On Sat, 2006-01-28 at 22:21 +0000, Martin Ebourne wrote:
> Hi,
>
> I'm getting AVC denied with a nagios nrpe script which needs to sudo.
> The script works fine without selinux. I'm on FC4.
>
> nrpe is the remote execution feature in nagios. It runs under xinetd and
> accepts incoming commands. It then runs scripts to fetch results. My
> script to get hard disk smart attributes looks like so:
>
> ==========
> #!/bin/sh
> device="$1"
> attribute="$2"
> #id
> sudo /usr/sbin/smartctl -A "$device" | perl -ne 'm{^\s*\Q'"$attribute"'\E\s} && split && print "$_[9]"'
> ==========
>
> During execution of the script id returns:
>
> uid=173(nagios) gid=173(nagios) context=system_u:system_r:inetd_t
>
> But I get this avc denial:
>
> type=AVC msg=audit(1138482709.249:31780): avc: denied { entrypoint }
> for pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643
> scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t
> tclass=file

amanda_t looks odd there.

ls -Z /usr/sbin/smartctl

sudo selinux patch has been reverted in rawhide, possibly should be done
in FC4 as well. bug 178429

> Seems reasonable. There don't seem to be any booleans for nrpe but there
> is inetd_child_disable_trans. With that set id gives:
>
> uid=173(nagios) gid=173(nagios) context=root:system_r:inetd_t
>
> But I get the same denial:
>
> type=AVC msg=audit(1138485617.391:32037): avc: denied { entrypoint }
> for pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643
> scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t
> tclass=file
>
> I've no idea what amanda_t has got to do with any of this. Am I missing
> something obvious? It seems to be running in the new context, but still
> be protected. The inetd_child_disable_trans is described in
> system-config-securitylevel as "Disable SELinux protection for inetd
> child daemons", which is what I seem to need.
--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
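A parser for the AVC records quoted in the thread, added here as an example and not code from the thread or from any Fedora or SELinux tool. The two sample lines are constructed copies of the records above; the set of source domains a reviewer would expect for a sudo launched by an inetd child is an assumption, used only to flag records whose source domain (amanda_t here) is not among them.

```python
import re

# Constructed copies of the two AVC records quoted in the thread above.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1138482709.249:31780): avc: denied { entrypoint } '
    'for pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 '
    'scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file',
    'type=AVC msg=audit(1138485617.391:32037): avc: denied { entrypoint } '
    'for pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 '
    'scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file',
]

# Header part: type, audit timestamp/serial, result and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# Remaining part: key=value pairs, values optionally double-quoted (comm="sudo").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; contexts are also split into role/type."""
    m = AVC_RE.match(line.strip())
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        _user, role, typ = rec[ctx].split(":")[:3]   # user:role:type[:mls]
        rec[ctx + "_role"] = role
        rec[ctx + "_type"] = typ
    return rec


def unexpected_domain(rec, allowed_types):
    """True for a denial whose source domain is not one the caller expected.
    allowed_types is an assumption supplied by the reviewer (e.g. {"inetd_t"})."""
    return rec["result"] == "denied" and rec["scontext_type"] not in allowed_types


def summarize(line):
    """One-line reading of a record: who, in which domain, was denied what on what."""
    r = parse_avc(line)
    return "%s (pid %s) as %s denied %s on %s %s" % (
        r["comm"], r["pid"], r["scontext_type"], ",".join(r["perms"]),
        r["tclass"], r["tcontext_type"])
```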