Using NRPE with sudo on RHEL6
Dennis Kuhlmeier
kuhlmeier at riege.com
Wed Mar 23 14:42:31 CET 2011
Hello,
one new thing about RHEL6 is a somewhat more strict sudo approach
combined with SELinux.
I have nrpe running as user nagios; using sudo while logged on as user
nagios is not an issue and works fine.
But nrpe running as a daemon cannot sudo to root, which I need for
several check scripts. No problem in permissive mode.
sealert output:
<---snip--->
$ sealert -l 666fd015-e7a0-4e28-9d5f-ba95689bb549
Summary:
SELinux is preventing /bin/bash "getattr" access on /usr/bin/sudo.
Detailed Description:
SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context unconfined_u:system_r:nrpe_t:s0
Target Context system_u:object_r:sudo_exec_t:s0
Target Objects /usr/bin/sudo [ file ]
Source sh
Source Path /bin/bash
Port <Unknown>
Host hostname.domain.de
Source RPM Packages bash-4.1.2-3.el6
Target RPM Packages sudo-1.7.2p2-9.el6
Policy RPM selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name hostname.domain.de
Platform Linux hostname.domain.de 2.6.32-71.18.2.el6.x86_64 #1 SMP Wed Mar 2 14:17:40 EST 2011 x86_64 x86_64
Alert Count 150
First Seen Fri Mar 18 18:17:03 2011
Last Seen Wed Mar 23 14:17:00 2011
Local ID 666fd015-e7a0-4e28-9d5f-ba95689bb549
Line Numbers
Raw Audit Messages
node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605): avc: denied { getattr } for pid=18437 comm="sh" path="/usr/bin/sudo" dev=dm-1 ino=191489 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
node=hostname.domain.de type=SYSCALL msg=audit(1300886220.376:22605): arch=c000003e syscall=4 success=no exit=-13 a0=14daeb0 a1=7fffb93d9c40 a2=7fffb93d9c40 a3=e items=0 ppid=18436 pid=18437 auid=500 uid=495 gid=493 euid=495 suid=495 fsuid=495 egid=493 sgid=493 fsgid=493 tty=(none) ses=26 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
<---snip--->
I have managed to build a local SELinux policy for this issue, but
then another issue comes up. Before I keep building local policies
and having to install them on all RHEL6 hosts, is there a simpler,
known approach to this?
I have been struggling with info found here:
http://www.0x61.com/forum/selinux-security-f278/sudo-selinux-t1304141.html
But I am still unsatisfied with the complexity of this issue which I
can't be the only one to suffer from - and I haven't solved it yet.
Disabling SELinux is not an option.
Thanks for any insight on this,
Dennis
--
..............................................................
Riege Software International GmbH Fon: +49 (2159) 9148 0
Mollsfeld 10 Fax: +49 (2159) 9148 11
40670 Meerbusch Web: www.riege.com
Germany E-Mail: kuhlmeier at riege.com
--- ---
Handelsregister: Managing Directors:
Amtsgericht Neuss HRB-NR 4207 Christian Riege
USt-ID-Nr.: DE120585842 Gabriele Riege
Johannes Riege
..............................................................
YOU CARE FOR FREIGHT, WE CARE FOR YOU
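
Added example, not part of the original post: a small Python parser that collects every AVC denial in an audit log excerpt, including records hard-wrapped by mail as in the message above, and groups them into candidate `allow` rules so a local policy module can be reviewed as one set rather than one denial at a time. The first AVC record and its abbreviated SYSCALL line come from the post; the other two AVC records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1 (AVC, still mail-wrapped, plus its abbreviated SYSCALL line) is from
# the post. The last two AVC records are constructed for illustration only.
SAMPLE_AUDIT = '''\
node=hostname.domain.de type=AVC msg=audit(1300886220.376:22605):
avc: denied { getattr } for pid=18437 comm="sh"
path="/usr/bin/sudo" dev=dm-1 ino=191489
scontext=unconfined_u:system_r:nrpe_t:s0
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
node=hostname.domain.de type=SYSCALL msg=audit(1300886220.376:22605): arch=c000003e syscall=4 success=no exit=-13 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1300886221.100:22606): avc: denied { read open } for pid=18440 comm="sh" path="/usr/bin/sudo" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1300886221.200:22607): avc: denied { setuid } for pid=18441 comm="sudo" capability=7 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=capability
'''

# Each audit record starts with "type=NAME msg=audit(" (optionally after node=...).
RECORD_SPLIT = re.compile(r"(?=\btype=[A-Z_]+ msg=audit\()")
AVC_RE = re.compile(
    r"avc: denied \{ ([^}]+)\} .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    flat = " ".join(text.split())          # undo hard wrapping and double spaces
    denials = defaultdict(set)
    for record in RECORD_SPLIT.split(flat):
        m = AVC_RE.search(record)
        if not m:                          # SYSCALL and other record types
            continue
        perms, scon, tcon, tclass = m.groups()
        src, tgt = se_type(scon), se_type(tcon)
        # Policy syntax uses "self" when a domain acts on its own type.
        denials[(src, "self" if tgt == src else tgt, tclass)].update(perms.split())
    return dict(denials)

def to_allow_rules(denials):
    """Render grouped denials as type-enforcement allow statements for review."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_denials(SAMPLE_AUDIT))))
```

The output is a list of rules to read and question before anything is loaded; each line names exactly which access the nrpe_t domain would gain.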