SELinux and RHEL6.2 preventing disk checks via NRPE

Trond Hasle Amundsen t.h.amundsen at usit.uio.no
Fri Dec 9 14:13:16 CET 2011


Dennis Kuhlmeier <kuhlmeier at riege.com> writes:

> Hello,
>
> after upgrading to RHEL6.2 I have problems checking some
> filesystems. Always the same three FS on all hosts, others work fine.
>
> /boot
> /home
> /var/log/audit
>
> $ ./check_nrpe -H backup -c check_fs_boot
> DISK CRITICAL - /boot is not accessible: Permission denied
>
> Now I disable SELinux and it works!
> $ ./check_nrpe -H backup -c check_fs_boot
> DISK OK - free space: /boot 36 MB (39% inode=99%);| /boot=55MB;96;;0;96
>
> Although not a single line is logged on the monitored host, neither
> in messages nor in audit.log
>
> I already had a local policy created for the nrpe daemon when RHEL6
> was introduced, as somehow many checks failed, although the user
> nrpe was running in was allowed to perform all checks, the nrpe
> daemon itself couldn't. I'll attach the policy, although at one
> point I gave up and just set the entire process to permissive mode.
> (note that I tried to extend rights on boot filesystem in this
> policy already, although it would seem to be unnecessary)
>
> Anybody experiencing something alike or any suggestions about how to
> handle nrpe and RHEL6(.2) in a better way than I am?

RHEL6 has the following labels for use with Nagios plugins:

  # grep nagios /etc/selinux/targeted/contexts/files/file_contexts | grep plugin_exec | cut -d: -f3 | sort -u
  nagios_admin_plugin_exec_t
  nagios_checkdisk_plugin_exec_t
  nagios_mail_plugin_exec_t
  nagios_services_plugin_exec_t
  nagios_system_plugin_exec_t
  nagios_unconfined_plugin_exec_t

Try setting the confined types first, e.g.:

  chcon -t nagios_checkdisk_plugin_exec_t /path/to/check_fs_boot

If none of them works properly, you have nagios_unconfined_plugin_exec_t
as a last resort.

When you find one that works, make it permanent with:

  semanage fcontext -a -t <type> '/path/to/check_fs_boot'

You may also have to set proper labels on the path leading up to the
actual plugin.

Regards,
-- 
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo


------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of 
discussion for anyone considering optimizing the pricing and packaging model 
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list