Description of problem:
SELinux silently denies the nagios check_disk plugin to check /boot when executed via the NRPE daemon.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Set up nrpe to execute the following check:
   command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /boot
2. Activate the NRPE check from other host:
   /usr/lib64/nagios/plugins/check_nrpe -H TESTHOST.redhat.com -c check_boot

Actual results:
DISK CRITICAL - /boot is not accessible: Permission denied

Expected results:
DISK OK - free space: /boot 167 MB (77% inode=99%);| /boot=47MB;203;214;0;226

Additional info:
I had to run 'semodule -DB' to actually get any output about this in audit.log. Once I did, and turned off enforcing, the following is a dump of the relevant entries:

type=AVC msg=audit(1323966375.648:38669): avc: denied { getattr } for pid=27971 comm="sh" path="/root" dev=vda3 ino=372417 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1323966375.648:38669): arch=c000003e syscall=4 success=yes exit=0 a0=cd4430 a1=7fff5c081440 a2=7fff5c081440 a3=3d04d250e0 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1323966375.648:38670): avc: denied { read write } for pid=27971 comm="check_disk" path="socket:[1026787]" dev=sockfs ino=1026787 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=AVC msg=audit(1323966375.648:38670): avc: denied { rlimitinh } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=AVC msg=audit(1323966375.648:38670): avc: denied { siginh } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=AVC msg=audit(1323966375.648:38670): avc: denied { noatsecure } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=SYSCALL msg=audit(1323966375.648:38670): arch=c000003e syscall=59 success=yes exit=0 a0=cd9580 a1=cd95e0 a2=cd7690 a3=40 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)
type=AVC msg=audit(1323966375.650:38671): avc: denied { getattr } for pid=27971 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1323966375.650:38671): arch=c000003e syscall=4 success=yes exit=0 a0=7fffcb59c782 a1=10c0090 a2=10c0090 a3=10 items=0 ppid=27970 pid=27971 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=20 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 key=(null)
I'm seeing similar behavior with both the Nagios check_disk and check_nagios plugins when confined by selinux-policy-targeted-3.7.19-126.el6_2.4.noarch. These plugins worked fine with RHEL6.1, and haven't changed in EPEL between 6.1 and 6.2.

With the following in nrpe.cfg:

command[check_nagios]=/usr/lib64/nagios/plugins/check_nagios -e 10 -F /var/log/nagios/status.dat -C /usr/sbin/nagios
command[check_alldisks]=/usr/lib64/nagios/plugins/check_disk --stat-remote-fs -e -x gvfs-fuse-daemon -x nfsd -x nodev -x sysfs -x devpts -x tmpfs -x none -x sunrpc

We can try the checks with something like:

/usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_nagios
/usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_alldisks

The check_nagios check gives the following avcs:

Jan 1 11:24:17 triangle kernel: type=1400 audit(1325445857.766:443): avc: denied { search } for pid=9051 comm="check_nagios" name="log" dev=cciss!c0d0p3 ino=307 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Jan 1 11:24:17 triangle kernel: type=1400 audit(1325445857.848:444): avc: denied { search } for pid=9051 comm="check_nagios" name="nagios" dev=cciss!c0d0p3 ino=1136 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=dir
Jan 1 11:24:18 triangle kernel: type=1400 audit(1325445857.930:445): avc: denied { read } for pid=9051 comm="check_nagios" name="status.dat" dev=cciss!c0d0p3 ino=104 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

While check_disk gives the following:

Jan 1 11:20:38 triangle kernel: type=1400 audit(1325445638.539:6): avc: denied { getattr } for pid=7525 comm="check_disk" name="/" dev=cciss!c0d0p1 ino=2 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Jan 1 11:20:38 triangle kernel: type=1400 audit(1325445638.618:7): avc: denied { getattr } for pid=7525 comm="check_disk" name="/" dev=proc ino=1 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem

The checks both succeed if SELinux is put into permissive mode. I have worked around these problems for the time being with

chcon -t nagios_unconfined_plugin_exec_t check_nagios check_disk

but it would be preferable if SELinux policy were fixed so these plugins continued to work as in 6.1.
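Both reports above boil down to the same triage step: read the AVC records, work out which domain the plugin actually ran in, and separate the denial that breaks the check from the ones that only appear because `semodule -DB` disabled the dontaudit rules. The script below is an added example by the editor, not code from either reporter or from the selinux-policy package. It parses the AVC lines pasted in the two comments (the sample list is copied from them, not constructed), groups each denial by source type, target type and object class, renders the `allow` rule that would cover it (the same summary `audit2allow` produces), and reports the source domain per plugin. The classification of `rlimitinh`, `siginh` and `noatsecure` on `tclass=process` as dontaudited transition noise is the editor's note, not something the reporters state.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC records from audit.log or the kernel log.

Added example for the nagios/NRPE reports above; not part of the bug
report or of selinux-policy.  Works offline on the pasted records.
"""
import re
from collections import defaultdict

# "... avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denied on every domain transition and normally hidden by dontaudit rules;
# they show up after `semodule -DB` but never explain a failing check.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}

# Records copied from the two comments above (one SYSCALL line kept to show
# that non-AVC records are skipped).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1323966375.648:38669): avc: denied { getattr } for pid=27971 comm="sh" path="/root" dev=vda3 ino=372417 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1323966375.648:38669): arch=c000003e syscall=4 success=yes exit=0 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)',
    'type=AVC msg=audit(1323966375.648:38670): avc: denied { read write } for pid=27971 comm="check_disk" path="socket:[1026787]" dev=sockfs ino=1026787 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1323966375.648:38670): avc: denied { rlimitinh } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process',
    'type=AVC msg=audit(1323966375.648:38670): avc: denied { siginh } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process',
    'type=AVC msg=audit(1323966375.648:38670): avc: denied { noatsecure } for pid=27971 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process',
    'type=AVC msg=audit(1323966375.650:38671): avc: denied { getattr } for pid=27971 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir',
    'Jan 1 11:24:17 triangle kernel: type=1400 audit(1325445857.766:443): avc: denied { search } for pid=9051 comm="check_nagios" name="log" dev=cciss!c0d0p3 ino=307 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'Jan 1 11:24:17 triangle kernel: type=1400 audit(1325445857.848:444): avc: denied { search } for pid=9051 comm="check_nagios" name="nagios" dev=cciss!c0d0p3 ino=1136 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=dir',
    'Jan 1 11:24:18 triangle kernel: type=1400 audit(1325445857.930:445): avc: denied { read } for pid=9051 comm="check_nagios" name="status.dat" dev=cciss!c0d0p3 ino=104 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file',
    'Jan 1 11:20:38 triangle kernel: type=1400 audit(1325445638.539:6): avc: denied { getattr } for pid=7525 comm="check_disk" name="/" dev=cciss!c0d0p1 ino=2 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'Jan 1 11:20:38 triangle kernel: type=1400 audit(1325445638.618:7): avc: denied { getattr } for pid=7525 comm="check_disk" name="/" dev=proc ino=1 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem',
]


def context_type(ctx):
    """user:role:type[:level] -> type (e.g. 'nrpe_t')."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for SYSCALL and other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def is_transition_noise(rec):
    """True for the process-class denials every domain transition produces."""
    return rec["tclass"] == "process" and rec["perms"] <= TRANSITION_NOISE


def summarize(lines):
    """Return (rules, noise, domains).

    rules:   {(stype, ttype, tclass): set(perms)} for the real denials
    noise:   records dropped as transition noise
    domains: {comm: set(stype)} showing which domain each plugin ran in
    """
    rules, noise, domains = defaultdict(set), [], defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_transition_noise(rec):
            noise.append(rec)
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        domains[rec["comm"]].add(rec["stype"])
    return dict(rules), noise, dict(domains)


def allow_rules(rules):
    """Render the grouped denials as policy `allow` statements, sorted."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in rules.items())


if __name__ == "__main__":
    rules, noise, domains = summarize(SAMPLE_AVCS)
    for comm, types in sorted(domains.items()):
        print("%-12s ran as %s" % (comm, ", ".join(sorted(types))))
    print("%d transition-noise record(s) ignored" % len(noise))
    print("\n".join(allow_rules(rules)))
```

Run against the pasted records it shows that check_disk landed in nagios_checkdisk_plugin_t on the first reporter's host but in nagios_system_plugin_t on the second's, so the file context of the plugin binary (`ls -Z /usr/lib64/nagios/plugins/check_disk`) is the first thing to compare before deciding on a workaround. The rendered `allow` lines are what `audit2allow -M` would put in a local module; that keeps the plugin confined, whereas the `chcon -t nagios_unconfined_plugin_exec_t` workaround drops confinement for it entirely. Once the dump is collected, `semodule -B` rebuilds the policy with the dontaudit rules re-enabled.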
I added fixes to Fedora and will backport.
Is there a workaround available? When is the fix expected to be included?
Yes, you can download the latest policy from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html