SELinux is preventing /usr/bin/sudo from using the setgid capability

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 6

Issue

  • Attempting to run, as user nrpe (through the nrpe daemon), a script which calls '/usr/bin/sudo /opt/MegaRAID/MegaCli/MegaCli64'.
  • SELinux prevents it with the messages below:
Apr  9 09:18:34 host setroubleshoot: SELinux is preventing /usr/bin/sudo from using the setrlimit access on a process. For complete SELinux messages. run sealert -l 4128a7e9-006d-4724-b278-da850e8c0e5e
Apr  9 09:18:34 host setroubleshoot: SELinux is preventing /usr/bin/sudo from using the setgid capability. For complete SELinux messages. run sealert -l d72c22a2-1dfe-4e34-a7bd-5e36ae8ed483

Resolution

There are two possible solutions:

  1. Run the script and the binary it calls under a security context (a file label, and therefore a domain) that already allows this behaviour
  2. Compile a custom policy module from the recorded AVCs and load it

Root Cause

The denial is justified. The AVCs show that, through sudo, the nrpe user and the nrpe daemon would be given the following access, none of which is considered safe:

$ grep sudo ausearch.out | audit2allow -l

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow nagios_services_plugin_t devlog_t:sock_file write;
allow nagios_services_plugin_t initrc_var_run_t:file { read lock open };
allow nagios_services_plugin_t self:capability { sys_resource setgid audit_write };
allow nagios_services_plugin_t self:netlink_audit_socket { nlmsg_relay create };
allow nagios_services_plugin_t self:process { setsched setrlimit };
allow nagios_services_plugin_t self:unix_dgram_socket { create connect };
allow nagios_services_plugin_t sendmail_exec_t:file execute;
allow nagios_services_plugin_t sudo_db_t:dir { write create add_name };
allow nagios_services_plugin_t sudo_exec_t:file getattr;
allow nagios_services_plugin_t syslogd_t:unix_dgram_socket sendto;
allow nagios_services_plugin_t var_log_t:file { lock open };

Of these rules, the only one present in the current upstream policy is

allow nagios_services_plugin_t var_log_t:file open;

Diagnostic Steps

The sealert messages are user-friendly explanations of the SELinux denials, so they do not give much context. To get a better understanding of the issue, attach the raw audit log (/var/log/audit/audit.log) or the current AVCs, collected with:

# ausearch -i -m avc > ausearch.out
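The following shell script is an added example and is not part of the Red Hat solution. It ties the Diagnostic Steps and the Resolution together: it reads AVC records in the format `ausearch -i -m avc` produces (the sample records are constructed here, modelled on the setrlimit and setgid denials quoted in the Issue section), extracts the source type, target type, class and permission from each so a denial can be read without sealert, collapses them into the allow rules audit2allow would generate (compare the Root Cause list), and wraps the two resolution options as functions. The function names, the module name nrpe_sudo and the target type passed to relabel_plugin are assumptions; before relabelling, confirm that a candidate type such as nagios_unconfined_plugin_exec_t actually exists in your policy (semanage fcontext -l | grep nagios).

```shell
#!/bin/sh
# Added example: inspect raw AVCs and apply one of the two resolutions.

# Constructed sample in the layout of `ausearch -i -m avc` (not real log data),
# modelled on the sudo denials in the Issue section plus one file denial.
SAMPLE_AVC='type=AVC msg=audit(04/09/2013 09:18:34.251:4128) : avc:  denied  { setrlimit } for  pid=5120 comm=sudo scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=process
type=AVC msg=audit(04/09/2013 09:18:34.252:4129) : avc:  denied  { setgid } for  pid=5120 comm=sudo capability=setgid scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=capability
type=AVC msg=audit(04/09/2013 09:18:34.253:4130) : avc:  denied  { read open } for  pid=5121 comm=sudo path=/sbin/unix_chkpwd dev=dm-0 ino=131233 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file'

# Print one line per denied permission: "source_type target_type class permission".
# Reads the files given as arguments, or stdin when there are none.
avc_fields() {
    awk '
    /denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep only what is inside { ... }
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' "$@"
}

# Collapse the denials into the allow rules audit2allow would emit ("self" when the
# target type equals the source type). Illustrative only: use audit2allow for real policy.
avc_to_allow() {
    avc_fields "$@" | awk '
    {
        tgt = ($2 == $1) ? "self" : $2
        key = $1 " " tgt ":" $3
        if (!(key in perms)) { order[++n] = key; perms[key] = $4 }
        else if (index(" " perms[key] " ", " " $4 " ") == 0) perms[key] = perms[key] " " $4
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], k, " ")
            printf "allow %s %s { %s };\n", k[1], k[2], perms[order[i]]
        }
    }'
}

# Resolution option 2: build a custom module from the sudo-related AVCs and load it.
# Caveat: the module grants these rules to every process running as
# nagios_services_plugin_t, not only to this one script. Returns 2 if tools are missing.
build_custom_module() {
    avc_file=$1
    name=${2:-nrpe_sudo}                      # assumed module name
    command -v audit2allow >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1 || return 2
    grep sudo "$avc_file" | audit2allow -M "$name" || return 1
    cat "$name.te"                            # review the generated rules before loading
    semodule -i "$name.pp"
}

# Resolution option 1: label the plugin so it runs in a domain that already allows
# the access. The type is caller-supplied; verify it exists in your policy first.
relabel_plugin() {
    path=$1
    type=$2
    command -v semanage >/dev/null 2>&1 || return 2
    semanage fcontext -a -t "$type" "$path" && restorecon -v "$path"
}

# Stand-alone run: show the fields and the equivalent allow rules for the sample.
printf '%s\n' "$SAMPLE_AVC" | avc_fields
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Typical use is `ausearch -i -m avc > ausearch.out`, then `avc_fields ausearch.out` to see exactly which domain, class and permission each denial concerns, then either `build_custom_module ausearch.out` or `relabel_plugin /path/to/check_script <type>`. Both options widen what the plugin may do, which is why the Root Cause section calls the requested access unsafe; read the generated .te file before running semodule -i, and prefer the relabel only for the one script that genuinely needs sudo.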

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
