SELinux prevents Nagios plugins from running on RHEL6


Solution 1

This should be fixed by this errata: http://rhn.redhat.com/errata/RHBA-2012-0780.html

Solution 2

If the nrpe_disable_trans boolean is not an option:

  1. You can follow these instructions to create your own policy to allow NRPE. Basically, this would involve running SELinux in permissive mode long enough for your Nagios server to execute all of the scheduled NRPE checks. Then, you can pipe them from the audit.log file to audit2allow. This will build the required policies for your review and inclusion.

  2. Thomas Bleher's nrpe.te file might also serve as a useful starting point or reference for building your own policy.

Solution 3

Well, first decide if you want SELinux. All EL based ones have it installed and enabled by default, but pretty much no other distro does. It gives you a bit of security, but more than a bit of headaches, so you have to weigh one way or the other whether you want it. If you don't, you can disable it in the /etc/selinux/config. The comments in the file will tell you exactly what to do.

If you want you can also try to lower it. If it's currently set to enforcing you can switch it to permissive and see if it lets you run NRPE. Also you may be able to find some more walkthroughs on setting up NRPE using SELinux. Honestly I always find it to be too much of an annoyance to be worth the security. HTH

Edit: You can find a bunch of the selinux bools for nagios here: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Solution 4

I noticed that the AVC message contains path="/usr/bin/sudo". This means that NRPE is b0rking when trying to use sudo to invoke a plugin.

The first (but by NO means last!) thing you'll have to do to allow this:

sudo setsebool -P nagios_run_sudo on

(-P writes the change to the policy file on disk. So it will be persistent across reboots.)

Now your plugin will run as root. But it most likely can't do anything complicated (e.g. run programs that have a domain other than bin_t), because your plugin is still running as the nrpe_t domain. This domain very deliberately has restrictive permissions; it can't even write to files in /tmp.
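The AVC-reading step in Solution 4 and the permissive-then-audit2allow route in Solution 2, as one added shell example (not code from the question or any answer). It parses the denial line quoted in the question to get the denied permission, source type, target type and object class, picks the narrowest fix this thread names, and wraps the audit2allow workflow in a function. Only the text parsing runs anywhere; `build_nrpe_module` assumes root and the RHEL6 policycoreutils-python tools (setenforce, audit2allow, semodule), and the `nrpe_local` module name is my choice.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial for NRPE and print the next
# defensive step. Assumes setenforce/audit2allow/semodule from
# policycoreutils-python on RHEL6; only avc_summary/suggest_step run without them.

# Sample input: the AVC line from the question, embedded verbatim.
SAMPLE_AVC='May 13 14:01:30 wcmisdlin02 kernel: type=1400 audit(1305309690.482:2334): avc:  denied  { getattr } for  pid=3835 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=7355981 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file'

# avc_summary LINE -> "PERMS SOURCE_TYPE TARGET_TYPE CLASS"
# Several denied permissions ({ read write }) come out comma-joined.
avc_summary() {
    _perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//; s/ /,/g')
    _src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$_perm" "$_src" "$_tgt" "$_cls"
}

# suggest_step SOURCE_TYPE TARGET_TYPE -> the narrowest fix named in this thread:
# nrpe_t hitting sudo_exec_t is exactly the nagios_run_sudo boolean case
# (Solution 4); anything else goes through a reviewed local module (Solution 2).
suggest_step() {
    if [ "$1" = nrpe_t ] && [ "$2" = sudo_exec_t ]; then
        echo 'setsebool -P nagios_run_sudo on'
    else
        echo 'collect denials and build a local module with audit2allow'
    fi
}

# Solution 2 as a script: run a full round of checks in permissive mode, turn the
# nrpe_t denials into a local module you can read, then go back to enforcing.
# The generated nrpe_local.te is meant to be reviewed before semodule -i installs it.
build_nrpe_module() {
    command -v audit2allow >/dev/null 2>&1 || {
        echo 'audit2allow missing: yum install policycoreutils-python' >&2
        return 1
    }
    setenforce 0
    echo 'Permissive: let the Nagios server run every scheduled NRPE check, then press Enter' >&2
    read _dummy
    # Denials for the nrpe_t domain only, so unrelated noise does not end up in the module.
    grep nrpe_t /var/log/audit/audit.log | audit2allow -M nrpe_local   # writes nrpe_local.te + nrpe_local.pp
    setenforce 1
    echo 'Review nrpe_local.te, then install with: semodule -i nrpe_local.pp' >&2
}

# Stand-alone run: summarise the sample line and print the suggested step.
avc_summary "$SAMPLE_AVC"
set -- $(avc_summary "$SAMPLE_AVC")
suggest_step "$2" "$3"
```

The point of `avc_summary` is that the three fields after `scontext`/`tcontext`/`tclass` are what decide the fix: a boolean such as nagios_run_sudo only covers the transition the policy authors anticipated, while a custom module should be cut from denials gathered under a complete run of the checks, not from one line.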

Updated on September 18, 2022

Comments

  • alexus
    alexus almost 2 years

    After installing Nagios NRPE & Nagios Plugins, I'm getting the following entry in my rsyslog:

    May 13 14:01:30 wcmisdlin02 kernel: type=1400 audit(1305309690.482:2334): avc:  denied  { getattr } for  pid=3835 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=7355981 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

    It seems like my Nagios plugins that I'm trying to execute through NRPE are being blocked by SELinux. What should I do?

    • alexus
      alexus about 13 years
      as serverfault suggests, if you downvote at least have some decency to comment!
    • Stefan Lasiewski
      Stefan Lasiewski about 13 years
      You were probably downvoted because Title is very vague (This type of problem happens on many distros, not just Scientific Linux release 6.0). Can you clean up the title and make it more descriptive?
  • Govindarajulu
    Govindarajulu about 13 years
    Permissive will let you run (nearly) anything
  • alexus
    alexus almost 12 years
    there was an update from REDHAT that addressed that issue