Sunday, 5 February 2012

SELinux policy to run check_yum with sudo

A small update to the previous post. If you want to run check_yum with sudo, you'll need to use the following policy file:


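#-- Start nagios_plugin_checkyum.te
#
# Local policy module so the NRPE daemon domain (nrpe_t) can run the
# check_yum plugin via sudo.  Note that sudo_exec_t is granted
# execute_no_trans below: sudo does NOT transition to its own domain, so
# the plugin and the rpm/yum work it does all run inside nrpe_t.  That is
# why this module also has to grant nrpe_t access to the rpm cache,
# the rpm database (rpm_var_lib_t), /tmp, the boot directory and the
# audit socket -- it is a deliberate widening of nrpe_t; review the
# grants below before loading it on a host with a stricter profile.
#
# Only the types listed in the require block are covered.  If the plugin
# or the files it touches carry a different label (an AVC with an
# unexpected tcontext), the right fix is to restore the expected label
# (restorecon / semanage fcontext), not to add that type here.
#
# Build/load with the usual checkmodule -> semodule_package -> semodule -i.
module nagios_plugin_checkyum 1.0.4;

require {
        type usr_t;
        type boot_t;
        type admin_home_t;
        type rpm_var_lib_t;
        type tmp_t;
        type rpm_var_cache_t;
        type nrpe_t;
        type sudo_exec_t;
        type http_port_t;
        type rpm_exec_t;
        class capability { sys_nice audit_write };
        class tcp_socket name_connect;
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
        class netlink_audit_socket { write nlmsg_relay create read };
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
}

#============= nrpe_t ==============
# Rules for the same (type, class) pair are merged into one line each;
# the permission sets are identical to the original, only the layout changed.

# sudo looks at the invoking user's home directory.
allow nrpe_t admin_home_t:dir search;

# yum/rpm read the kernel directory listing (presumably for installed-kernel checks).
allow nrpe_t boot_t:dir { read getattr open };

# Outbound HTTP from the nrpe domain (repository metadata fetches).  This is
# an outbound network grant for a monitoring daemon; keep it if check_yum is
# expected to refresh metadata, drop it if the cache is refreshed elsewhere.
allow nrpe_t http_port_t:tcp_socket name_connect;

# Run rpm/yum binaries in-domain (no transition), so their file access is nrpe_t's.
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };

# Read/write access to the yum cache (/var/cache/yum).
allow nrpe_t rpm_var_cache_t:dir { search getattr read open write add_name remove_name };
allow nrpe_t rpm_var_cache_t:file { read getattr open lock write create rename unlink setattr };

# Read/write access to the rpm database (/var/lib/rpm).  Write here is the
# broadest grant in this module: nrpe_t can create and modify rpmdb files.
allow nrpe_t rpm_var_lib_t:dir { search getattr write add_name };
allow nrpe_t rpm_var_lib_t:file { read getattr open lock create write };

# sudo drops renice privilege and writes audit records for each invocation.
allow nrpe_t self:capability { sys_nice audit_write };
allow nrpe_t self:netlink_audit_socket { create read write nlmsg_relay };

# Execute sudo itself, without a domain transition (see header comment).
allow nrpe_t sudo_exec_t:file { read execute open execute_no_trans };

# Scratch files in /tmp created by yum/rpm while running under nrpe_t.
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };

# Read plugin/support files under /usr.
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;
#-- End nagios_plugin_checkyum.te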

You'll also need to add something like the following to your /etc/sudoers file:
nagios  ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/check_yum
 
You also need to comment out the following line in the sudoers file; otherwise sudo refuses to run without a tty, and nrpe won't be able to parse the returned output:
#Defaults    requiretty



References
  1. http://blog.gnucom.cc/2009/configuring-nagios-to-run-privileged-or-root-commands-with-nrpe/

1 comment:

  1. Appreciate the update to the policy to operate with sudo, however I'm still having an issue.

    After replacing the old policy, I'm getting the following audit messages:
    type=AVC msg=audit(1332877559.185:140889): avc: denied { execute } for pid=14638 comm="sudo" name="check_yum" dev=dm-0 ino=534851 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

    type=SYSCALL msg=audit(1332877559.185:140889): arch=40000003 syscall=11 success=no exit=-13 a0=23897e0 a1=bff2d628 a2=2389808 a3=bff2d628 items=0 ppid=14637 pid=14638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4845 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)

    Setting selinux to non-enforcing results in the command completing properly.
