Nagios nrpe and sudo

Martin Ebourne lists at ebourne.me.uk
Sat Jan 28 22:21:00 UTC 2006


Hi,

I'm getting AVC denied with a nagios nrpe script which needs to sudo.
The script works fine without selinux. I'm on FC4.

nrpe is the remote execution feature in nagios. It runs under xinetd and
accepts incoming commands. It then runs scripts to fetch results. My
script to get harddisk smart attributes looks like so:

==========
#!/bin/sh
# Print the RAW_VALUE column (10th field of `smartctl -A` output) for the
# attribute whose ID# matches "$attribute" at the start of the line.
device="$1"
attribute="$2"
#id
# The attribute is passed via the environment rather than spliced into the
# perl program text, and split() goes into a named array (split into @_ is gone).
sudo /usr/sbin/smartctl -A "$device" |
  ATTR="$attribute" perl -ne 'if (m{^\s*\Q$ENV{ATTR}\E\s}) { my @f = split; print "$f[9]" }'
==========

During execution of the script id returns:

uid=173(nagios) gid=173(nagios) context=system_u:system_r:inetd_t

But I get this avc denial:

type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint }  for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

Seems reasonable. There don't seem to be any booleans for nrpe but there
is inetd_child_disable_trans. With that set id gives:

uid=173(nagios) gid=173(nagios) context=root:system_r:inetd_t

But I get the same denial:

type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint }  for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

I've no idea what amanda_t has got to do with any of this. Am I missing
something obvious? It seems to be running in the new context, but still
to be protected. The inetd_child_disable_trans is described in
system-config-securitylevel as "Disable SELinux protection for inetd
child daemons", which is what I seem to need.

I also notice that the current policy has some nrpe stuff in it, but
that doesn't ever seem to take effect. Is this incomplete, or broken?

Cheers,

Martin.
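As an added example, not code from the post or from the SELinux or Nagios projects, here is a small Python decoder for AVC records like the two quoted above. It pulls out the source and target types, the object class and the denied permissions, prints what each denial means, and merges the records into the type-enforcement allow rule that audit2allow would print for the same input. The input is the two records from the post joined back onto single lines; the permission glossary is mine. One caveat before pasting such a rule into a local policy module: for the entrypoint permission the source context is the domain being entered on execve, so a denial of amanda_t entrypoint on shell_exec_t says something is trying to transition into amanda_t through sesh, and an allow rule would grant that transition rather than explain why it happens.

```python
import re
from collections import OrderedDict

# The two AVC records from the post above, one per line as auditd writes them
# (the e-mail client had wrapped them).
SAMPLE_AVC = """\
type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint }  for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint }  for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Meaning of the file-class permissions most often seen in exec-related denials
# (glossary written for this example).
PERM_MEANING = {
    "entrypoint": "file may be the entry-point binary for a process transitioning "
                  "INTO the source type (scontext is the new domain, checked on execve)",
    "execute": "file may be executed by the source type",
    "execute_no_trans": "file may be executed by the source type without a domain change",
}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; policy rules are written on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else parts[-1]
    return rec


def explain(rec):
    """One human-readable sentence per permission in the record."""
    who = "%s (pid %s)" % (rec.get("comm", "?"), rec.get("pid", "?"))
    return [
        "%s: %s '%s' for source type %s on %s (target type %s, class %s): %s"
        % (who, rec["result"], perm, rec["scontext_type"], rec.get("name", "?"),
           rec["tcontext_type"], rec["tclass"],
           PERM_MEANING.get(perm, "see the policy reference for this class"))
        for perm in rec["perms"]
    ]


def allow_rules(text):
    """Collapse all denied records into the allow rules audit2allow would print."""
    merged = OrderedDict()  # (source type, target type, class) -> set of perms
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        p = sorted(perms)
        plist = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AVC.splitlines():
        for sentence in explain(parse_avc(line)):
            print(sentence)
    print()
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

Run against a real log, feed it `ausearch -m avc` output or /var/log/audit/audit.log; the two identical records above collapse into a single `allow amanda_t shell_exec_t:file entrypoint;` line, which is exactly the rule audit2allow would offer and exactly the one to think twice about here.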




More information about the fedora-selinux-list mailing list