RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 917157 - SELinux blocks Nagios/NRPE plugins which use sudo
Summary: SELinux blocks Nagios/NRPE plugins which use sudo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 1212796
TreeView+ depends on / blocked
 
Reported: 2013-03-01 21:10 UTC by James Ralston
Modified: 2015-05-20 05:27 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1230670 (view as bug list)
Environment:
Last Closed: 2013-11-21 10:18:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description James Ralston 2013-03-01 21:10:58 UTC 
We use Nagios and NRPE to monitor our servers, and we have written some of our own plug-ins for Nagios.

For example, we have a plugin called service-status. It calls the "status" action of the init.d script for the supplied service to determine the health of the service. In most cases, this is superior to (e.g.) grepping the process table in order to determine whether a service is running correctly.

Because some init.d scripts can't properly perform the status() check unless they are run as root, NRPE calls the plugin via sudo, like so:

$ cat /etc/nrpe.d/service-status.cfg
## $ARG1$ = service name
command[service-status]=sudo /usr/libexec/nagios/plugins/service-status $ARG1$

But SELinux policy does not permit nrpe_t to execute sudo:

$ ausearch -m avc -ts today | grep sudo | audit2allow
#============= nrpe_t ==============
allow nrpe_t self:capability audit_write;
allow nrpe_t self:netlink_audit_socket { nlmsg_relay create };
allow nrpe_t sudo_exec_t:file { read getattr open execute execute_no_trans };

I see nothing in the nagios_selinux(8) or nrpe_selinux(8) man pages that provides a mechanism to address this. (Setting the file context on /etc/nrpe.d/service-status.cfg won't help, because nrpe doesn't exec it; nrpe merely reads it.)

We need to have the ability (via a SELinux boolean value, perhaps?) to tell SELinux that it's permissible for nrpe_t to execute sudo.

Versions:

selinux-policy-targeted-3.7.19-195.el6_4.1.noarch
Comment 1 Daniel Walsh 2013-03-04 16:59:42 UTC 
Would this policy work?

dontaudit nrpe_t self:capability audit_write;
dontaudit nrpe_t self:netlink_audit_socket { nlmsg_relay create };
can_exec(nrpe_t, sudo_exec_t)
Comment 2 James Ralston 2013-03-05 06:53:22 UTC 
Hmmm. I created a module to implement the above policy. It almost works, but sudo fails unless it can call sys_ptrace:

type=SYSCALL msg=audit(1362463802.168:100485): arch=c000003e syscall=0 success=yes exit=225 a0=3 a1=7f4904602000 a2=400 a3=22 items=0 ppid=4361 pid=4362 auid=20576 uid=497 gid=497 euid=0 suid=0 fsuid=0 egid=497 sgid=497 fsgid=497 tty=(none) ses=2533 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1362463802.168:100485): avc:  denied  { sys_ptrace } for  pid=4362 comm="sudo" capability=19  scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=capability

If I change the policy to:

allow nrpe_t self:capability sys_ptrace;
dontaudit nrpe_t self:capability audit_write;
dontaudit nrpe_t self:netlink_audit_socket { nlmsg_relay create };
can_exec(nrpe_t, sudo_exec_t)

...then I see no avc denials.

I'm not sure why sudo needs ptrace, but in enforcing mode, it fails if it doesn't have it.
Comment 4 Sebastian Lehn 2013-08-14 13:50:46 UTC 
Is it possible to get the hotfixed version selinux-policy-3.7.19-210.el6 ?
Comment 5 Milos Malik 2013-08-14 13:54:08 UTC 
http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Comment 6 Sebastian Lehn 2013-08-14 14:41:03 UTC 
(In reply to Milos Malik from comment #5)
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Thanks for the url. Version selinux-policy-targeted-3.7.19-211.el6 works for me.
I hope to see an official update during the next days.
Comment 7 Daniel Walsh 2013-08-14 15:05:27 UTC 
That is the package that should be in RHEL6.5
Comment 9 errata-xmlrpc 2013-11-21 10:18:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.