Bug 967774 - nrpe_t wants to read the var_t:dir
Summary: nrpe_t wants to read the var_t:dir
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 3.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: 4.0
Assignee: Lon Hohberger
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-05-28 10:02 UTC by Attila Fazekas
Modified: 2016-04-27 04:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-03 21:53:21 UTC
Target Upstream Version:
Embargoed:



Description Attila Fazekas 2013-05-28 10:02:20 UTC
audit2allow </var/log/audit/audit.log


#============= nrpe_t ==============
allow nrpe_t var_t:dir read;

Comment 2 Miroslav Grepl 2013-05-28 11:29:53 UTC
Could you also attach AVC msgs?

Comment 3 Attila Fazekas 2013-08-12 14:06:32 UTC
The current messages from /var/log/audit/audit.log:

type=AVC msg=audit(1376314068.155:52960): avc:  denied  { read } for  pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc:  denied  { read } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314668.183:55575): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6820ff63 a1=100 a2=0 a3=90 items=0 ppid=9323 pid=9324 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315268.610:57882): avc:  denied  { read } for  pid=11096 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315268.610:57882): arch=c000003e syscall=2 success=no exit=-13 a0=7fff90a21f63 a1=100 a2=0 a3=90 items=0 ppid=11095 pid=11096 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376315868.237:60189): avc:  denied  { read } for  pid=12893 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376315868.237:60189): arch=c000003e syscall=2 success=no exit=-13 a0=7fff49b55f63 a1=100 a2=0 a3=90 items=0 ppid=12892 pid=12893 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)


It is a default packstack installation with nagios as an enabled service.
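As an added illustration (not part of this bug report, and not audit2allow's own code), the Python below reduces AVC records like the ones above to the grouped rule that audit2allow printed in the description, and ties each denial to the executable named in the SYSCALL record that shares its audit serial; the sample log is constructed from lines quoted in this comment.

```python
import re
from collections import defaultdict
# Constructed sample: one AVC/SYSCALL pair plus a second AVC, copied from the comment above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376314068.155:52960): avc:  denied  { read } for  pid=7368 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1376314068.155:52960): arch=c000003e syscall=2 success=no exit=-13 a0=7fff09b9df63 a1=100 a2=0 a3=90 items=0 ppid=7367 pid=7368 auid=0 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=231 comm="df" exe="/bin/df" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1376314668.183:55575): avc:  denied  { read } for  pid=9324 comm="df" name="var" dev=vda2 ino=13 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    # One audit line -> its key=value fields plus 'type', 'serial' and, for AVC denials, 'perms'.
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec, body = {'type': m.group('type'), 'serial': m.group('serial')}, m.group('body')
    if rec['type'] == 'AVC':
        d = DENIED_RE.search(body)
        if not d:
            return None  # an AVC line that is not a denial (e.g. "granted") is ignored
        rec['perms'], body = d.group('perms').split(), d.group('fields')
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(body))
    return rec

def summarize_denials(log_text):
    # Group denials by (source type, target type, class) as audit2allow does, and
    # record the executable from the SYSCALL line that shares each AVC's audit serial.
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    syscalls = {r['serial']: r for r in records if r['type'] == 'SYSCALL'}
    summary = defaultdict(lambda: {'perms': set(), 'exes': set()})
    for r in records:
        if r['type'] == 'AVC':
            # a context is user:role:type:level; the type is the third field
            key = (r['scontext'].split(':')[2], r['tcontext'].split(':')[2], r['tclass'])
            summary[key]['perms'].update(r['perms'])
            if r['serial'] in syscalls:
                summary[key]['exes'].add(syscalls[r['serial']].get('exe', '?'))
    return dict(summary)

def allow_rules(summary):
    # Render the grouped denials in the policy syntax audit2allow prints.
    out = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = sorted(info['perms'])
        perms = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perms};')
    return out
```

Running `allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))` yields the single rule `allow nrpe_t var_t:dir read;`, and the `exes` set shows the denial came from `/bin/df`, which is what the nagios check runs.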

Comment 4 Miroslav Grepl 2013-08-19 13:00:24 UTC
We allow it in Fedora.

#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

Comment 5 Miroslav Grepl 2013-08-19 13:04:04 UTC
And it has also been added to RHEL 6.5.

Comment 6 Lon Hohberger 2013-12-03 21:53:21 UTC
This was a RHEL 6.5 bug and is resolved in the 6.5 selinux-policy erratum:

http://rhn.redhat.com/errata/RHBA-2013-1598.html

