Fedora 36, Nagios-plugins, and SELinux

After upgrading to Fedora 36, SELinux is denying every nagios plugin action/run attempt that Nagios (or Icinga2 for that matter, since I was running both side by side) is doing.

I’ve done a relabel, just to get the preliminaries out of the way.

nagios-selinux is installed… I can see the module in the semanage module -l list.

I’ve checked the context of the plugins; most are in “nagios_unconfined_plugin_exec_t”, except for the appropriate differences.

An audit2allow of the audit log brings up the following:

#============= nagios_unconfined_plugin_t ==============
allow nagios_unconfined_plugin_t NetworkManager_t:dir { getattr search };
allow nagios_unconfined_plugin_t NetworkManager_t:file { open read };
allow nagios_unconfined_plugin_t NetworkManager_t:lnk_file read;
allow nagios_unconfined_plugin_t abrt_dump_oops_t:dir { getattr search };
allow nagios_unconfined_plugin_t abrt_dump_oops_t:file { open read };
allow nagios_unconfined_plugin_t abrt_dump_oops_t:lnk_file read;
allow nagios_unconfined_plugin_t accountsd_t:dir { getattr search };
allow nagios_unconfined_plugin_t accountsd_t:file { open read };
allow nagios_unconfined_plugin_t accountsd_t:lnk_file read;
allow nagios_unconfined_plugin_t alsa_t:dir { getattr search };
allow nagios_unconfined_plugin_t alsa_t:file { open read };
allow nagios_unconfined_plugin_t alsa_t:lnk_file read;
allow nagios_unconfined_plugin_t antivirus_t:dir { getattr search };
allow nagios_unconfined_plugin_t antivirus_t:file { open read };
allow nagios_unconfined_plugin_t antivirus_t:lnk_file read;
allow nagios_unconfined_plugin_t auditd_t:dir { getattr search };
allow nagios_unconfined_plugin_t auditd_t:file { open read };
allow nagios_unconfined_plugin_t auditd_t:lnk_file read;
allow nagios_unconfined_plugin_t avahi_t:dir { getattr search };
allow nagios_unconfined_plugin_t avahi_t:file { open read };
allow nagios_unconfined_plugin_t avahi_t:lnk_file read;
allow nagios_unconfined_plugin_t bin_t:file { execute execute_no_trans };
allow nagios_unconfined_plugin_t cert_t:file { getattr open read };
allow nagios_unconfined_plugin_t chronyd_t:dir { getattr search };
allow nagios_unconfined_plugin_t chronyd_t:file { open read };
allow nagios_unconfined_plugin_t chronyd_t:lnk_file read;
allow nagios_unconfined_plugin_t colord_t:dir { getattr search };
allow nagios_unconfined_plugin_t colord_t:file { open read };
allow nagios_unconfined_plugin_t colord_t:lnk_file read;
allow nagios_unconfined_plugin_t crond_t:dir { getattr search };
allow nagios_unconfined_plugin_t crond_t:file { open read };
allow nagios_unconfined_plugin_t crond_t:lnk_file read;
allow nagios_unconfined_plugin_t cupsd_t:dir { getattr search };
allow nagios_unconfined_plugin_t cupsd_t:file { open read };
allow nagios_unconfined_plugin_t cupsd_t:lnk_file read;
allow nagios_unconfined_plugin_t devicekit_disk_t:dir { getattr search };
allow nagios_unconfined_plugin_t devicekit_disk_t:file { open read };
allow nagios_unconfined_plugin_t devicekit_disk_t:lnk_file read;
allow nagios_unconfined_plugin_t devicekit_power_t:dir { getattr search };
allow nagios_unconfined_plugin_t devicekit_power_t:file { open read };
allow nagios_unconfined_plugin_t devicekit_power_t:lnk_file read;
allow nagios_unconfined_plugin_t dkim_milter_t:dir { getattr search };
allow nagios_unconfined_plugin_t dkim_milter_t:file { open read };
allow nagios_unconfined_plugin_t dkim_milter_t:lnk_file read;
allow nagios_unconfined_plugin_t dovecot_auth_t:dir { getattr search };
allow nagios_unconfined_plugin_t dovecot_auth_t:file { open read };
allow nagios_unconfined_plugin_t dovecot_auth_t:lnk_file read;
allow nagios_unconfined_plugin_t dovecot_t:dir { getattr search };
allow nagios_unconfined_plugin_t dovecot_t:file { open read };
allow nagios_unconfined_plugin_t dovecot_t:lnk_file read;
allow nagios_unconfined_plugin_t fail2ban_t:dir { getattr search };
allow nagios_unconfined_plugin_t fail2ban_t:file { open read };
allow nagios_unconfined_plugin_t fail2ban_t:lnk_file read;
allow nagios_unconfined_plugin_t firewalld_t:dir { getattr search };
allow nagios_unconfined_plugin_t firewalld_t:file { open read };
allow nagios_unconfined_plugin_t firewalld_t:lnk_file read;
allow nagios_unconfined_plugin_t fsdaemon_t:dir { getattr search };
allow nagios_unconfined_plugin_t fsdaemon_t:file { open read };
allow nagios_unconfined_plugin_t fsdaemon_t:lnk_file read;
allow nagios_unconfined_plugin_t gssproxy_t:dir { getattr search };
allow nagios_unconfined_plugin_t gssproxy_t:file { open read };
allow nagios_unconfined_plugin_t gssproxy_t:lnk_file read;
allow nagios_unconfined_plugin_t http_cache_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t http_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t httpd_t:dir { getattr search };
allow nagios_unconfined_plugin_t httpd_t:file { open read };
allow nagios_unconfined_plugin_t httpd_t:lnk_file read;
allow nagios_unconfined_plugin_t icinga2_t:dir { getattr search };
allow nagios_unconfined_plugin_t icinga2_t:file { open read };
allow nagios_unconfined_plugin_t icinga2_t:lnk_file read;
allow nagios_unconfined_plugin_t init_t:dir { getattr search };
allow nagios_unconfined_plugin_t init_t:file { open read };
allow nagios_unconfined_plugin_t init_t:lnk_file read;
allow nagios_unconfined_plugin_t initrc_var_run_t:file { lock open read };
allow nagios_unconfined_plugin_t irqbalance_t:dir { getattr search };
allow nagios_unconfined_plugin_t irqbalance_t:file { open read };
allow nagios_unconfined_plugin_t irqbalance_t:lnk_file read;
allow nagios_unconfined_plugin_t kernel_t:dir { getattr search };
allow nagios_unconfined_plugin_t kernel_t:file { open read };
allow nagios_unconfined_plugin_t kernel_t:lnk_file read;
allow nagios_unconfined_plugin_t mcelog_t:dir { getattr search };
allow nagios_unconfined_plugin_t mcelog_t:file { open read };
allow nagios_unconfined_plugin_t mcelog_t:lnk_file read;
allow nagios_unconfined_plugin_t modemmanager_t:dir { getattr search };
allow nagios_unconfined_plugin_t modemmanager_t:file { open read };
allow nagios_unconfined_plugin_t modemmanager_t:lnk_file read;
allow nagios_unconfined_plugin_t mysqld_t:dir { getattr search };
allow nagios_unconfined_plugin_t mysqld_t:file { open read };
allow nagios_unconfined_plugin_t mysqld_t:lnk_file read;
allow nagios_unconfined_plugin_t nagios_exec_t:file getattr;
allow nagios_unconfined_plugin_t nagios_t:dir { getattr search };
allow nagios_unconfined_plugin_t nagios_t:file { open read };
allow nagios_unconfined_plugin_t nagios_t:lnk_file read;
allow nagios_unconfined_plugin_t named_t:dir { getattr search };
allow nagios_unconfined_plugin_t named_t:file { open read };
allow nagios_unconfined_plugin_t named_t:lnk_file read;
allow nagios_unconfined_plugin_t node_t:tcp_socket node_bind;
allow nagios_unconfined_plugin_t node_t:udp_socket node_bind;
allow nagios_unconfined_plugin_t passwd_file_t:file { getattr open read };
allow nagios_unconfined_plugin_t pcscd_t:dir { getattr search };
allow nagios_unconfined_plugin_t pcscd_t:file { open read };
allow nagios_unconfined_plugin_t pcscd_t:lnk_file read;
allow nagios_unconfined_plugin_t ping_exec_t:file { execute execute_no_trans getattr open read };
allow nagios_unconfined_plugin_t policykit_t:dir { getattr search };
allow nagios_unconfined_plugin_t policykit_t:file { open read };
allow nagios_unconfined_plugin_t policykit_t:lnk_file read;
allow nagios_unconfined_plugin_t pop_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t postfix_cleanup_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_cleanup_t:file { open read };
allow nagios_unconfined_plugin_t postfix_cleanup_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_local_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_local_t:file { open read };
allow nagios_unconfined_plugin_t postfix_local_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_master_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_master_t:file { open read };
allow nagios_unconfined_plugin_t postfix_master_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_pickup_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_pickup_t:file { open read };
allow nagios_unconfined_plugin_t postfix_pickup_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_qmgr_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_qmgr_t:file { open read };
allow nagios_unconfined_plugin_t postfix_qmgr_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_smtp_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_smtp_t:file { open read };
allow nagios_unconfined_plugin_t postfix_smtp_t:lnk_file read;
allow nagios_unconfined_plugin_t postfix_smtpd_t:dir { getattr search };
allow nagios_unconfined_plugin_t postfix_smtpd_t:file { open read };
allow nagios_unconfined_plugin_t postfix_smtpd_t:lnk_file read;
allow nagios_unconfined_plugin_t redis_t:dir { getattr search };
allow nagios_unconfined_plugin_t redis_t:file { open read };
allow nagios_unconfined_plugin_t redis_t:lnk_file read;
allow nagios_unconfined_plugin_t rpm_t:dir { getattr search };
allow nagios_unconfined_plugin_t rpm_t:file { open read };
allow nagios_unconfined_plugin_t rpm_t:lnk_file read;
allow nagios_unconfined_plugin_t rtkit_daemon_t:dir { getattr search };
allow nagios_unconfined_plugin_t rtkit_daemon_t:file { open read };
allow nagios_unconfined_plugin_t rtkit_daemon_t:lnk_file read;
allow nagios_unconfined_plugin_t self:icmp_socket { create getopt setopt };
allow nagios_unconfined_plugin_t self:process setcap;
allow nagios_unconfined_plugin_t self:tcp_socket { bind connect create setopt };
allow nagios_unconfined_plugin_t self:udp_socket { bind connect create getattr getopt };
allow nagios_unconfined_plugin_t setroubleshootd_t:dir { getattr search };
allow nagios_unconfined_plugin_t setroubleshootd_t:file { open read };
allow nagios_unconfined_plugin_t setroubleshootd_t:lnk_file read;
allow nagios_unconfined_plugin_t smtp_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t snmpd_var_lib_t:dir read;
allow nagios_unconfined_plugin_t ssh_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t sshd_t:dir { getattr search };
allow nagios_unconfined_plugin_t sshd_t:file { open read };
allow nagios_unconfined_plugin_t sshd_t:lnk_file read;
allow nagios_unconfined_plugin_t syslogd_t:dir { getattr search };
allow nagios_unconfined_plugin_t syslogd_t:file { open read };
allow nagios_unconfined_plugin_t syslogd_t:lnk_file read;
allow nagios_unconfined_plugin_t system_dbusd_t:dir { getattr search };
allow nagios_unconfined_plugin_t system_dbusd_t:file { open read };
allow nagios_unconfined_plugin_t system_dbusd_t:lnk_file read;
allow nagios_unconfined_plugin_t systemd_logind_t:dir { getattr search };
allow nagios_unconfined_plugin_t systemd_logind_t:file { open read };
allow nagios_unconfined_plugin_t systemd_logind_t:lnk_file read;
allow nagios_unconfined_plugin_t systemd_machined_t:dir { getattr search };
allow nagios_unconfined_plugin_t systemd_machined_t:file { open read };
allow nagios_unconfined_plugin_t systemd_machined_t:lnk_file read;
allow nagios_unconfined_plugin_t systemd_resolved_t:dir { getattr search };
allow nagios_unconfined_plugin_t systemd_resolved_t:file { open read };
allow nagios_unconfined_plugin_t systemd_resolved_t:lnk_file read;
allow nagios_unconfined_plugin_t systemd_userdbd_t:dir { getattr search };
allow nagios_unconfined_plugin_t systemd_userdbd_t:file { open read };
allow nagios_unconfined_plugin_t systemd_userdbd_t:lnk_file read;
allow nagios_unconfined_plugin_t udev_t:dir { getattr search };
allow nagios_unconfined_plugin_t udev_t:file { open read };
allow nagios_unconfined_plugin_t udev_t:lnk_file read;
allow nagios_unconfined_plugin_t unconfined_dbusd_t:dir { getattr search };
allow nagios_unconfined_plugin_t unconfined_dbusd_t:file { open read };
allow nagios_unconfined_plugin_t unconfined_dbusd_t:lnk_file read;
allow nagios_unconfined_plugin_t unconfined_service_t:dir { getattr search };
allow nagios_unconfined_plugin_t unconfined_service_t:file { open read };
allow nagios_unconfined_plugin_t unconfined_service_t:lnk_file read;
allow nagios_unconfined_plugin_t unconfined_t:dir { getattr search };
allow nagios_unconfined_plugin_t unconfined_t:file { open read };
allow nagios_unconfined_plugin_t unconfined_t:lnk_file read;
allow nagios_unconfined_plugin_t xdm_t:dir { getattr search };
allow nagios_unconfined_plugin_t xdm_t:file { open read };
allow nagios_unconfined_plugin_t xdm_t:lnk_file read;
allow nagios_unconfined_plugin_t xserver_t:dir { getattr search };
allow nagios_unconfined_plugin_t xserver_t:file { open read };
allow nagios_unconfined_plugin_t xserver_t:lnk_file read;

It feels like that context is broken/unworking somehow… Any suggestions?

Can you have a look at 2083788 – nagios plugins mislabeled?

Welcome to Ask Fedora! Please read “Welcome to Ask Fedora! Please read me first!” when you have a minute.

Thanks

Yes, I think this is the same issue. So it’s either an issue of mislabeling, or that many plugins were all put in the “unconfined” context as a conscious decision but that context actually has no permissions in the policy currently.

By manually using chcon on various plugins to the “services” or “system” plugin context you can alleviate the denials, but that’s not to say those are the correct contexts for each of these plugins.

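The triage the question describes and the chcon workaround from the reply, as an added shell example that is not part of this thread and not code from the nagios-selinux, selinux-policy, Nagios or Icinga projects. Assumptions: the plugin path /usr/lib64/nagios/plugins/check_example is hypothetical, SAMPLE_RULES is a constructed excerpt shaped like the audit2allow listing above, and the “services” and “system” plugin contexts the reply mentions are taken to be nagios_services_plugin_exec_t and nagios_system_plugin_exec_t. Running the privileged parts for real needs semanage (policycoreutils-python-utils), sesearch (setools-console) and matchpathcon (libselinux-utils); with DRYRUN=1 the script prints those commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread; not code from nagios-selinux, selinux-policy,
# Nagios or Icinga.  The plugin path is hypothetical and SAMPLE_RULES is a
# constructed excerpt in the shape of the audit2allow output in the question.
# Needs semanage, sesearch and matchpathcon for a real run; DRYRUN=1 prints
# the privileged commands instead of executing them.

SAMPLE_RULES='#============= nagios_unconfined_plugin_t ==============
allow nagios_unconfined_plugin_t bin_t:file { execute execute_no_trans };
allow nagios_unconfined_plugin_t cert_t:file { getattr open read };
allow nagios_unconfined_plugin_t http_port_t:tcp_socket name_connect;
allow nagios_unconfined_plugin_t self:icmp_socket { create getopt setopt };
allow nagios_unconfined_plugin_t self:process setcap;'

# Step 1: treat the audit2allow listing as evidence, not as a module to load.
# It reports the denied source domain and how many object classes were
# refused.  Being denied basics such as executing bin_t or creating its own
# sockets points at a domain that grants almost nothing, not at a few
# missing rules.
summarize_rules() {              # summarize_rules <audit2allow text>
    printf '%s\n' "$1" | awk '
        /^allow / {
            src[$2]++
            split($3, obj, ":")
            cls[obj[2]]++
        }
        END {
            for (s in src) printf "source=%s rules=%d\n", s, src[s]
            n = 0
            for (c in cls) n++
            printf "classes=%d\n", n
        }'
}

# Step 2: check that theory against the loaded policy.  No output for
# nagios_unconfined_plugin_t means the file labels are as the policy intends
# and the domain simply grants nothing; a long list means look at the labels.
policy_allow_rules() {           # policy_allow_rules <source domain>
    if command -v sesearch >/dev/null 2>&1; then
        sesearch --allow -s "$1"
    else
        echo "sesearch not found; install setools-console" >&2
        return 1
    fi
}

# Current on-disk label next to the label the file-context database expects.
label_state() {                  # label_state <plugin path>
    ls -Z "$1"
    matchpathcon "$1"
}

# Run a command, or only print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 3: move one plugin to a confined plugin type.  A bare chcon is undone
# by the next restorecon or relabel (the question already ran one), so record
# the label with semanage fcontext and then apply it.  If the policy already
# carries a spec for exactly this path, "-a" fails with "already defined" and
# the call falls through to "-m".
relabel_plugin() {               # relabel_plugin <plugin path> <exec type>
    plugin=$1
    ctx=$2
    case $ctx in
        nagios_services_plugin_exec_t|nagios_system_plugin_exec_t) ;;
        *)  echo "refusing $ctx: only the services/system plugin types are used here" >&2
            return 2 ;;
    esac
    run semanage fcontext -a -t "$ctx" "$plugin" 2>/dev/null \
        || run semanage fcontext -m -t "$ctx" "$plugin"
    run restorecon -v "$plugin"
}

# Worked run on the constructed listing and the hypothetical plugin path.
summarize_rules "$SAMPLE_RULES"
DRYRUN=1 relabel_plugin /usr/lib64/nagios/plugins/check_example nagios_services_plugin_exec_t
```

Two cautions. Feeding the full listing above to audit2allow -M would give the plugin domain read access to /proc entries of nearly every process domain on the host plus network and setcap rights, which is a far larger grant than any single check needs, so use the listing to locate the broken domain and leave the rules unloaded. And relabel_plugin only picks the less privileged of the existing plugin types; which type each plugin should actually carry is the policy question tracked in the bug the reply links, not something this script decides.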