Hello, one new thing about RHEL6 is a somewhat more strict sudo approach combined with SELinux.
I have nrpe running as user nagios; using sudo while logged on as user nagios is not an issue, works fine. But nrpe running as a daemon cannot sudo to root, which I need for several check scripts. No problem in permissive mode.

sealert output:

<---snip--->
$ sealert -l 666fd015-e7a0-4e28-9d5f-ba95689bb549

Summary:

SELinux is preventing /bin/bash "getattr" access on /usr/bin/sudo.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:nrpe_t:s0
Target Context                system_u:object_r:sudo_exec_t:s0
Target Objects                /usr/bin/sudo [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          hostname.domain.de
Source RPM Packages           bash-4.1.2-3.el6
Target RPM Packages           sudo-1.7.2p2-9.el6
Policy RPM                    selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.domain.de
Platform                      Linux hostname.domain.de 2.6.32-71.18.2.el6.x86_64 #1 SMP Wed Mar 2 14:17:40 EST 2011 x86_64 x86_64
Alert Count                   150
First Seen                    Fri Mar 18 18:17:03 2011
Last Seen                     Wed Mar 23 14:17:00 2011
Local ID                      666fd015-e7a0-4e28-9d5f-ba95689bb549
Line Numbers

Raw Audit Messages

node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605): avc: denied { getattr } for pid=18437 comm="sh" path="/usr/bin/sudo" dev=dm-1 ino=191489 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

node=hostname.domain.de type=SYSCALL msg=audit(1300886220.376:22605): arch=c000003e syscall=4 success=no exit=-13 a0=14daeb0 a1=7fffb93d9c40 a2=7fffb93d9c40 a3=e items=0 ppid=18436 pid=18437 auid=500 uid=495 gid=493 euid=495 suid=495 fsuid=495 egid=493 sgid=493 fsgid=493 tty=(none) ses=26 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
<---snip--->

I have managed to build a local SELinux policy for this issue, but then another issue comes up. Before I keep building local policies and having to install them on all RHEL6 hosts, is there a simpler, known approach to this?

Have been struggling with info found here: http://www.0x61.com/forum/selinux-security-f278/sudo-selinux-t1304141.html

But I am still unsatisfied with the complexity of this issue, which I can't be the only one to suffer from - and I haven't solved it yet. Disabling SELinux is not an option.

Thanks for any insight on this,

Dennis

--
..............................................................
Riege Software International GmbH
Mollsfeld 10
40670 Meerbusch
Germany
Fon: +49 (2159) 9148 0
Fax: +49 (2159) 9148 11
Web: www.riege.com
E-Mail: kuhlme...@riege.com
Handelsregister: Amtsgericht Neuss HRB-NR 4207
USt-ID-Nr.: DE120585842
Managing Directors: Christian Riege, Gabriele Riege, Johannes Riege
..............................................................
YOU CARE FOR FREIGHT, WE CARE FOR YOU
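The AVC denial quoted in the message is the raw material for the local policy module the poster built. The script below is an added example (it is not part of the post, nor Nagios or SELinux project code): it parses the AVC line from the sealert output with sed and awk and prints the allow rule and the type-enforcement (.te) source that a local module for that one denial would contain, in the same layout `audit2allow -M <name>` produces. The sample line is the one from the post; the module name `nrpe_sudo` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: turn the AVC denial that sealert
# printed into the allow rule and the .te source a local policy module for that
# denial would contain. It mirrors what `audit2allow -M <name>` generates, using
# only sed and awk, so the rule can be reviewed before anything is built.

# Constructed sample: the AVC line quoted in the post above.
SAMPLE_AVC='node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605): avc: denied { getattr } for pid=18437 comm="sh" path="/usr/bin/sudo" dev=dm-1 ino=191489 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file'

# Print the value of one key=value field (e.g. scontext) from an audit line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the permissions listed inside "denied { ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# Print the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Print the allow rule that grants exactly what this AVC line denied.
avc_to_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Print a complete .te source for a module named $1 from the AVC line $2,
# in the layout audit2allow uses: module header, require block, allow rule.
avc_to_te() {
    src=$(ctx_type "$(avc_field "$2" scontext)")
    tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    case $perms in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' "$src" "$tgt" "$cls" "$perms"
    printf '#============= %s ==============\n' "$src"
    avc_to_rule "$2"
}

# Stand-alone run: show the rule and the .te source for the posted denial.
avc_to_rule "$SAMPLE_AVC"
avc_to_te nrpe_sudo "$SAMPLE_AVC"
```

Save the printed source as `nrpe_sudo.te`, then `checkmodule -M -m -o nrpe_sudo.mod nrpe_sudo.te`, `semodule_package -o nrpe_sudo.pp -m nrpe_sudo.mod` and `semodule -i nrpe_sudo.pp` turn it into an installed module (`audit2allow -a -M nrpe_sudo` does the same steps straight from audit.log). The rule grants only the one permission that was denied, which is why the next denial shows up as soon as this one is fixed, exactly as the post describes. To collect every denial for the daemon in one pass without switching the whole host to permissive, `semanage permissive -a nrpe_t` makes only the nrpe_t domain permissive while the rest of the policy stays enforcing; `semanage permissive -d nrpe_t` reverts it once the combined module is installed. Before writing a module at all, `getsebool -a | grep nagios` is worth a look, since later policy builds ship a boolean for this (nagios_run_sudo) that avoids a custom module entirely; one `.pp` file built this way can be pushed to all hosts with the same policy version.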
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null