View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0015585 | CentOS-7 | selinux-policy | public | 2018-12-14 14:42 | 2020-05-19 22:03 |
Reporter | yorick | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
OS | Centos | OS Version | 7.6.1810 | ||
Summary | 0015585: SELinux is preventing /usr/lib64/nagios/plugins/check_mailq from checking postfix mailq since CentOS 7.6 | ||||
Description | SELinux is preventing check_mailq from running properly.

### AVC denied.

type=AVC msg=audit(1544537618.291:81322): avc: denied { read write } for pid=45806 comm="check_mailq" path="socket:[11479019]" dev="sockfs" ino=11479019 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { rlimitinh } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { siginh } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { noatsecure } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute } for pid=45807 comm="check_mailq" name="sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { read open } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute_no_trans } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.348:81324): avc: denied { create } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81325): avc: denied { bind } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81326): avc: denied { getattr } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81327): avc: denied { write } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81327): avc: denied { nlmsg_read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81328): avc: denied { read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.352:81329): avc: denied { setuid } for pid=45807 comm="sudo" capability=7 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.352:81330): avc: denied { setgid } for pid=45807 comm="sudo" capability=6 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.354:81331): avc: denied { sys_resource } for pid=45807 comm="sudo" capability=24 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.354:81331): avc: denied { setrlimit } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { execute } for pid=45808 comm="sudo" name="unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { read open } for pid=45808 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { execute_no_trans } for pid=45808 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { read } for pid=45808 comm="unix_chkpwd" name="shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { open } for pid=45808 comm="unix_chkpwd" path="/etc/shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81334): avc: denied { getattr } for pid=45808 comm="unix_chkpwd" path="/etc/shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81335): avc: denied { create } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { write } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { nlmsg_relay } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { audit_write } for pid=45807 comm="sudo" capability=29 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.368:81338): avc: denied { read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.369:81341): avc: denied { setsched } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.369:81342): avc: denied { net_admin } for pid=45807 comm="sudo" capability=12 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.369:81343): avc: denied { search } for pid=45807 comm="sudo" name="dbus" dev="tmpfs" ino=29495 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { execute } for pid=45809 comm="sudo" name="sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { read open } for pid=45809 comm="sudo" path="/usr/lib64/plesk-9.0/sendmail/sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { execute_no_trans } for pid=45809 comm="sudo" path="/usr/lib64/plesk-9.0/sendmail/sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { execute } for pid=45809 comm="mailq" name="postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { read open } for pid=45809 comm="mailq" path="/usr/sbin/postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { execute_no_trans } for pid=45809 comm="mailq" path="/usr/sbin/postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537714.982:81407): avc: denied { connectto } for pid=46208 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544537852.367:81494): avc: denied { write } for pid=47190 comm="sudo" name="log" dev="devtmpfs" ino=311 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1544537852.392:81498): avc: denied { read } for pid=47192 comm="mailq" name="main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81498): avc: denied { open } for pid=47192 comm="mailq" path="/etc/postfix/main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81499): avc: denied { getattr } for pid=47192 comm="mailq" path="/etc/postfix/main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81500): avc: denied { create } for pid=47192 comm="mailq" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1544537852.400:81501): avc: denied { write } for pid=47192 comm="postqueue" name="showq" dev="dm-0" ino=34367853 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1544537852.408:81502): avc: denied { connectto } for pid=47190 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1544539909.518:82692): pid=5323 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.8166 spid=5333 tpid=55270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1544539919.990:82694): avc: denied { write } for pid=55236 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=key permissive=1

# Opinion

The package is EPEL maintained and should run out of the box without any issues.
Steps To Reproduce |

# On the client.

Upgrade from CentOS 7.5 to 7.6. Installed packages:
nagios-plugins-mailq-2.2.1-9git5c7eb5b9.el7.x86_64
nagios-plugins-2.2.1-9git5c7eb5b9.el7.x86_64
nrpe-3.2.1-8.el7.x86_64

# Nagios server

Call /usr/local/nagios-3.3.1/libexec/check_nrpe -H ${hostname} -c check_postfixq

Additional Information |
Kernel: 3.10.0-957.1.3.el7.x86_64
selinux-policy-3.13.1-229.el7_6.6.noarch
selinux-policy-targeted-3.13.1-229.el7_6.6.noarch
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
Note 0033604 (ledzepp4eva, 2019-01-16 14:46)

Found this while looking at the similar issue:

type=USER_AVC msg=audit(1547648760.587:866): pid=12383 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24465 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

generates after 30 seconds the following error in the system logs:

Jan 16 14:25:23 11 dbus[12383]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 30008ms)

selinux-policy-3.13.1-229.el7_6.6.noarch
selinux-policy-targeted-3.13.1-229.el7_6.6.noarch
kernel-3.10.0-957.1.3.el7.x86_64

This is being triggered when Zabbix attempts to run commands using sudo:

zabbix ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/python, /usr/bin/pdns_control, /usr/sbin/smartctl,/etc/zabbix/scripts/smartctl-disks-discovery.pl
Defaults:zabbix !requiretty
Defaults:zabbix visiblepw

For example, trying to pull stats from PowerDNS:

Jan 16 14:41:40 11 zabbix_agentd[23615]: failed to kill [/usr/bin/sudo /usr/bin/pdns_control show recursing-questions]: [1] Operation not permitted

I have other servers doing the same Zabbix monitoring operation on the previous selinux-policy and kernel versions and they aren't having any problems:

kernel-3.10.0-862.14.4.el7.x86_64
selinux-policy-3.13.1-192.el7_5.6.noarch
selinux-policy-targeted-3.13.1-192.el7_5.6.noarch

Setting SELinux to permissive resolves the issue.
Note 0036965 (porjo, 2020-05-19 22:03)

See Redhat Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1824625

Until the issue is fixed, the workaround is:

1. $ cat > nagios_execute_bin.cil << EOF
(allow nagios_mail_plugin_t bin_t (file (execute execute_no_trans getattr ioctl lock map open read)))
EOF

2. $ semodule -i nagios_execute_bin.cil
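Triage of the AVC dump in the description before writing a module of the kind shown in note 0036965, as an added example (not code from this report, from the EPEL nagios-plugins package, from selinux-policy, or from audit2allow). It parses kernel AVC and dbus USER_AVC records, groups them into candidate allow rules in the same CIL shape as the workaround above, and flags the rules a policy reviewer should refuse to load. The sample records are copied from the description; the list of "root-equivalent" capabilities and the three refusal criteria are this example's own judgement, not anything the report or the policy defines. Note that the source type in a generated rule is whatever scontext the record carries, so compare it with the domain named in a workaround's rule before installing anything.

```python
"""Group SELinux AVC denials into CIL allow rules and flag the dangerous ones."""
import re
from collections import defaultdict

# Records copied from this report's description, one per line as in
# /var/log/audit/audit.log. The USER_AVC line shows the dbus-daemon variant.
SAMPLE_AVCS = """\
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute } for pid=45807 comm="check_mailq" name="sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { read open } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute_no_trans } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.352:81329): avc: denied { setuid } for pid=45807 comm="sudo" capability=7 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.352:81330): avc: denied { setgid } for pid=45807 comm="sudo" capability=6 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { read } for pid=45808 comm="unix_chkpwd" name="shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { open } for pid=45808 comm="unix_chkpwd" path="/etc/shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { execute } for pid=45809 comm="mailq" name="postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537714.982:81407): avc: denied { connectto } for pid=46208 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544537852.392:81498): avc: denied { read } for pid=47192 comm="mailq" name="main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1544539909.518:82692): pid=5323 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.8166 spid=5333 tpid=55270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Capabilities that make a monitoring plugin domain root-equivalent
# (this example's own list, not something the policy defines).
ROOT_CAPABILITIES = {"setuid", "setgid", "sys_admin", "net_admin",
                     "dac_override", "dac_read_search", "sys_ptrace"}


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record.

    Works for kernel AVCs and for USER_AVC records from dbus-daemon, where
    the avc text sits inside msg='...'; the regex search finds it either way.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; the type is always the third field,
    # even when the level itself contains colons (s0-s0:c0.c1023).
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "target": fields.get("path") or fields.get("name") or fields.get("capability", ""),
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class): the granularity
    of one CIL allow rule, which is also how audit2allow merges them."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def to_cil(rules):
    """Render rules in the same shape as the workaround module in note 0036965."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Return (cil_rule, reason) for each rule a reviewer should refuse.

    These denials mean the plugin domain is doing sudo's and unix_chkpwd's
    work itself; allowing them makes the plugin domain root rather than
    giving it a transition into the domains that are meant to hold that power.
    """
    findings = []
    for (s, t, c), p in sorted(rules.items()):
        rule = f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        if c == "capability" and p & ROOT_CAPABILITIES:
            findings.append((rule, f"grants {sorted(p & ROOT_CAPABILITIES)} to {s}"))
        elif t == "shadow_t":
            findings.append((rule, f"lets {s} read password hashes"))
        elif t.endswith("_exec_t") and "execute_no_trans" in p:
            findings.append((rule, f"runs {t} inside {s} with no domain transition"))
    return findings


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS.splitlines())
    print("candidate rules (what audit2allow would emit):")
    for r in to_cil(rules):
        print("  " + r)
    print("rules a reviewer should reject:")
    for rule, why in review(rules):
        print("  " + rule + "  # " + why)
```

Feed it `ausearch -m AVC,USER_AVC -ts recent` output from a host running in permissive mode to see the full rule set; on the dump above the rejected rules are exactly the ones that would let a check plugin run sudo and unix_chkpwd, and read /etc/shadow, inside its own domain.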
Date Modified | Username | Field | Change |
---|---|---|---|
2018-12-14 14:42 | yorick | New Issue | |
2019-01-16 14:46 | ledzepp4eva | Note Added: 0033604 | |
2020-05-19 22:03 | porjo | Note Added: 0036965 |