I'm trying to debug a Nagios plugin that isn't playing nicely with SELinux. It executes a system binary to get statistics about DHCP pool usage, and obviously SELinux stamps on that access and the plugin only returns partial data.
In Permissive mode the plugin works, in Enforcing it doesn't. But in neither mode are there any debug messages in audit.log.
[jg4461@dhcp1 ~]$ sudo setenforce 0
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90, rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90, rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90, rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90, rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90, rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90, rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461@dhcp1 ~]$ sudo setenforce 1
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
OK - all pools less than 80% full |
Regardless of the SELinux mode, the same 3 log lines are printed in audit.log:
type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Anyone have any idea how I can see the deny messages and make a policy from them?
Cheers, Jonathan
Run semodule -DB to build a policy database without the dontaudit rules. Run semodule -B to build a policy database (with the dontaudit rules included)
On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> [...]
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On 05/15/2012 12:09 PM, Dominick Grift wrote:
> Run semodule -DB to build a policy database without the dontaudit rules. Run semodule -B to build a policy database (with the dontaudit rules included)
So execute
# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B
Also we will need to add labeling for the check_dhcpd_pools plugin.
selinux@lists.fedoraproject.org
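
Added example, not part of the thread and not the list members' or audit2allow's code: once dontaudit rules are disabled with semodule -DB, the denials show up as type=AVC records, unlike the USER_CMD/CRED_ACQ/USER_START records quoted above. The sketch below groups such records for one source domain into candidate allow rules. The log lines, the dhcpd_state_t target type and the "dhcpd-pools" command name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of what "ausearch -m avc -ts recent" might return after
# "semodule -DB". Timestamps, inodes, types and comm values are illustrative.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1000000000.100:101): user pid=1593 uid=0 subj=unconfined_u:system_r:nrpe_t:s0 msg='cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" res=success'
type=AVC msg=audit(1000000000.200:102): avc:  denied  { read } for  pid=1600 comm="dhcpd-pools" name="dhcpd.leases" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1000000000.201:103): avc:  denied  { open } for  pid=1600 comm="dhcpd-pools" name="dhcpd.leases" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1000000000.202:104): avc:  denied  { search } for  pid=1600 comm="dhcpd-pools" name="dhcpd" dev=dm-0 ino=1200 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=dir
type=AVC msg=audit(1000000000.203:105): avc:  denied  { read } for  pid=1700 comm="httpd" name="x" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def denials_to_rules(log_text, source_type):
    """Return sorted 'allow' rules covering AVC denials for source_type."""
    grouped = defaultdict(set)  # (target type, class) -> denied permissions
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # USER_CMD, CRED_ACQ, USER_START are not denials
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        if m.group("scon").split(":")[2] != source_type:
            continue  # denial belongs to some other domain
        ttype = m.group("tcon").split(":")[2]
        grouped[(ttype, m.group("tclass"))].update(m.group("perms").split())
    return [
        f"allow {source_type} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG, "nrpe_t"):
        print(rule)
```

Treat the output as a list of candidates to review rather than a module to load as-is; as the last reply notes, the plugin may need its own label instead.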