disk_smb and it always fails because of selinux.
define service {
    host_name            CIFSserver
    service_description  samba
    check_command        check_disk_smb!xxx
    ...
}
define command {
   command_name  check_disk_smb
   command_line  $USER1$/check_disk_smb -H $HOSTADDRESS$ -s $ARG1$ -u ID -p PW
}


Version-Release number of selected component (if applicable):
nagios-plugins-disk_smb-2.2.2-2.20190926git1b8ad57.el8.x86_64


Actual results:
type=PROCTITLE msg=audit(1579258574.965:24103): proctitle=6D7973716C61646D696E002D2D686F73743D3139322E3136382E332E313430002D2D757365723D726F6F74002D2D70617373776F72643D65757231736B3000737461747573
type=AVC msg=audit(1579258593.970:24104): avc:  denied  { getattr } for  pid=28408 comm="smbclient" path="/etc/samba/smb.conf" dev="dm-0" ino=502508 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579258593.970:24104): arch=c000003e syscall=4 success=no exit=-13 a0=55b272588a20 a1=7ffd63b4d510 a2=7ffd63b4d510 a3=55b272552010 items=0 ppid=28407 pid=28408 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="smbclient" exe="/usr/bin/smbclient" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="nagios" GID="nagios" EUID="nagios" SUID="nagios" FSUID="nagios" EGID="nagios" SGID="nagios" FSGID="nagios"
type=PROCTITLE msg=audit(1579258593.970:24104): proctitle=2F7573722F62696E2F736D62636C69656E74002F2F38302E39332E3132382E342F44617469566F6C61002D5500766F6C612577656C636F6D65766F6C61002D6D00002D63006475
type=AVC msg=audit(1579258593.970:24105): avc:  denied  { read } for  pid=28408 comm="smbclient" name="smb.conf" dev="dm-0" ino=502508 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579258593.970:24105): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b272588a20 a2=0 a3=0 items=0 ppid=28407 pid=28408 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="smbclient" exe="/usr/bin/smbclient" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="nagios" GID="nagios" EUID="nagios" SUID="nagios" FSUID="nagios" EGID="nagios" SGID="nagios" FSGID="nagios"
type=PROCTITLE msg=audit(1579258593.970:24105): proctitle=2F7573722F62696E2F736D62636C69656E74002F2F38302E39332E3132382E342F44617469566F6C61002D5500766F6C612577656C636F6D65766F6C61002D6D00002D63006475
type=AVC msg=audit(1579258593.970:24106): avc:  denied  { getattr } for  pid=28408 comm="smbclient" path="/etc/samba/smb.conf" dev="dm-0" ino=502508 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579258593.970:24106): arch=c000003e syscall=4 success=no exit=-13 a0=55b272588b30 a1=7ffd63b4d520 a2=7ffd63b4d520 a3=1 items=0 ppid=28407 pid=28408 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="smbclient" exe="/usr/bin/smbclient" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="nagios" GID="nagios" EUID="nagios" SUID="nagios" FSUID="nagios" EGID="nagios" SGID="nagios" FSGID="nagios"
type=PROCTITLE msg=audit(1579258593.970:24106): proctitle=2F7573722F62696E2F736D62636C69656E74002F2F38302E39332E3132382E342F44617469566F6C61002D5500766F6C612577656C636F6D65766F6C61002D6D00002D63006475
type=AVC msg=audit(1579258593.970:24107): avc:  denied  { read } for  pid=28408 comm="smbclient" name="smb.conf" dev="dm-0" ino=502508 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579258593.970:24107): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b272588b30 a2=0 a3=0 items=0 ppid=28407 pid=28408 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="smbclient" exe="/usr/bin/smbclient" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="nagios" GID="nagios" EUID="nagios" SUID="nagios" FSUID="nagios" EGID="nagios" SGID="nagios" FSGID="nagios"
type=PROCTITLE msg=audit(1579258593.970:24107): proctitle=2F7573722F62696E2F736D62636C69656E74002F2F38302E39332E3132382E342F44617469566F6C61002D5500766F6C612577656C636F6D65766F6C61002D6D00002D63006475
type=AVC msg=audit(1579258593.970:24108): avc:  denied  { create } for  pid=28408 comm="smbclient" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=netlink_route_socket permissive=0
type=SYSCALL msg=audit(1579258593.970:24108): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=0 a3=0 items=0 ppid=28407 pid=28408 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="smbclient" exe="/usr/bin/smbclient" subj=system_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=socket AUID="unset" UID="nagios" GID="nagios" EUID="nagios" SUID="nagios" FSUID="nagios" EGID="nagios" SGID="nagios" FSGID="nagios"


Additional info:
With "setenforce permissive" check_disk_smb works fine.
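
Added example, not part of the original report and not the audit2allow tool itself: a Python sketch that collapses the AVC denials quoted above into the distinct type-enforcement rules they imply, so the missing access for nagios_checkdisk_plugin_t can be reviewed in one place. The function names are hypothetical and the sample input is abridged from the report (pid, dev and ino fields dropped).

```python
import re
from collections import defaultdict

# Sample input: the three distinct denials from the report, abridged,
# plus one non-AVC record to show that other record types are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1579258593.970:24104): avc:  denied  { getattr } for  comm="smbclient" path="/etc/samba/smb.conf" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579258593.970:24104): arch=c000003e syscall=4 success=no exit=-13 comm="smbclient" exe="/usr/bin/smbclient"
type=AVC msg=audit(1579258593.970:24105): avc:  denied  { read } for  comm="smbclient" name="smb.conf" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1579258593.970:24108): avc:  denied  { create } for  comm="smbclient" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=netlink_route_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PROCTITLE and other records carry no denial
        m = AVC_RE.search(line)
        if m is None:
            continue
        source = se_type(m["scon"])
        target = se_type(m["tcon"])
        if target == source:
            target = "self"  # policy language spells same-domain access "self"
        denied[(source, target, m["tclass"])].update(m["perms"].split())
    return denied


def to_te_rules(denied):
    """Render the grouped denials as allow rules for review."""
    rules = []
    for (source, target, tclass), perms in sorted(denied.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_te_rules(summarize_denials(SAMPLE_AUDIT))))
```

The five denials in the report reduce to two rules: read access to the Samba configuration type and creation of a netlink route socket by the plugin domain itself.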

Comment 1 Fedora Admin XMLRPC Client 2020-02-25 16:34:57 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 2 Fedora Admin user for bugzilla script actions 2021-02-20 00:05:39 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

