View Issue Details

ID: 0015585
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-02-21 11:53
Reporter: yorick
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
OS: Centos
OS Version: 7.6.1810
Summary: 0015585: SELinux is preventing /usr/lib64/nagios/plugins/check_mailq from checking postfix mailq since CentOS 7.6

Description:
SELinux is preventing check_mailq from running properly.

### AVC denied. ####
msg=audit(1544537618.291:81322): avc: denied { read write } for pid=45806 comm="check_mailq" path="socket:[11479019]" dev="sockfs" ino=11479019 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { rlimitinh } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { siginh } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.291:81322): avc: denied { noatsecure } for pid=45806 comm="check_mailq" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute } for pid=45807 comm="check_mailq" name="sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { read open } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.344:81323): avc: denied { execute_no_trans } for pid=45807 comm="check_mailq" path="/usr/bin/sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.348:81324): avc: denied { create } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81325): avc: denied { bind } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81326): avc: denied { getattr } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81327): avc: denied { write } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81327): avc: denied { nlmsg_read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.348:81328): avc: denied { read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1544537618.352:81329): avc: denied { setuid } for pid=45807 comm="sudo" capability=7 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.352:81330): avc: denied { setgid } for pid=45807 comm="sudo" capability=6 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.354:81331): avc: denied { sys_resource } for pid=45807 comm="sudo" capability=24 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.354:81331): avc: denied { setrlimit } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { execute } for pid=45808 comm="sudo" name="unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { read open } for pid=45808 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.365:81332): avc: denied { execute_no_trans } for pid=45808 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=67288967 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { read } for pid=45808 comm="unix_chkpwd" name="shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81333): avc: denied { open } for pid=45808 comm="unix_chkpwd" path="/etc/shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81334): avc: denied { getattr } for pid=45808 comm="unix_chkpwd" path="/etc/shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.367:81335): avc: denied { create } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { write } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { nlmsg_relay } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.368:81336): avc: denied { audit_write } for pid=45807 comm="sudo" capability=29 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.368:81338): avc: denied { read } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1544537618.369:81341): avc: denied { setsched } for pid=45807 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=process permissive=1
type=AVC msg=audit(1544537618.369:81342): avc: denied { net_admin } for pid=45807 comm="sudo" capability=12 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1544537618.369:81343): avc: denied { search } for pid=45807 comm="sudo" name="dbus" dev="tmpfs" ino=29495 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { execute } for pid=45809 comm="sudo" name="sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { read open } for pid=45809 comm="sudo" path="/usr/lib64/plesk-9.0/sendmail/sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.392:81345): avc: denied { execute_no_trans } for pid=45809 comm="sudo" path="/usr/lib64/plesk-9.0/sendmail/sendmail.postfix" dev="dm-0" ino=68328044 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { execute } for pid=45809 comm="mailq" name="postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { read open } for pid=45809 comm="mailq" path="/usr/sbin/postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537618.399:81346): avc: denied { execute_no_trans } for pid=45809 comm="mailq" path="/usr/sbin/postqueue" dev="dm-0" ino=68449872 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537714.982:81407): avc: denied { connectto } for pid=46208 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544537852.367:81494): avc: denied { write } for pid=47190 comm="sudo" name="log" dev="devtmpfs" ino=311 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1544537852.392:81498): avc: denied { read } for pid=47192 comm="mailq" name="main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81498): avc: denied { open } for pid=47192 comm="mailq" path="/etc/postfix/main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81499): avc: denied { getattr } for pid=47192 comm="mailq" path="/etc/postfix/main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544537852.392:81500): avc: denied { create } for pid=47192 comm="mailq" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1544537852.400:81501): avc: denied { write } for pid=47192 comm="postqueue" name="showq" dev="dm-0" ino=34367853 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1544537852.408:81502): avc: denied { connectto } for pid=47190 comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1544539909.518:82692): pid=5323 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.8166 spid=5333 tpid=55270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1544539919.990:82694): avc: denied { write } for pid=55236 comm="sudo" scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=key permissive=1

# Opinion

The package is EPEL-maintained and should run out of the box without any issues.

Steps To Reproduce:
# On the client.
Upgrade from CentOS 7.5 to 7.6.

Installed packages:
nagios-plugins-mailq-2.2.1-9git5c7eb5b9.el7.x86_64
nagios-plugins-2.2.1-9git5c7eb5b9.el7.x86_64
nrpe-3.2.1-8.el7.x86_64

# Nagios server
Call /usr/local/nagios-3.3.1/libexec/check_nrpe -H ${hostname} -c check_postfixq

Additional Information:
Kernel: 3.10.0-957.1.3.el7.x86_64
selinux-policy-3.13.1-229.el7_6.6.noarch
selinux-policy-targeted-3.13.1-229.el7_6.6.noarch
Tags: No tags attached.
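An added triage helper, not part of this report or of selinux-policy: it parses AVC records like the ones quoted above, merges permissions per (source domain, target type, object class) the way an audit2allow pass would, and separately flags the denials that touch shadow_t, sudo_exec_t, chkpwd_exec_t or privileged capabilities, so a policy author can decide on those explicitly instead of allowing the whole set. The sensitive-type and capability lists are this example's own choice; the sample records are re-typed from the report, plus one constructed SYSCALL line that is skipped.

```python
import re
from collections import defaultdict

# Field list that follows "for" in an AVC record; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')

# Targets and capabilities that call for an explicit policy decision (example's own choice).
SENSITIVE_TYPES = {"shadow_t", "sudo_exec_t", "chkpwd_exec_t"}
SENSITIVE_CAPS = {"setuid", "setgid", "net_admin", "audit_write", "sys_resource"}

def _type_of(ctx):
    # user:role:type[:level] -> type; non-context input is returned unchanged
    parts = ctx.split(":") if ctx else []
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Return the denial in one AVC/USER_AVC record as a dict, or None for other records."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else u for k, q, u in FIELD_RE.findall(m.group(2))}
    return {
        "comm": fields.get("comm", "?"),
        "source": _type_of(fields.get("scontext")),
        "target": _type_of(fields.get("tcontext")),
        "tclass": fields.get("tclass", "?"),
        "perms": set(m.group(1).split()),
    }

def summarize(lines):
    """Merge permissions per (source, target, class) and list the denials worth a closer look."""
    groups, flagged = defaultdict(set), []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        groups[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        if d["target"] in SENSITIVE_TYPES or (
                d["tclass"] == "capability" and d["perms"] & SENSITIVE_CAPS):
            flagged.append((d["comm"], d["target"], d["tclass"], sorted(d["perms"])))
    return dict(groups), flagged

# Sample records re-typed from the report above; the SYSCALL line is constructed and is skipped.
SAMPLE = [
    'type=AVC msg=audit(1544537618.344:81323): avc: denied { execute } for pid=45807 comm="check_mailq" name="sudo" dev="dm-0" ino=35930127 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1544537618.352:81329): avc: denied { setuid } for pid=45807 comm="sudo" capability=7 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:system_r:nagios_system_plugin_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1544537618.367:81333): avc: denied { read } for pid=45808 comm="unix_chkpwd" name="shadow" dev="dm-0" ino=70013445 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1544537852.392:81498): avc: denied { read } for pid=47192 comm="mailq" name="main.cf" dev="dm-0" ino=2770958 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1544537618.344:81323): arch=c000003e syscall=59 success=yes',
]
```

`summarize(SAMPLE)` returns the merged (source, target, class) -> permissions map, usable as a draft allow-rule list, and the flagged entries (sudo execution, CAP_SETUID, /etc/shadow read) that should be reviewed rather than allowed.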

Activities

ledzepp4eva (reporter), 2019-01-16 14:46, note ~0033604

Found this while looking at a similar issue:
type=USER_AVC msg=audit(1547648760.587:866): pid=12383 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24465 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

After 30 seconds this generates the following error in the system logs:
Jan 16 14:25:23 11 dbus[12383]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 30008ms)


selinux-policy-3.13.1-229.el7_6.6.noarch
selinux-policy-targeted-3.13.1-229.el7_6.6.noarch
kernel-3.10.0-957.1.3.el7.x86_64

This is being triggered when Zabbix attempts to run commands using sudo:
zabbix ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/python, /usr/bin/pdns_control, /usr/sbin/smartctl,/etc/zabbix/scripts/smartctl-disks-discovery.pl
Defaults:zabbix !requiretty
Defaults:zabbix visiblepw

For example, trying to pull stats from PowerDNS:

Jan 16 14:41:40 11 zabbix_agentd[23615]: failed to kill [/usr/bin/sudo /usr/bin/pdns_control show recursing-questions]: [1] Operation not permitted

I have other servers doing the same Zabbix monitoring operation on the previous selinux-policy and kernel versions, and they aren't having any problems:
kernel-3.10.0-862.14.4.el7.x86_64
selinux-policy-3.13.1-192.el7_5.6.noarch
selinux-policy-targeted-3.13.1-192.el7_5.6.noarch

Setting SELinux to permissive resolves the issue.

Issue History

Date Modified Username Field Change
2018-12-14 14:42 yorick New Issue
2019-01-16 14:46 ledzepp4eva Note Added: 0033604