Description of problem:
The Nagios check_procs plugin has a -u option to only check processes belonging to a named user. It consequently needs to read /etc/passwd. However, SELinux prevents it from doing this.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-125.fc17.noarch
nagios-plugins-procs-1.4.15-5.fc17.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up the Nagios check_procs plugin on a Fedora 17 machine; I install nrpe, and add the following to /etc/nagios/nrpe.cfg:
command[check_ntpd]=/usr/lib64/nagios/plugins/check_procs -u ntp -C ntpd -w 1:1 -c 1:1
2. Check the plugin (I run on my Nagios server "/usr/lib64/nagios/plugins/check_nrpe -H <f17machine> -c check_ntpd")

Actual results:
AVC on the Fedora 17 machine:
May 30 17:09:42 f17machine kernel: [ 1887.911663] type=1400 audit(1338422982.262:48): avc: denied { read } for pid=11373 comm="check_procs" name="passwd" dev="sda1" ino=421537 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

check_nrpe on the Nagios server fails with:
check_procs: User name was not found - ntp

Expected results:
No AVC; Nagios server reports:
PROCS OK: 1 process with UID = 38 (ntp), command name 'ntpd'

Additional info:
Temporary workaround:
chcon -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_procs
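The AVC line in the report carries everything needed to work out which policy rule is missing: the source domain (nagios_system_plugin_t), the target type (passwd_file_t), the object class (file) and the denied permission (read). The following is an added example, not code from the bug report or from the selinux-policy or nagios-plugins projects; it parses AVC denials the way audit2allow does and aggregates them into the allow rules that a local policy module would need. The sample log text is constructed: the first line is the denial quoted above, the second is a made-up getattr denial for the same file, included only to show that permissions for one (source, target, class) triple are merged.

```python
import re

# Constructed sample input. Line 1 is the AVC denial quoted in the bug report;
# line 2 is a hypothetical second denial (getattr on the same file) added here
# so that the aggregation of several permissions into one rule is exercised.
SAMPLE_LOG = """\
May 30 17:09:42 f17machine kernel: [ 1887.911663] type=1400 audit(1338422982.262:48): avc: denied { read } for pid=11373 comm="check_procs" name="passwd" dev="sda1" ino=421537 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
May 30 17:10:01 f17machine kernel: [ 1906.000000] type=1400 audit(1338423001.000:49): avc: denied { getattr } for pid=11374 comm="check_procs" path="/etc/passwd" dev="sda1" ino=421537 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if the line is not one.

    The dict holds the list of denied permissions under "perms" and every
    key=value field of the record (pid, comm, scontext, tcontext, tclass, ...).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def allow_rules(log_text):
    """Aggregate AVC denials into allow rules, one per (source, target, class).

    This mirrors what audit2allow prints for the same input; feeding the result
    to a local policy module is the usual way to unblock a confined program
    while a fixed distribution policy is pending.
    """
    needed = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        needed.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Run against the report's own denial alone, the output is `allow nagios_system_plugin_t passwd_file_t:file read;`, which is the narrow permission the fixed policy needs. Compare that with the chcon workaround in the report: relabelling the binary to nagios_unconfined_plugin_exec_t makes check_procs run unconfined, which removes far more than the one read permission, so it is only a stopgap until the updated selinux-policy package is installed.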
Great analysis. Fixed in selinux-policy-3.10.0-129.fc17
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.