Bug 2002540 - SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios
Version: epel8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Guido Aulisi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-09 06:54 UTC by Łukasz Posadowski
Modified: 2021-09-09 06:56 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Łukasz Posadowski 2021-09-09 06:54:51 UTC
Description of problem:
I'm flooded with logs about check_ssl_version. I know that this check is not included with the nagios packages, but I'll try here.

Version-Release number of selected component (if applicable):
nagios-common-4.4.6-4.el8.x86_64
nagios-plugins-load-2.3.3-5.el8.x86_64
nagios-plugins-ssh-2.3.3-5.el8.x86_64
nagios-plugins-mailq-2.3.3-5.el8.x86_64
nagios-plugins-nrpe-4.0.3-6.el8.x86_64
nagios-plugins-2.3.3-5.el8.x86_64
nagios-plugins-http-2.3.3-5.el8.x86_64
nagios-plugins-perl-2.3.3-5.el8.x86_64
nagios-plugins-procs-2.3.3-5.el8.x86_64
nagios-plugins-swap-2.3.3-5.el8.x86_64
nagios-4.4.6-4.el8.x86_64
nagios-contrib-4.4.6-4.el8.x86_64
nagios-plugins-mysql-2.3.3-5.el8.x86_64
nagios-plugins-ntp-2.3.3-5.el8.x86_64
nagios-plugins-disk-2.3.3-5.el8.x86_64
nagios-plugins-ping-2.3.3-5.el8.x86_64
nagios-plugins-users-2.3.3-5.el8.x86_64
nagios-plugins-icmp-2.3.3-5.el8.x86_64


How reproducible:
Always

Steps to Reproduce:
1. install Nagios
2. get ssl plugin from here - https://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_cert/details 
3. run any checks with it

Actual results:
Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname. For complete SELinux messages run: sealert -l 31162041-8bf2-440d-a509-1719be8aefc6
Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname.
                                                  
                                                  *****  Plugin catchall (100. confidence) suggests   **************************
                                                  
                                                  If you believe that check_ssl_cert should be allowed open access on the hostname file by default.
                                                  Then you should report this as a bug.
                                                  You can generate a local policy module to allow this access.
                                                  Do
                                                  allow this access for now by executing:
                                                  # ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
                                                  # semodule -X 300 -i my-checksslcert.pp
                                                  
Sep 09 08:41:21 s1-2-waw1 setroubleshoot[901553]: AnalyzeThread.run(): Set alarm timeout to 10


Expected results:
I expect to let it check the hosts file, if it has to.

Additional info:
Running
ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
semodule -X 300 -i my-checksslcert.pp
does not help.

It creates 2 files:

# cat my-checksslcert.te
module my-checksslcert 1.0;

require {
	type nagios_t;
	type hostname_exec_t;
	class file { execute getattr read };
}

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t hostname_exec_t:file getattr;
allow nagios_t hostname_exec_t:file { execute read };

and

# cat my-checksslcert.pp

check_ssl_cert is super popular and maybe it could be implemented in selinux, even if the plugin itself is absent from the packages.

Comment 1 Łukasz Posadowski 2021-09-09 06:56:22 UTC
Here is one example alert.

# sealert -l 31162041-8bf2-440d-a509-1719be8aefc6
SELinux is preventing check_ssl_cert from open access on the file /usr/bin/hostname.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that check_ssl_cert should be allowed open access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_ssl_cert' --raw | audit2allow -M my-checksslcert
# semodule -X 300 -i my-checksslcert.pp


Additional Information:
Source Context                system_u:system_r:nagios_t:s0
Target Context                system_u:object_r:hostname_exec_t:s0
Target Objects                /usr/bin/hostname [ file ]
Source                        check_ssl_cert
Source Path                   check_ssl_cert
Port                          <Unknown>
Host                          s1-2-waw1
Source RPM Packages           bash-4.4.19-12.el8.x86_64
Target RPM Packages           hostname-3.20-6.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     s1-2-waw1
Platform                      Linux s1-2-waw1 4.18.0-240.22.1.el8_3.x86_64 #1
                              SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64
Alert Count                   117
First Seen                    2021-09-09 08:38:33 CEST
Last Seen                     2021-09-09 08:53:55 CEST
Local ID                      31162041-8bf2-440d-a509-1719be8aefc6

Raw Audit Messages
type=AVC msg=audit(1631170435.812:169853): avc:  denied  { open } for  pid=917756 comm="check_ssl_cert" path="/usr/bin/hostname" dev="sda1" ino=13478578 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1631170435.812:169853): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56553aead4b0 a2=0 a3=0 items=0 ppid=917726 pid=917756 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=check_ssl_cert exe=/usr/bin/bash subj=system_u:system_r:nagios_t:s0 key=(null)

Hash: check_ssl_cert,nagios_t,hostname_exec_t,file,open

