1

I have a few virtual machines in the same LAN monitored by Icinga2 via NRPE.

[Machine A]

  • CentOS 6

  • Icinga2.

[Machine B]

  • CentOS 6

  • MariaDB v10.1.12 properly running

Datadir and socket settings in my.cnf:

datadir=/database/mariadb
socket=/database/mariadb/mysql.sock

There is also the following symlink:

/var/lib/mysql -> /database/mariadb

The owner:group of the all above is mysql:mysql.

  • SELinux enabled

  • /usr/lib64/nagios/plugins/check_mysql v2.0.3

with the following security context:

-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_mysql

  • nrpe.cfg contains the following line:

command[check_mysql]=/usr/lib64/nagios/plugins/check_mysql -H localhost -u xxx -p xxx -P 3306

Now the problem:

Icinga (from machine A) reports:

"Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)"

If I manually run the following line on machine B:

sudo -u nrpe /usr/lib64/nagios/plugins/check_mysql -H localhost -u xxx -p xxx -P 3306

The result is ok (exit code 0):

Uptime: 2085  Threads: 1  Questions: 68204  Slow queries: 0  Opens: 37  Flush...

Only when I disable SELinux on machine B (echo 0 > /selinux/enforce) is Icinga able to connect to mysql and show the status OK. But I don't want to disable SELinux. I am trying to find the proper settings to have both SELinux enabled and Icinga properly connecting to mysql.

[edit]

Every time Icinga checks mysql on machine B I see the following two new lines in the audit.log on machine B:

type=AVC msg=audit(1460038526.265:69): avc:  denied  { read } for  pid=4858 comm="check_mysql" name="mysql" dev=dm-0 ino=130900 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1460038526.265:69): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffe4d270f0 a2=6e a3=7fffe4d263e0 items=0 ppid=4857 pid=4858 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="check_mysql" exe="/usr/lib64/nagios/plugins/check_mysql" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
Keith
  • 4,627
  • 14
  • 25
Ciprian Stoica
  • 147
  • 2
  • 10

3 Answers

4

Try this:

setsebool -P nagios_run_sudo 1

on the host with NRPE. This option is disabled by default in the SELinux policy.

1

I managed to solve it finally. I share the solution below as it might be useful to others too.

I created a working file named audit.log containing just the lines below:

type=AVC msg=audit(1460038526.265:69): avc:  denied  { read } for  pid=4858 comm="check_mysql" name="mysql" dev=dm-0 ino=130900 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1460038526.265:69): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffe4d270f0 a2=6e a3=7fffe4d263e0 items=0 ppid=4857 pid=4858 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="check_mysql" exe="/usr/lib64/nagios/plugins/check_mysql" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)

I ran:

sealert -a audit.log > sealert.log

The resulting sealert.log contained the explanation of the issue:

SELinux is preventing /usr/lib64/nagios/plugins/check_mysql from read access on the lnk_file mysql.

and also suggestions for fixing it. As suggested there, I ran the following:

grep check_mysql audit.log | audit2allow -M mypol

This produced two files: mypol.pp and mypol.te

Finally I ran the following, which completely solved the issue:

semodule -i mypol.pp
Ciprian Stoica
  • 147
  • 2
  • 10
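The two audit records quoted in the question carry everything needed to understand the denial, and the audit2allow step in this answer turns them into a policy module without showing what that module actually grants. The following script is an added example (not code from the question, this answer, or the Icinga/SELinux projects) that parses the AVC and SYSCALL records, correlates them by audit serial, maps `exit=-13` to errno 13 (EACCES, the "(13)" in the MySQL client error), and renders the `allow` rule in the shape audit2allow emits. The sample log text is constructed from the question's lines, and the list of generic target types used for the scope check is a constructed, non-exhaustive example list.

```python
"""Triage SELinux AVC denials before reaching for audit2allow: parse the
records, join the AVC to its SYSCALL, and show exactly what a generated
module would allow."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two records quoted in the question.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1460038526.265:69): avc:  denied  { read } for  pid=4858 comm="check_mysql" name="mysql" dev=dm-0 ino=130900 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1460038526.265:69): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffe4d270f0 a2=6e a3=7fffe4d263e0 items=0 ppid=4857 pid=4858 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="check_mysql" exe="/usr/lib64/nagios/plugins/check_mysql" subj=system_u:system_r:nagios_services_plugin_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")  # (timestamp:serial) inside msg=
PERMS_RE = re.compile(r"\{ ([^}]*) \}")           # the { read write ... } permission set

# Generic types shared by many unrelated objects; a rule against one of these
# grants far more than the single path that triggered the denial.
# Constructed, non-exhaustive list for this example.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "default_t"}


@dataclass
class AvcDenial:
    serial: str
    perms: Tuple[str, ...]
    comm: str
    name: str            # object name from the AVC record ("mysql" = the symlink)
    source_type: str     # type field of scontext (the process domain)
    target_type: str     # type field of tcontext (the object label)
    tclass: str
    exe: Optional[str] = None    # from the SYSCALL record with the same serial
    errno: Optional[int] = None  # exit=-13 -> 13 (EACCES)


def _fields(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _serial(fields: Dict[str, str]) -> str:
    m = SERIAL_RE.search(fields.get("msg", ""))
    return m.group(1) if m else ""


def parse_audit(text: str) -> List[AvcDenial]:
    """Return one AvcDenial per denied AVC record, enriched from its SYSCALL."""
    syscalls: Dict[str, Dict[str, str]] = {}
    avcs: List[Dict[str, str]] = []
    for line in text.splitlines():
        f = _fields(line)
        if f.get("type") == "SYSCALL":
            syscalls[_serial(f)] = f
        elif f.get("type") == "AVC" and " denied " in line:
            f["_perms"] = PERMS_RE.search(line).group(1)
            avcs.append(f)

    denials = []
    for f in avcs:
        d = AvcDenial(
            serial=_serial(f),
            perms=tuple(f["_perms"].split()),
            comm=f.get("comm", ""),
            name=f.get("name", ""),
            source_type=f["scontext"].split(":")[2],
            target_type=f["tcontext"].split(":")[2],
            tclass=f["tclass"],
        )
        sc = syscalls.get(d.serial)
        if sc is not None:
            d.exe = sc.get("exe")
            try:
                d.errno = -int(sc["exit"])  # kernel reports -errno on failure
            except (KeyError, ValueError):
                d.errno = None
        denials.append(d)
    return denials


def te_rule(d: AvcDenial) -> str:
    """The allow rule audit2allow would derive from one denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def te_module(name: str, denials: List[AvcDenial]) -> str:
    """A complete .te file in the layout audit2allow -M produces."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes: Dict[str, set] = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls, perms in sorted(classes.items()):
        ps = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        lines.append(f"\tclass {cls} {ps};")
    lines += ["}", ""] + [te_rule(d) for d in denials]
    return "\n".join(lines) + "\n"


def rule_is_broad(d: AvcDenial) -> bool:
    """True when the rule would apply to every object of a generic type."""
    return d.target_type in GENERIC_TARGET_TYPES


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT_LOG):
        print(f"{d.exe or d.comm} denied {' '.join(d.perms)} on {d.tclass} "
              f"'{d.name}' (errno {d.errno}); rule: {te_rule(d)}")
        if rule_is_broad(d):
            print(f"  note: grants {d.source_type} access to ALL {d.target_type} "
                  f"objects of class {d.tclass}, not only '{d.name}'")
    print(te_module("mypol", parse_audit(SAMPLE_AUDIT_LOG)))
```

The scope note is the point of running this before `semodule -i`: the rule audit2allow derives is type-to-type, so `allow nagios_services_plugin_t var_lib_t:lnk_file read;` lets the plugin domain read every `var_lib_t` symlink on the host, not just `/var/lib/mysql`. Knowing that lets you decide whether the generated module is acceptable or whether the symlink should be relabelled instead.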
0

Your problem is that the socket usually resides inside /var/lib/mysql with the data files.

Since you are using a different database dir, SELinux is blocking the request, regardless of the symlink.

You can try to access MySQL via a TCP connection (use 127.0.0.1 and not localhost).

But this might still cause SELinux problems with the MySQL daemon itself.

lazyfrosch
  • 790
  • 4
  • 10