Bug 748838 - nagios-plugins-linux with nrpe raid fails due to selinux
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-10-25 13:49 UTC by Sergio Pascual
Modified: 2012-04-22 03:35 UTC (History)

Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:35:43 UTC

Description Sergio Pascual 2011-10-25 13:49:53 UTC
Description of problem:
I have nagios-plugins-linux_raid-1.4.15-4.fc16.x86_64 and it doesn't work with nrpe if selinux is enabled.

Version-Release number of selected component (if applicable):
nagios-plugins-linux_raid-1.4.15-4.fc16.x86_64
nrpe-2.12-18.fc16.x86_64
selinux-policy-targeted-3.10.0-46.fc16.noarch

How reproducible:
Always

Running audit2allow, I get the following:

#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t bin_t:file { read ioctl open getattr };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow nagios_checkdisk_plugin_t urandom_device_t:chr_file { read open };

And the following AVC messages appear in audit.log:

type=AVC msg=audit(1319189776.193:35784): avc:  denied  { read } for  pid=1075 comm="check_linux_rai" name="utils.pm" dev=dm-1 ino=1978281 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319189776.193:35784): avc:  denied  { open } for  pid=1075 comm="check_linux_rai" name="utils.pm" dev=dm-1 ino=1978281 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319189776.193:35785): avc:  denied  { ioctl } for  pid=1075 comm="check_linux_rai" path="/usr/lib64/nagios/plugins/utils.pm" dev=dm-1 ino=1978281 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 1 David Kowis 2012-02-08 20:40:42 UTC
I'm also having this problem but for different reasons:

type=AVC msg=audit(1328721441.189:19197): avc:  denied  { read } for  pid=32614 comm="check_nrpe" name="urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1328721441.189:19197): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a9a36e54f a1=900 a2=7f3a9a5b2220 a3=7ffffc37ac70 items=0 ppid=32613 pid=32614 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="check_nrpe" exe="/usr/lib64/nagios/plugins/check_nrpe" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
type=AVC msg=audit(1328721441.189:19198): avc:  denied  { read } for  pid=32614 comm="check_nrpe" name="random" dev=devtmpfs ino=1032 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1328721441.189:19198): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a9a36e55c a1=900 a2=7f3a9a5b2220 a3=7ffffc37ac70 items=0 ppid=32613 pid=32614 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="check_nrpe" exe="/usr/lib64/nagios/plugins/check_nrpe" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)

Apparently the selinux policy does not allow nrpe to read from /dev/random or /dev/urandom, which causes it to fail to create the SSL tunnel to actually run NRPE commands.
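
Added example (not part of the bug report, and not audit2allow's own code): a small Python triage script that groups AVC denials like the ones quoted in the description and in Comment 1 by source type, target type and object class, so the missing permissions can be reviewed at a glance. The sample records are trimmed copies of the lines in this report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Trimmed from the AVC/SYSCALL records quoted in this report (pid/dev/ino and most SYSCALL fields dropped).
SAMPLE = """\
type=AVC msg=audit(1319189776.193:35784): avc:  denied  { read } for  comm="check_linux_rai" name="utils.pm" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319189776.193:35784): avc:  denied  { open } for  comm="check_linux_rai" name="utils.pm" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319189776.193:35785): avc:  denied  { ioctl } for  comm="check_linux_rai" path="/usr/lib64/nagios/plugins/utils.pm" scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1328721441.189:19197): avc:  denied  { read } for  comm="check_nrpe" name="urandom" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1328721441.189:19197): arch=c000003e syscall=2 success=no exit=-13 comm="check_nrpe" subj=system_u:system_r:nagios_services_plugin_t:s0
type=AVC msg=audit(1328721441.189:19198): avc:  denied  { read } for  comm="check_nrpe" name="random" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def ctx_type(context):
    """Return the type field (third element) of user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
            denials[key].update(m["perms"].split())
    return denials

def as_rules(denials):
    """Render each group in allow-rule form, for review rather than blind loading."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```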

Comment 2 Ricky Zhou 2012-04-15 21:49:02 UTC
Moving to selinux-policy component - this is an issue on Fedora 17 as well.

Comment 3 Miroslav Grepl 2012-04-16 08:40:24 UTC
Also added to F17/RHEL6.

Comment 4 Fedora Update System 2012-04-18 12:53:33 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 5 Fedora Update System 2012-04-22 03:35:43 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

