Bug 1815621
| Summary: | SELinux policy prevents /usr/lib64/nagios/plugins/check_file_age from working via NRPE | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | James Ralston <ralston> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.1 | CC: | florian, jonte.regnell, lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.3 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:56:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
We maintain a local SELinux policy module, and I can confirm that the following SELinux boolean, when enabled, resolves the issue:

```
## <desc>
## <p>
## Permit check_file_age to work.
## </p>
## <p>
## See: https://bugzilla.redhat.com/show_bug.cgi?id=1815621
## </p>
## </desc>
gen_tunable(local_nagios_uses_check_file_age, false)

gen_require(`
	type nagios_admin_plugin_t;
	type bin_t;
	class file { execute map };
')

tunable_policy(`local_nagios_uses_check_file_age',`
	allow nagios_admin_plugin_t bin_t:file { execute map };
')
```

The check_mailq plugin is affected by the same issue:

```
type=AVC msg=audit(1585562084.441:29236): avc: denied { map } for pid=20025 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=789560 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1585562084.441:29236): avc: denied { execute } for pid=20025 comm="check_mailq" path="/usr/bin/perl" dev="dm-0" ino=789560 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1585562084.441:29236): arch=c000003e syscall=59 success=yes exit=0 a0=14aaf30 a1=14ab280 a2=14aaab0 a3=fffffffffffffa86 items=0 ppid=7568 pid=20025 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="check_mailq" exe="/usr/bin/perl" subj=system_u:system_r:nagios_mail_plugin_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="icinga" GID="icinga" EUID="icinga" SUID="icinga" FSUID="icinga" EGID="icinga" SGID="icinga" FSGID="icinga"
```
In this case the type is `nagios_mail_plugin_t` and the above policy fixes this if I adjust the types accordingly. This might be needed for all perl plugins?
Florian, James,
There is an attribute:

```
# seinfo -xanagios_plugin_domain
Type Attributes: 1
   attribute nagios_plugin_domain;
      nagios_admin_plugin_t
      nagios_checkdisk_plugin_t
      nagios_eventhandler_plugin_t
      nagios_mail_plugin_t
      nagios_openshift_plugin_t
      nagios_services_plugin_t
      nagios_system_plugin_t
      nagios_unconfined_plugin_t
```

which can be used to allow a group of permissions to all of these types at once, in the same manner as permissions are allowed to individual domains.
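As an added illustration of the attribute-based approach described above (example code written for this page, not code from the bug or from the selinux-policy project): it parses the AVC records quoted in this bug, collapses the per-type denials onto the nagios_plugin_domain attribute, and renders a boolean-gated .te module. The module and boolean names are hypothetical placeholders, and the sample AVC lines are constructed from the ones quoted here.

```python
import re
from collections import defaultdict

# Constructed sample input: the check_file_age and check_mailq denials quoted in this bug.
AVC_LINES = [
    'type=AVC msg=audit(1584727714.401:2456): avc: denied { execute } for comm="check_file_age" path="/usr/bin/perl" scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1584727714.401:2456): avc: denied { map } for comm="check_file_age" path="/usr/bin/perl" scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1585562084.441:29236): avc: denied { map } for comm="check_mailq" path="/usr/bin/perl" scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1585562084.441:29236): avc: denied { execute } for comm="check_mailq" path="/usr/bin/perl" scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
]

# Types carrying the nagios_plugin_domain attribute, as listed by seinfo in this bug.
NAGIOS_PLUGIN_DOMAIN = {
    "nagios_admin_plugin_t", "nagios_checkdisk_plugin_t", "nagios_eventhandler_plugin_t",
    "nagios_mail_plugin_t", "nagios_openshift_plugin_t", "nagios_services_plugin_t",
    "nagios_system_plugin_t", "nagios_unconfined_plugin_t",
}

# Pull permissions, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)"
)

def parse_avc(lines):
    """Group denials as {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        if m := AVC_RE.search(line):
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def collapse_to_attribute(rules, attr, members):
    """Replace source types that belong to `attr` with the attribute, so one rule covers all of them."""
    out = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        out[(attr if stype in members else stype, ttype, tclass)] |= perms
    return dict(out)

def render_te(rules, attrs=(), module="local_nagios_perl", boolean="local_nagios_exec_bin"):
    """Emit a refpolicy-style .te module gating the rules behind a boolean (placeholder names)."""
    names = sorted({n for (s, t, _) in rules for n in (s, t)})
    classes = {c: set().union(*[p for (_, _, k), p in rules.items() if k == c]) for (_, _, c) in rules}
    req = [f"\t{'attribute' if n in attrs else 'type'} {n};" for n in names]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    allows = [f"\tallow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
              for (s, t, c), p in sorted(rules.items())]
    return "\n".join([f"policy_module({module}, 1.0)", "", f"gen_tunable({boolean}, false)", "",
                      "gen_require(`", *req, "')", "", f"tunable_policy(`{boolean}',`", *allows, "')", ""])
```

The rendered module is what you would feed to `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`; the boolean stays off until you flip it with `setsebool`.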
RHEL 7 seems to have the same issues after 7.8 upgrade.

Jonte, FYI: A bz for RHEL 7 has been created, too, now in VERIFIED state: bz#1824625

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528
Description of problem:

Current SELinux policy prevents /usr/lib64/nagios/plugins/check_file_age from working in any way when called via NRPE. In RHEL8, check_file_age is a perl script, and SELinux policy blocks perl from being able to execute it:

```
type=AVC msg=audit(1584727714.401:2456): avc: denied { execute } for pid=25648 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=8986739 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584727714.401:2456): avc: denied { map } for pid=25648 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=8986739 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
```

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-20.el8.noarch

How reproducible:

Configure an NRPE check to call check_file_age via nrpe.