Description of problem:
I'm flooded with logs about check_ssl_version. I know that this check is not included with the nagios packages, but I'll try here.

Version-Release number of selected component (if applicable):
nagios-common-4.4.6-4.el8.x86_64
nagios-plugins-load-2.3.3-5.el8.x86_64
nagios-plugins-ssh-2.3.3-5.el8.x86_64
nagios-plugins-mailq-2.3.3-5.el8.x86_64
nagios-plugins-nrpe-4.0.3-6.el8.x86_64
nagios-plugins-2.3.3-5.el8.x86_64
nagios-plugins-http-2.3.3-5.el8.x86_64
nagios-plugins-perl-2.3.3-5.el8.x86_64
nagios-plugins-procs-2.3.3-5.el8.x86_64
nagios-plugins-swap-2.3.3-5.el8.x86_64
nagios-4.4.6-4.el8.x86_64
nagios-contrib-4.4.6-4.el8.x86_64
nagios-plugins-mysql-2.3.3-5.el8.x86_64
nagios-plugins-ntp-2.3.3-5.el8.x86_64
nagios-plugins-disk-2.3.3-5.el8.x86_64
nagios-plugins-ping-2.3.3-5.el8.x86_64
nagios-plugins-users-2.3.3-5.el8.x86_64
nagios-plugins-icmp-2.3.3-5.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. install Nagios
2. get the ssl plugin from here - https://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_cert/details
3. run any checks with it

Actual results:
Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname. For complete SELinux messages run: sealert -l 31162041-8bf2-440d-a509-1719be8aefc6
Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that check_ssl_cert should be allowed open access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
# semodule -X 300 -i my-checksslcert.pp

Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: AnalyzeThread.run(): Set alarm timeout to 10

Expected results:
I expect to let it check the hosts file, if it has to.

Additional info:
Running
ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
semodule -X 300 -i my-checksslcert.pp
does not help. It creates 2 files:

# cat my-checksslcert.te

module my-checksslcert 1.0;

require {
	type nagios_t;
	type hostname_exec_t;
	class file { execute getattr read };
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t hostname_exec_t:file getattr;
allow nagios_t hostname_exec_t:file { execute read };

and

# cat my-checksslcert.pp
[binary SELinux policy module; contents not reproduced]

check_ssl_cert is super popular and maybe it could be implemented in selinux, even if the plugin itself is absent from the packages.
Here is one example alert.

# sealert -l 31162041-8bf2-440d-a509-1719be8aefc6
SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that check_ssl_cert should be allowed open access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
# semodule -X 300 -i my-checksslcert.pp

Additional Information:
Source Context                system_u:system_r:nagios_t:s0
Target Context                system_u:object_r:hostname_exec_t:s0
Target Objects                /usr/bin/hostname [ file ]
Source                        check_ssl_cert
Source Path                   check_ssl_cert
Port                          <Unknown>
Host                          s1-2-waw1
Source RPM Packages           bash-4.4.19-12.el8.x86_64
Target RPM Packages           hostname-3.20-6.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     s1-2-waw1
Platform                      Linux s1-2-waw1 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64
Alert Count                   117
First Seen                    2021-09-09 08:38:33 CEST
Last Seen                     2021-09-09 08:53:55 CEST
Local ID                      31162041-8bf2-440d-a509-1719be8aefc6

Raw Audit Messages
type=AVC msg=audit(1631170435.812:169853): avc:  denied  { open } for  pid=917756 comm="check_ssl_cert" path="/usr/bin/hostname" dev="sda1" ino=13478578 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1631170435.812:169853): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56553aead4b0 a2=0 a3=0 items=0 ppid=917726 pid=917756 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=check_ssl_cert exe=/usr/bin/bash subj=system_u:system_r:nagios_t:s0 key=(null)

Hash: check_ssl_cert,nagios_t,hostname_exec_t,file,open
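The AVC record in the alert denies { open } on hostname_exec_t, while the audit2allow-generated .te quoted in the report only contains rules for execute, getattr and read, which is why loading the module leaves the denial in place. As an added example (not part of the report, and not code from the check_ssl_cert project), the script below parses a raw AVC record and the allow rules of a .te file and reports the denied permissions the module does not cover; the sample record and .te text are copied from this report, and the function names are my own.

```python
import re

# Constructed sample input: the raw AVC record and the audit2allow-generated
# .te quoted in the report above (whitespace normalised).
AVC_LINE = (
    'type=AVC msg=audit(1631170435.812:169853): avc: denied { open } for '
    'pid=917756 comm="check_ssl_cert" path="/usr/bin/hostname" dev="sda1" '
    'ino=13478578 scontext=system_u:system_r:nagios_t:s0 '
    'tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0'
)
TE_TEXT = """module my-checksslcert 1.0;
require {
    type nagios_t;
    type hostname_exec_t;
    class file { execute getattr read };
}
allow nagios_t hostname_exec_t:file getattr;
allow nagios_t hostname_exec_t:file { execute read };
"""

# One "allow SRC TGT:CLASS perm;" or "allow SRC TGT:CLASS { perm ... };" per line.
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def parse_avc(line):
    """Return (source type, target type, class, denied perms) for an AVC denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*)\}', line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type[:range]; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], frozenset(m.group(1).split())


def parse_allow_rules(te_text):
    """Map (source, target, class) -> set of permissions granted by the .te's allow rules."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip('{} ').split())
    return rules


def uncovered_permissions(avc_line, te_text):
    """Permissions the AVC denies that the module would not grant (empty if fully covered)."""
    parsed = parse_avc(avc_line)
    if parsed is None:
        return set()
    stype, ttype, tclass, denied = parsed
    granted = parse_allow_rules(te_text).get((stype, ttype, tclass), set())
    return set(denied - granted)
```

Running uncovered_permissions(AVC_LINE, TE_TEXT) on the report's data returns {'open'}, the permission the generated module never grants.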