Bug 1856716 - SELinux is preventing check_mailq from execute access on the file /usr/bin/perl
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios-plugins
Version: epel8
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Guido Aulisi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-07-14 09:39 UTC by rgessner
Modified: 2021-02-20 00:05 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description rgessner 2020-07-14 09:39:10 UTC
Description of problem:

The check_mailq nagios plugin can not be used by nrpe with SELinux enabled.



Additional info:

SELinux is preventing check_mailq from execute access on the file /usr/bin/perl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_mailq should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_mailq' --raw | audit2allow -M my-checkmailq
# semodule -X 300 -i my-checkmailq.pp


Additional Information:
Source Context                system_u:system_r:nagios_mail_plugin_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        check_mailq
Source Path                   check_mailq
Port                          <Unknown>
Host                          hypxxxxxxxxxxxxx
Source RPM Packages           
Target RPM Packages           perl-interpreter-5.26.3-416.el8.x86_64
Policy RPM                    selinux-policy-3.14.3-41.el8_2.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hyperion.x4r.net
Platform                      Linux hypxxxxxxxxxxx 4.18.0-193.6.3.el8_2.x86_64
                              #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-07-14 11:20:27 CEST
Last Seen                     2020-07-14 11:30:27 CEST
Local ID                      dfc86828-4668-4f56-95cb-bfd11045e879

Raw Audit Messages
type=AVC msg=audit(1594719027.924:107423): avc:  denied  { execute } for  pid=189695 comm="check_mailq" path="/usr/bin/perl" dev="dm-1" ino=201702604 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: check_mailq,nagios_mail_plugin_t,bin_t,file,execute

Comment 1 Stefano Biagiotti 2020-12-10 11:16:29 UTC
Similar issue here with nagios-plugins-file_age-2.3.3-4.el8.x86_64

type=AVC msg=audit(1607595433.491:1068109): avc:  denied  { map } for  pid=3861499 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=50334503 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Comment 2 Fedora Admin user for bugzilla script actions 2021-02-20 00:05:37 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
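
An added example, not part of the bug report or of any project named in it: a small Python parser that reduces the raw AVC records quoted in the description and in Comment 1 to the comm, source type, target type, class and permission key laid out like the report's "Hash:" line, then groups the denials by target. The function names and the `enforced` field are assumptions of this example.

```python
import re
from collections import defaultdict

# Raw AVC records copied from the description and Comment 1 above.
SAMPLE_AVC = [
    'type=AVC msg=audit(1594719027.924:107423): avc:  denied  { execute } for  pid=189695 comm="check_mailq" path="/usr/bin/perl" dev="dm-1" ino=201702604 scontext=system_u:system_r:nagios_mail_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1607595433.491:1068109): avc:  denied  { map } for  pid=3861499 comm="check_file_age" path="/usr/bin/perl" dev="dm-0" ino=50334503 scontext=system_u:system_r:nagios_admin_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= f.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': f.get('comm', '?'),
        'path': f.get('path', '?'),
        # A context is user:role:type:level; the type is the third field.
        'source_type': f['scontext'].split(':')[2],
        'target_type': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
        'enforced': f.get('permissive') == '0',
    }


def triage_key(rec):
    """comm,source type,target type,class,perms: the layout of the report's Hash line."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], ','.join(rec['perms'])])


def group_by_target(lines):
    """Map (target type, class, path) -> {source domain: set of denied permissions}."""
    groups = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse_avc, lines)):
        target = (rec['target_type'], rec['tclass'], rec['path'])
        groups[target][rec['source_type']].update(rec['perms'])
    return {k: dict(v) for k, v in groups.items()}


if __name__ == '__main__':
    for line in SAMPLE_AVC:
        print(triage_key(parse_avc(line)))
    print(group_by_target(SAMPLE_AVC))
```

On the two records from this page, the grouping puts both plugin domains under the same target: the `bin_t` file `/usr/bin/perl`.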

