Using NRPE with sudo on RHEL6

Dennis Kuhlmeier kuhlmeier at riege.com
Wed Mar 23 14:42:31 CET 2011


Hello,

one new thing about RHEL6 is a somewhat more strict sudo approach
combined with SELinux.

I have nrpe running as user nagios. Using sudo while logged on as user
nagios is not an issue; it works fine.

But nrpe running as a daemon cannot sudo to root, which I need for
several check scripts. No problem in permissive mode.

sealert output:

<---snip--->

$ sealert -l 666fd015-e7a0-4e28-9d5f-ba95689bb549

Summary:

SELinux is preventing /bin/bash "getattr" access on /usr/bin/sudo.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:nrpe_t:s0
Target Context                system_u:object_r:sudo_exec_t:s0
Target Objects                /usr/bin/sudo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          hostname.domain.de
Source RPM Packages           bash-4.1.2-3.el6
Target RPM Packages           sudo-1.7.2p2-9.el6
Policy RPM                    selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.domain.de
Platform                      Linux hostname.domain.de
                              2.6.32-71.18.2.el6.x86_64 #1 SMP Wed Mar 2
                              14:17:40 EST 2011 x86_64 x86_64
Alert Count                   150
First Seen                    Fri Mar 18 18:17:03 2011
Last Seen                     Wed Mar 23 14:17:00 2011
Local ID                      666fd015-e7a0-4e28-9d5f-ba95689bb549
Line Numbers

Raw Audit Messages

node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605):
avc:  denied  { getattr } for  pid=18437 comm="sh"
path="/usr/bin/sudo" dev=dm-1 ino=191489
scontext=unconfined_u:system_r:nrpe_t:s0
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

node=hostname.domain.de type=SYSCALL
msg=audit(1300886220.376:22605): arch=c000003e syscall=4 success=no
exit=-13 a0=14daeb0 a1=7fffb93d9c40 a2=7fffb93d9c40 a3=e items=0
ppid=18436 pid=18437 auid=500 uid=495 gid=493 euid=495 suid=495
fsuid=495 egid=493 sgid=493 fsgid=493 tty=(none) ses=26 comm="sh"
exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)

<---snip--->

I have managed to build a local SELinux policy for this issue, but
then another issue comes up. Before I keep building local policies
and having to install them on all RHEL6 hosts, is there a simpler,
known approach to this?

Have been struggling with info found here:
http://www.0x61.com/forum/selinux-security-f278/sudo-selinux-t1304141.html

But I am still unsatisfied with the complexity of this issue which I
can't be the only one to suffer from - and I haven't solved it yet.

Disabling SELinux is not an option.

Thanks for any insight on this,

Dennis



-- 
..............................................................
Riege Software International GmbH  Fon: +49 (2159) 9148 0
Mollsfeld 10                       Fax: +49 (2159) 9148 11
40670 Meerbusch                    Web: www.riege.com
Germany                            E-Mail: kuhlmeier at riege.com
---                                ---
Handelsregister:                   Managing Directors:
Amtsgericht Neuss HRB-NR 4207      Christian Riege
USt-ID-Nr.: DE120585842            Gabriele  Riege
                                   Johannes  Riege
..............................................................
           YOU CARE FOR FREIGHT, WE CARE FOR YOU          



_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
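
The post describes fixing one denial with a local policy only to hit the next one. As an added example (not part of the original message and not the code of audit2allow or any SELinux tool), the sketch below parses AVC records in the format quoted above and groups every denial for one source domain into candidate allow rules, so that a single local module can be reviewed in one pass. The first sample record is the one from the post rejoined onto one line; the second record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample audit records. The first AVC line is the denial quoted in the post;
# the second AVC line and the shortened SYSCALL line are constructed.
SAMPLE_AUDIT = '''\
node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605): avc:  denied  { getattr } for  pid=18437 comm="sh" path="/usr/bin/sudo" dev=dm-1 ino=191489 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
node=hostname.domain.de type=AVC msg=audit(1300886221.101:22606): avc:  denied  { read open } for  pid=18438 comm="sh" path="/usr/bin/sudo" dev=dm-1 ino=191489 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
node=hostname.domain.de type=SYSCALL msg=audit(1300886220.376:22605): arch=c000003e syscall=4 success=no exit=-13 comm="sh" exe="/bin/bash"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def collect_denials(audit_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        src = context_type(m['scontext'])
        if source_type and src != source_type:
            continue  # keep only the domain under investigation
        key = (src, context_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def candidate_rules(denials):
    """Render each group as one allow rule for human review, in stable order."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == '__main__':
    for rule in candidate_rules(collect_denials(SAMPLE_AUDIT, 'nrpe_t')):
        print(rule)
```

In enforcing mode the first denial usually stops the check before later accesses are attempted, whereas a run in permissive mode logs every denial, which is what makes a one-pass summary like this possible. Each resulting rule widens what the confined nrpe_t domain may do and should be reviewed before it goes into a policy module.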