5

After installing Nagios NRPE & Nagios Plugins, I'm getting the following entry in my rsyslog:

May 13 14:01:30 wcmisdlin02 kernel: type=1400 audit(1305309690.482:2334): avc:  denied  { getattr } for  pid=3835 comm="sh" path="/usr/bin/sudo" dev=dm-0 ino=7355981 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

It seems like my Nagios plugins that I'm trying to execute through NRPE are being blocked by SELinux. What should I do?

Skyhawk
alexus
  • As Server Fault suggests, if you downvote, at least have some decency to comment! – alexus May 13 '11 at 18:14
  • You were probably downvoted because Title is very vague (This type of problem happens on many distros, not just Scientific Linux release 6.0). Can you clean up the title and make it more descriptive? – Stefan Lasiewski May 20 '11 at 20:44

4 Answers

3

Well, first decide if you want SELinux. All EL based ones have it installed and enabled by default, but pretty much no other distro does. It gives you a bit of security, but more than a bit of headaches, so you have to weigh one way or the other whether you want it. If you don't, you can disable it in the /etc/selinux/config. The comments in the file will tell you exactly what to do.

If you want, you can also try to lower it. If it's currently set to enforcing, you can switch it to permissive and see if it lets you run NRPE. Also, you may be able to find some more walkthroughs on setting up NRPE using SELinux. Honestly, I always find it to be too much of an annoyance to be worth the security. HTH

Edit: You can find a bunch of the selinux bools for nagios here: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Matthew
  • Permissive will let you run (nearly) anything – wzzrd Jun 01 '11 at 17:17
  • 1
    @wzzrd: Setting SELinux to Permissive will cause AVC denials to be logged but not enforced (logged in /var/log/audit/audit.log if auditd is running - at least on RH derivs). So Permissive will indeed let you run anything - SELinux will not enforce policy in this mode, only log what would be denied if it were running in Enforcing mode. – Eli Heady Jul 16 '11 at 10:44
3

If the nrpe_disable_trans boolean is not an option:

  1. You can follow these instructions to create your own policy to allow NRPE. Basically, this would involve running SELinux in permissive mode long enough for your Nagios server to execute all of the scheduled NRPE checks. Then, you can pipe them from the audit.log file to audit2allow. This will build the required policies for your review and inclusion.

  2. Thomas Bleher's nrpe.te file might also serve as a useful starting point or reference for building your own policy.

Skyhawk
2

I noticed that the AVC message contains path="/usr/bin/sudo". This means that NRPE is b0rking when trying to use sudo to invoke a plugin.

The first (but by NO means last!) thing you'll have to do to allow this:

sudo setsebool -P nagios_run_sudo on

(-P writes the change to the policy file on disk. So it will be persistent across reboots.)

Now your plugin will run as root. But it most likely can't do anything complicated (e.g. run programs that have a domain other than bin_t), because your plugin is still running as the nrpe_t domain. This domain very deliberately has restrictive permissions; it can't even write to files in /tmp.

Alastair Irvine
1

This should be fixed by this errata: http://rhn.redhat.com/errata/RHBA-2012-0780.html

Ugob