Open mkola-greenliff opened 6 years ago
Hi. You need to make life (much) easier and install:
setools-libs setroubleshoot setroubleshoot-plugins setroubleshoot-server
Then use:
sealert -a /var/log/audit/audit.log
and it'll tell you what to add.
Hi micoots,
Many thanks for your reply. After fixing all SELinux issues, now I am getting:
UNKNOWN: Security plugin for yum is required. Try to 'yum install yum-security' (RHEL5) or 'yum install yum-plugin-security' (RHEL6) and then re-run this plugin. Alternatively, to just alert on any update which does not require the security plugin, try --all-updates
Of course yum-plugin-security is already installed, also '--all-updates' does not help. I don't see anything related in the audit log, so I don't think it's an SELinux problem. Any ideas?
Once again thanks!
I have the same problem. I'm running icinga2 inside a docker container and have the nrpe daemon running on the host. If I try to use check_yum from inside the container to the docker host, it shows me
UNKNOWN: Security plugin for yum is required. Try to 'yum install yum-security' (RHEL5) or 'yum install yum-plugin-security' (RHEL6) and then re-run this plugin. Alternatively, to just alert on any update which does not require the security plugin, try --all-updates
If I set setenforce 0 on the docker host, it works. But I won't set SELinux to permissive. In the audit log there is nothing blocking, I already did:
grep nrpe /var/log/audit/audit.log | audit2allow -M nrpe
semodule -i nrpe.pp
Has anyone been able to solve this? I have exactly the same problem. I don't want to disable SELinux.
Hi, the same problem here. But not in a docker container. Installed normally on the following OS:
CentOS Linux release 7.6.1810 (Core)
3.10.0-957.1.3.el7.x86_64
NRPE 3.2.1
check_yum.py 0.8.8
I have created a SELinux policy with the help of audit2allow. Now, no more errors found in audit.log, but still getting the message from check_yum.py:
UNKNOWN: Security plugin for yum is required. Try to 'yum install yum-security' (RHEL5) or 'yum install yum-plugin-security' (RHEL6) and then re-run this plugin. Alternatively, to just alert on any update which does not require the security plugin, try --all-updates
When I switch the SELinux mode for the NRPE context to permissive it works:
semanage permissive -a nrpe_t
So it still seems to be a SELinux problem, but I don't know where to look next. Any help is appreciated.
Regards
If you did as outlined above in https://github.com/HariSekhon/Nagios-Plugins/issues/195#issuecomment-393011621 and it still gives the error about "yum-security", check the context of the plugin as well. After putting it into the plugins folder, it needs a
# restorecon -Rv /usr/lib64/nagios/plugins/
in order to set the correct context for it to work.
Hi,
When SELinux is set to 'enforcing' (SELinux enabled in general) check_yum.py doesn't work:
[root@jtest-1 ~]# /usr/lib64/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_yum
UNKNOWN: /usr/bin/yum cannot be found
Of course the problem is with SELinux (output from audit.log):
type=AVC msg=audit(1527601412.036:17644): avc: denied { getattr } for pid=21199 comm="python" path="/usr/bin/yum" dev="dm-0" ino=50857672 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1527601412.036:17644): arch=c000003e syscall=4 success=no exit=-13 a0=116b1e0 a1=7ffe59cf85e0 a2=7ffe59cf85e0 a3=3 items=0 ppid=21198 pid=21199 auid=4294967295 uid=985 gid=985 euid=985 suid=985 fsuid=985 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python2.7" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1527601412.036:17644): proctitle=707974686F6E002F6F70742F6E6167696F732D706C7567696E732F636865636B5F79756D2E7079
I am not a master when it comes to SELinux, but I assume this issue can be easily fixed by some context changing. Can you please advise me how to do it? A copy-paste command would be more than appreciated.
Many thanks!
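
Added example, not part of the original thread and not code from the plugin project: a short Python reader for the AVC and PROCTITLE records quoted in the post above. It pulls out the source type, target type, class and permission, prints the matching type-enforcement rule, and decodes the hex process title to show which script was denied. The function names and the AUDIT_LINES list are made up for this illustration.

```python
import re

# Records copied from the audit.log excerpt in the original post.
AUDIT_LINES = [
    'type=AVC msg=audit(1527601412.036:17644): avc: denied { getattr } for pid=21199 '
    'comm="python" path="/usr/bin/yum" dev="dm-0" ino=50857672 '
    'scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file',
    'type=PROCTITLE msg=audit(1527601412.036:17644): '
    'proctitle=707974686F6E002F6F70742F6E6167696F732D706C7567696E732F636865636B5F79756D2E7079',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\((?P<event>[^)]+)\): proctitle=(?P<value>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def decode_proctitle(value):
    """auditd logs the command line quoted when it is plain text, otherwise
    hex-encoded with NUL bytes separating the arguments."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode('utf-8', 'replace').split('\x00')

def summarize(lines):
    """Group records by audit event id; collect allow rules and the command line."""
    events = {}
    for line in lines:
        avc = AVC_RE.search(line)
        if avc:
            perms = avc['perms'].split()
            perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
            rule = 'allow {} {}:{} {};'.format(selinux_type(avc['scontext']),
                                               selinux_type(avc['tcontext']),
                                               avc['tclass'], perm_text)
            events.setdefault(avc['event'], {'rules': [], 'argv': None})['rules'].append(rule)
            continue
        title = PROCTITLE_RE.search(line)
        if title:
            entry = events.setdefault(title['event'], {'rules': [], 'argv': None})
            entry['argv'] = decode_proctitle(title['value'])
    return events

if __name__ == '__main__':
    for event, info in summarize(AUDIT_LINES).items():
        print(event, info['argv'], info['rules'])
```

For the records in the post, the decoded command line is python running /opt/nagios-plugins/check_yum.py, and the denial is getattr from nrpe_t on a file labelled rpm_exec_t.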