Nagios nrpe and sudo

Hi,

I'm getting AVC denied with a nagios nrpe script which needs to sudo.
The script works fine without selinux. I'm on FC4.

nrpe is the remote execution feature in nagios. It runs under xinetd and
accepts incoming commands. It then runs scripts to fetch results. My
script to get harddisk smart attributes looks like so:

==========
#!/bin/sh
# Usage: <script> <device> <attribute-id>
# Prints the RAW_VALUE column of the matching "smartctl -A" line.
device="$1"
attribute="$2"
#id
sudo /usr/sbin/smartctl -A "$device" | perl -ne 'm{^\s*\Q'"$attribute"'\E\s} && (@f = split) && print "$f[9]"'
==========

During execution of the script id returns:

uid=173(nagios) gid=173(nagios) context=system_u:system_r:inetd_t

But I get this avc denial:

type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint } for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

Seems reasonable. There don't seem to be any booleans for nrpe but there
is inetd_child_disable_trans. With that set id gives:

uid=173(nagios) gid=173(nagios) context=root:system_r:inetd_t

But I get the same denial:

type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint } for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

I've no idea what amanda_t has got to do with any of this. Am I missing
something obvious? It seems to be running in the new context, but still
be protected. The inetd_child_disable_trans is described in
system-config-securitylevel as "Disable SELinux protection for inetd
child daemons", which is what I seem to need.

I also notice that the current policy has some nrpe stuff in it, but
that doesn't ever seem to take effect. Is this incomplete, or broken?

Cheers,

Martin.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
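An added example, not part of Martin's post or of the nrpe/sudo/SELinux code bases: a small parser that takes AVC records like the two quoted above, reduces them to the type-enforcement rule audit2allow would emit, and spells out what an `entrypoint` denial on a `file` means (the source context of such a denial is the domain being entered, not the domain the caller was in). The two sample records are the post's own lines re-joined onto one line each; the `caller_type` value `inetd_t` is taken from the `id` output in the post, and the `explain()` wording is this example's own.

```python
"""Parse SELinux AVC denials and reduce them to the TE rule they imply."""
import re
from collections import namedtuple

# Constructed sample: the two denials quoted in the post, re-joined onto
# one line each (the mail client had wrapped them).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint } '
    'for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 '
    'scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t '
    'tclass=file',
    'type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint } '
    'for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 '
    'scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t '
    'tclass=file',
]

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+"
    r"for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Denial = namedtuple(
    "Denial", "ts serial verdict perms scontext tcontext tclass fields")


def parse_avc(line):
    """Return a Denial for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        ts=float(m.group("ts")), serial=int(m.group("serial")),
        verdict=m.group("verdict"), perms=tuple(m.group("perms").split()),
        scontext=fields["scontext"], tcontext=fields["tcontext"],
        tclass=fields["tclass"], fields=fields)


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def allow_rules(denials):
    """Collapse denials into allow rules keyed on (source, target, class),
    the same reduction audit2allow performs."""
    perms_by_key = {}
    for d in denials:
        if d.verdict != "denied":
            continue
        key = (type_of(d.scontext), type_of(d.tcontext), d.tclass)
        perms_by_key.setdefault(key, set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return rules


def explain(d, caller_type):
    """Describe a denial relative to the domain the caller was running in.

    For { entrypoint } on class file the kernel checks the *new* domain
    against the executable, so scontext names the domain being entered."""
    src = type_of(d.scontext)
    if d.tclass == "file" and "entrypoint" in d.perms:
        msg = ("%s (pid %s) tried to execute %s (%s) as the entry point of "
               "domain %s, which the policy does not allow"
               % (d.fields.get("comm"), d.fields.get("pid"),
                  d.fields.get("name"), type_of(d.tcontext), src))
        if src != caller_type:
            msg += ("; the denied domain is %s, not the caller's %s, so a "
                    "domain transition was attempted" % (src, caller_type))
        return msg
    return "%s denied %s on %s:%s" % (
        src, " ".join(d.perms), type_of(d.tcontext), d.tclass)


if __name__ == "__main__":
    denials = [parse_avc(line) for line in SAMPLE_AVCS]
    for d in denials:
        print(explain(d, "inetd_t"))
    print("\n".join(allow_rules(denials)))
```

Feeding it real data is a matter of `grep ^type=AVC /var/log/audit/audit.log | python3 avc_explain.py` style piping instead of `SAMPLE_AVCS`. The rule it prints is the one audit2allow would suggest; whether to load it is a separate decision, since granting `entrypoint` on `shell_exec_t` lets any shell become an entry point for that domain.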
