3

Any time I run sudo through NRPE, I get the following message in my /var/log/secure, and I can't figure out how to resolve it.

sudo: PAM audit_log_acct_message() failed: Permission denied

Please advise.

* UPDATE *

[root@XXXXX ~]# ausearch -m avc -ts today | tail 
type=SYSCALL msg=audit(1381429383.104:128936): arch=c000003e syscall=44 success=no exit=-13 a0=8 a1=7fffd40dfac0 a2=8 a3=0 items=0 ppid=24708 pid=24711 auid=4294967295 uid=0 gid=496 euid=0 suid=0 fsuid=0 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1381429383.104:128936): avc:  denied  { sendto } for  pid=24711 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
----
time->Thu Oct 10 14:23:03 2013
type=SYSCALL msg=audit(1381429383.125:128937): arch=c000003e syscall=44 success=no exit=-13 a0=8 a1=7fff6a74a1f0 a2=8 a3=0 items=0 ppid=24710 pid=24712 auid=4294967295 uid=0 gid=496 euid=0 suid=0 fsuid=0 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1381429383.125:128937): avc:  denied  { sendto } for  pid=24712 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
----
time->Thu Oct 10 14:23:02 2013
type=SYSCALL msg=audit(1381429382.133:128935): arch=c000003e syscall=44 success=no exit=-13 a0=8 a1=7fff549492e0 a2=8 a3=0 items=0 ppid=24699 pid=24700 auid=4294967295 uid=0 gid=496 euid=0 suid=0 fsuid=0 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1381429382.133:128935): avc:  denied  { sendto } for  pid=24700 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
[root@XXXXX ~]# 

* UPDATE #2 *

[root@XXXXX ~]# ausearch -m avc -ts today | audit2allow


#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t self:capability sys_nice;

#!!!! This avc is allowed in the current policy
allow nrpe_t self:key write;

#!!!! This avc is allowed in the current policy
allow nrpe_t self:unix_dgram_socket sendto;

#!!!! This avc is allowed in the current policy
allow nrpe_t tmp_t:dir read;
[root@XXXX ~]# 

* UPDATE 3 *

[root@XXXXX ~]# semanage permissive -a npre_t
libsepol.print_missing_requirements: permissive_npre_t's global requirements were not met: type/attribute npre_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
[root@XXXXX ~]# 
Keith
alexus

2 Answers

1

This won't work anyway. Looking at the NRPE policy, it doesn't permit you to use sudo. You'd need to change the policy to allow it.

So fixing the error in your case is unlikely to make a difference.

The quickest (and hacky) way to resolve this would be to make this type permissive. Note you'll probably end up with a whole load of SELinux alerts for this type.

semanage permissive -a nrpe_t

Else it would be a matter of creating a lot of policy to support sudoing.

Matthew Ife
  • I had a typo, it's nrpe not npre. I've edited the answer. – Matthew Ife Oct 10 '13 at 20:51
  • @Mlfe: ahh, right) that went through fine this time, so I don't even get this message (yey) anymore, yet I'm unable to get output from nrpe( – alexus Oct 10 '13 at 20:56
  • Since the type now permits everything it is less likely to be NRPE directly. It could be something you are trying to query in NRPE that gets blocked in SELinux though. Try running `ausearch -ts today -m avc` again (there's likely to be a lot more noise now though). – Matthew Ife Oct 10 '13 at 21:02
  • OK, just ran it and piped it to audit2allow and got the same output as update #2. – alexus Oct 10 '13 at 21:04
  • This is less likely to be SELinux related in this case. You can (temporarily) try `setenforce 0` and try your script to see if it works with SELinux disabled completely. – Matthew Ife Oct 10 '13 at 21:10
  • You're right, another sysadmin made a change and broke it, so I just fixed it) thanks a lot! – alexus Oct 10 '13 at 21:14
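
One way to triage `ausearch -m avc` output like that in the question before touching policy, as an added example that is not part of the original question or answers: it groups denials by source domain, target, class and permission, so the noisier log expected from a permissive domain stays readable. The function names `sample_avc` and `avc_summary` and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials from `ausearch -m avc` output.

# Constructed sample input: shortened records modelled on the question's
# output, plus one invented tmp_t denial (check_example is a made-up name).
sample_avc() {
cat <<'EOF'
type=SYSCALL msg=audit(1381429383.104:128936): arch=c000003e syscall=44 success=no exit=-13 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1381429383.104:128936): avc:  denied  { sendto } for  pid=24711 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
----
time->Thu Oct 10 14:23:03 2013
type=AVC msg=audit(1381429383.125:128937): avc:  denied  { sendto } for  pid=24712 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1381429382.133:128935): avc:  denied  { sendto } for  pid=24700 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1381429390.001:128940): avc:  denied  { read } for  pid=24720 comm="check_example" name="tmp" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# Print "<count> <source type> <target type|self>:<class> { perms } comm=<name>",
# most frequent first. SYSCALL, separator and time-> lines are ignored.
avc_summary() {
    awk '
    # The SELinux type is the third colon-separated field of a context.
    function se_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" && / denied / {
        perms = ""; comm = "?"; sctx = ""; tctx = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # collect permissions up to "}"
                for (i++; i <= NF && $i != "}"; i++)
                    perms = perms (perms == "" ? "" : " ") $i
            } else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/)   sctx = substr($i, 10)
            else if ($i ~ /^tcontext=/)   tctx = substr($i, 10)
            else if ($i ~ /^tclass=/)     cls  = substr($i, 8)
        }
        # Identical source and target contexts are what audit2allow prints as "self".
        tgt = (sctx == tctx) ? "self" : se_type(tctx)
        count[se_type(sctx) " " tgt ":" cls " { " perms " } comm=" comm]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Demo on the constructed sample; on a real host:
#   ausearch -m avc -ts today | avc_summary
sample_avc | avc_summary
```
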
0

If you are already using RHEL 7 then this bug has been fixed (https://bugzilla.redhat.com/show_bug.cgi?id=1201054)

You can enable/disable sudo for nrpe with the following commands.

setsebool nagios_run_sudo on 
setsebool nagios_run_sudo off