SELinux: pam_systemd(sudo:session): Failed to connect to system bus: Permission denied

Question

On one of CentOS 7 servers I cannot perform sudo from nrpe user (Nagios daemon remote monitoring).

Error message:

Dec 31 08:28:10 ip-172-31-36-176 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 31 08:28:10 ip-172-31-36-176 sudo:    nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/check_pm2 -A
Dec 31 08:28:10 ip-172-31-36-176 sudo: pam_systemd(sudo:session): Failed to connect to system bus: Permission denied

Of course, nrpe is in sudoers file:

Defaults:nrpe !requiretty
nrpe ALL = (root) NOPASSWD: /usr/local/bin/pm2_check_pm2

Contents of /usr/local/bin/pm2_check_pm2:

#!/bin/bash
sudo -u pm2 check_pm2 -A

(pm2 is unprivileged user here, sudo check_pm2 -A has same problem).

setenforce 0 solves problem. Same configuration works nice on other servers.

semanage export output:

boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 httpd_can_network_connect
boolean -m -1 httpd_can_network_memcache
boolean -m -1 httpd_can_sendmail
boolean -m -1 nagios_run_sudo
fcontext -a -f a -t cert_t '/etc/(letsencrypt|certbot)/(live|archive)(/.*)?'

ll -Z /var/run/dbus/system_bus_socket output:

srw-rw-rw-. root root system_u:object_r:system_dbusd_var_run_t:s0 /var/run/dbus/system_bus_socket

OS: CentOS 7.6 with latest updates. Reinstalling selinux* and dbus* did not help.

Please advise.

grep denied /var/log/audit/audit.log and find relevant messages. — user9517, Dec 31 '18 at 13:55
@Iain, audit2allow was generating empty relevant output for some reason. After running for 20 minutes I was able to read missing rules. — Alexander Gerasimov, Dec 31 '18 at 14:16

score 1 · Accepted Answer · answered Dec 31 '18 at 14:20

It was finally fixed with the following module code:

module nrpe 1.0;

require {
        type mongod_t;
        type nrpe_t;
        type proc_net_t;
        type initrc_var_run_t;
        type system_dbusd_t;
        type user_home_t;
        type user_home_dir_t;
        type admin_home_t;
        type systemd_logind_t;
        type unconfined_t;
        class capability { dac_override dac_read_search };
        class process execmem;
        class file { read open write lock };
        class unix_stream_socket connectto;
        class dir {open read search};
        class sock_file { getattr write };
        class dbus send_msg;
        class unix_stream_socket connectto;
}

#============= mongod_t ==============
allow mongod_t proc_net_t:file { open read };

#============= nrpe_t ==============
allow nrpe_t user_home_t:dir search;
allow nrpe_t user_home_dir_t:dir search;
allow nrpe_t system_dbusd_t:unix_stream_socket connectto;
allow nrpe_t initrc_var_run_t:file read;
allow nrpe_t self:capability { dac_override dac_read_search };
allow nrpe_t self:process execmem;
allow nrpe_t admin_home_t:file { read open };
allow nrpe_t admin_home_t:sock_file { getattr write };
allow nrpe_t initrc_var_run_t:file open;
allow nrpe_t system_dbusd_t:dbus send_msg;
allow nrpe_t initrc_var_run_t:file lock;
allow nrpe_t systemd_logind_t:dbus send_msg;
allow nrpe_t user_home_t:file { open read };
allow nrpe_t user_home_t:sock_file { getattr write };
allow systemd_logind_t nrpe_t:dbus send_msg;
allow nrpe_t unconfined_t:unix_stream_socket connectto;

In my setup "mongod_t proc_net_t:file" was required to proceed without nrpe check timeouts, not sure why.

SELinux: pam_systemd(sudo:session): Failed to connect to system bus: Permission denied

1 Answers1