Nagios nrpe and sudo

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 30 15:28:03 UTC 2006


On Sat, 2006-01-28 at 22:21 +0000, Martin Ebourne wrote:
> Hi,
> 
> I'm getting AVC denied with a nagios nrpe script which needs to sudo.
> The script works fine without selinux. I'm on FC4.
> 
> nrpe is the remote execution feature in nagios. It runs under xinetd and
> accepts incoming commands. It then runs scripts to fetch results. My
> script to get harddisk smart attributes looks like so:
> 
> ==========
> #!/bin/sh
> device="$1"
> attribute="$2"
> #id
> # quote the device argument; select the 10th whitespace-separated field of the matching line
> sudo /usr/sbin/smartctl -A "$device" | perl -ne 'print +(split)[9] if m{^\s*\Q'"$attribute"'\E\s}'
> ==========
> 
> During execution of the script id returns:
> 
> uid=173(nagios) gid=173(nagios) context=system_u:system_r:inetd_t
> 
> But I get this avc denial:
> 
> type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint }
> for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643
> scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t
> tclass=file

amanda_t looks odd there.
ls -Z /usr/sbin/smartctl

The sudo SELinux patch has been reverted in rawhide; possibly that should be done
in FC4 as well.  Bug 178429.

> Seems reasonable. There don't seem to be any booleans for nrpe but there
> is inetd_child_disable_trans. With that set id gives:
> 
> uid=173(nagios) gid=173(nagios) context=root:system_r:inetd_t
> 
> But I get the same denial:
> 
> type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint }
> for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643
> scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t
> tclass=file
> 
> I've no idea what amanda_t has got to do with any of this. Am I missing
> something obvious? It seems to be running in the new context, but still to
> be protected. The inetd_child_disable_trans is described in
> system-config-securitylevel as "Disable SELinux protection for inetd
> child daemons", which is what I seem to need.

-- 
Stephen Smalley
National Security Agency
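An added example, not part of the thread: a small Python parser for AVC records like the two quoted above (both embedded here, re-joined onto one line each since mail wrapping split them), which pulls out the denied permission, the source domain type and the target type so that a denial raised from an unexpected domain such as amanda_t stands out at a glance. The set of expected domains passed to the check (inetd_t, the context id reported) is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AVC records quoted in the thread, re-joined onto
# one line each (mail wrapping split them) so they parse as audit emits them.
SAMPLE_AVCS = """\
type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint } for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1138485617.391:32037): avc:  denied  { entrypoint } for  pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class Avc:
    ts: float
    serial: int
    result: str
    perms: set
    fields: dict  # pid, comm, name, scontext, tcontext, tclass, ...

    def scontext_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # user:role:type[:level]

    def tcontext_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

def parse_avc(line: str) -> Avc:
    m = AVC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AVC record: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(float(m.group("ts")), int(m.group("serial")), m.group("result"),
               set(m.group("perms").split()), fields)

def parse_log(text: str) -> list:
    return [parse_avc(l) for l in text.splitlines() if l.startswith("type=AVC")]

def unexpected_domain(avc: Avc, expected_types: set) -> bool:
    """True for a denial whose source domain is not one the process was expected to run in."""
    return avc.result == "denied" and avc.scontext_type() not in expected_types

def triage(text: str, expected_types: set) -> list:
    """(serial, comm, perms, source type, target type) for each unexpected denial."""
    return [(a.serial, a.fields.get("comm"), sorted(a.perms), a.scontext_type(), a.tcontext_type())
            for a in parse_log(text) if unexpected_domain(a, expected_types)]
```

Running `triage(SAMPLE_AVCS, {"inetd_t"})` lists both records, because sudo is trying to enter a shell from amanda_t rather than from the inetd_t context the caller reported.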
