SELinux prevents Nagios plugins from running on RHEL6
Solution 1
This should be fixed by this errata: http://rhn.redhat.com/errata/RHBA-2012-0780.html
Solution 2
If the nrpe_disable_trans boolean is not an option:
You can follow these instructions to create your own policy to allow NRPE. Basically, this would involve running SELinux in permissive mode long enough for your Nagios server to execute all of the scheduled NRPE checks. Then, you can pipe them from the audit.log file to audit2allow. This will build the required policies for your review and inclusion.
Thomas Bleher's nrpe.te file might also serve as a useful starting point or reference for building your own policy.
Solution 3
Well, first decide if you want SELinux. All EL-based ones have it installed and enabled by default, but pretty much no other distro does. It gives you a bit of security, but more than a bit of headaches, so you have to weigh one way or the other whether you want it. If you don't, you can disable it in /etc/selinux/config. The comments in the file will tell you exactly what to do.
If you want, you can also try to lower it. If it's currently set to enforcing, you can switch it to permissive and see if it lets you run NRPE. Also, you may be able to find some more walkthroughs on setting up NRPE using SELinux. Honestly, I always find it to be too much of an annoyance to be worth the security. HTH
Edit: You can find a bunch of the selinux bools for nagios here: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Solution 4
I noticed that the AVC message contains path="/usr/bin/sudo". This means that NRPE is b0rking when trying to use sudo to invoke a plugin.
The first (but by NO means last!) thing you'll have to do to allow this:
sudo setsebool -P nagios_run_sudo on
(-P writes the change to the policy file on disk, so it will be persistent across reboots.)
Now your plugin will run as root. But it most likely can't do anything complicated (e.g. run programs that have a domain other than bin_t), because your plugin is still running in the nrpe_t domain. This domain very deliberately has restrictive permissions; it can't even write to files in /tmp.
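The two steps the answers above leave to the reader are reading the AVC denials before changing anything (Solution 4 works from the path= and context fields of one such line) and the permissive-mode collection loop that feeds audit2allow (Solution 2). The POSIX shell helper below is an added example, not code from any of the answers: avc_summary condenses each denial to source domain, permission, target type, class and path so you can see what NRPE is really blocked from; needs_nagios_run_sudo checks whether the nrpe_t-to-sudo_exec_t case from the question is present; build_nrpe_module_live carries out Solution 2 and is assumed to run as root on a RHEL 6 host with policycoreutils installed (it is never invoked automatically). The two sample log lines are constructed, the first modelled on the line in the question.

```shell
#!/bin/sh
# Added example; not part of the original answers.
# Constructed sample AVC lines. The first mirrors the one in the question,
# the second is an invented /tmp write denial of the kind Solution 4 warns about.
SAMPLE_AVC_SUDO='May 13 14:01:30 wcmisdlin02 kernel: type=1400 audit(1305309690.482:2334): avc: denied { getattr } for pid=3835 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=7355981 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file'
SAMPLE_AVC_TMP='May 13 14:02:10 wcmisdlin02 kernel: type=1400 audit(1305309730.101:2340): avc: denied { write } for pid=4001 comm="check_disk" name="tmp" dev=dm-0 ino=2 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# avc_summary: read audit.log (or rsyslog) lines on stdin and print, per denial:
#   <source domain> <permission(s)> <target type> <object class> <path or ->
# This is the triage view: it tells you which domain was refused which access
# on which label, before you decide between a boolean and a custom module.
avc_summary() {
    grep 'avc:.*denied' | awk '{
        perm = ""; src = "?"; tgt = "?"; cls = "?"; path = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions are listed between { and }; join multiples with commas
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : (perm "," $j))
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), a, ":"); src = a[3]   # user:role:TYPE:level
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), b, ":"); tgt = b[3]
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            } else if (index($i, "path=") == 1) {
                path = substr($i, 6); gsub(/"/, "", path)
            }
        }
        print src, perm, tgt, cls, path
    }'
}

# needs_nagios_run_sudo: exit 0 if any denial on stdin is nrpe_t being refused
# access to a sudo_exec_t file, i.e. the case that nagios_run_sudo addresses.
needs_nagios_run_sudo() {
    avc_summary | awk '$1 == "nrpe_t" && $3 == "sudo_exec_t" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# build_nrpe_module_live: Solution 2 as a script. Run as root on the monitored
# host; assumes setenforce, audit2allow and semodule from policycoreutils.
# Enforcing mode is restored before the module is built, and the generated .te
# is left for review rather than loaded, since every allow rule in it becomes
# policy once semodule -i is run.
build_nrpe_module_live() {
    module=${1:-nrpe_local}
    log=${2:-/var/log/audit/audit.log}
    for t in setenforce audit2allow semodule; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing $t" >&2; return 1; }
    done
    setenforce 0                     # permissive: denials are logged, not blocked
    echo "Let the Nagios server run a full cycle of NRPE checks, then press Enter" >&2
    read -r _
    setenforce 1
    grep 'nrpe_t' "$log" | audit2allow -M "$module"   # writes $module.te and $module.pp
    echo "Review $module.te, then load with: semodule -i $module.pp" >&2
}

# Stand-alone demo: summarise the constructed lines.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n%s\n' "$SAMPLE_AVC_SUDO" "$SAMPLE_AVC_TMP" | avc_summary
fi
```

On a live host the same summary comes from `avc_summary < /var/log/audit/audit.log` (or from the rsyslog file the question quotes). A hit from needs_nagios_run_sudo is the signal for Solution 4's `setsebool -P nagios_run_sudo on`; anything else that avc_summary shows for nrpe_t is exactly what Solution 4 predicts will still be denied and is the input for Solution 2's custom module.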
alexus
Updated on September 18, 2022
Comments
-
alexus almost 2 years
After installing Nagios NRPE & Nagios Plugins, I'm getting the following entry in my rsyslog:
May 13 14:01:30 wcmisdlin02 kernel: type=1400 audit(1305309690.482:2334): avc: denied { getattr } for pid=3835 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=7355981 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
It seems like my Nagios plugins that I'm trying to execute through NRPE are being blocked by SELinux. What should I do?
-
alexus about 13 years: As serverfault suggests, if you downvote at least have some decency to comment!
-
Stefan Lasiewski about 13 years: You were probably downvoted because the title is very vague (this type of problem happens on many distros, not just Scientific Linux release 6.0). Can you clean up the title and make it more descriptive?
-
Govindarajulu about 13 years: Permissive will let you run (nearly) anything
-
alexus almost 12 years: There was an update from Red Hat that addressed that issue