Bug 1568338
| Summary: | False alerts wrt chrony since RHEL 7.5 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Troels Arvin <troels> |
| Component: | check-mk | Assignee: | Andrea Veri <andrea.veri> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel7 | CC: | andreas.luik, andrea.veri, troels |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | check-mk-1.4.0p31-1.fc28 check-mk-1.4.0p31-1.fc27 check-mk-1.4.0p31-1.fc26 check-mk-1.4.0p31-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-05-24 13:55:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Forgot to add this: $ ls -laZR /var/lib/check_mk_agent/cache /var/lib/check_mk_agent/cache: drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 . drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. -rw-r--r--. root root system_u:object_r:var_lib_t:s0 chrony.cache There's now a fix: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=4e56d264c8d85278c37a3bbb6bc334475141b13e I propose that the fix be backported to the Check_MK package in EPEL. check-mk-1.4.0p31-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-06ca80b0c7 check-mk-1.4.0p31-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-8f18c45fef check-mk-1.4.0p31-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-854aeb39fd check-mk-1.4.0p31-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-547c7a0901 check-mk-1.4.0p31-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-854aeb39fd check-mk-1.4.0p31-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-8f18c45fef check-mk-1.4.0p31-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-06ca80b0c7 check-mk-1.4.0p31-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-547c7a0901 check-mk-1.4.0p31-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. check-mk-1.4.0p31-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. check-mk-1.4.0p31-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. check-mk-1.4.0p31-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: After updating a server from RHEL 7.4 to 7.5, we have started getting false alerts about the updated server with regards to chrony: "CRIT - No status information, chronyd probably not running" Meanwhile on the server being watched, we are seeing the following in /var/log/audit/audit.log: type=AVC msg=audit(1523955824.415:4670): avc: denied { write } for pid=22588 comm="chronyc" path="/var/lib/check_mk_agent/cache/chrony.cache.new" dev="dm-0" ino=205697392 scontext=system_u:system_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1523955824.415:4670): arch=c000003e syscall=59 success=yes exit=0 a0=7ffce4acc5c8 a1=7ffce4acc878 a2=7ffce4acc898 a3=7f6a0c05e170 items=0 ppid=22587 pid=22588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyc" exe="/usr/bin/chronyc" subj=system_u:system_r:chronyc_t:s0-s0:c0.c1023 key=(null) And in /var/log/messages: setroubleshoot: SELinux is preventing /usr/bin/chronyc from write access on the file /var/lib/check_mk_agent/cache/chrony.cache.new. For complete SELinux messages run: sealert -l 65a1fbb7-c58b-461b-b0e3-74b18e53a659 Section of resulting port 6556 output: ========================================== <<<md>>> Personalities : unused devices: <none> <<<vbox_guest>>> <<<chrony:cached(1523955824,30)>>> <<<postfix_mailq>>> QUEUE_deferred 0 0 QUEUE_active 0 0 <<<postfix_mailq_status:sep(58)>>> postfix:the Postfix mail system is running:PID:1264 <<<job>>> <<<local>>> ========================================== It seems the latest RHEL is a bit stricter with regards to chrony and SELinux and that this exposes an issue with the way the Check_MK agent handles cache files, at least with regards to chrony? If I'm right about this, then something needs to be changed in the Check_MK agent code. (But it could also be a result of a regression in RHEL 7.5's SELinux.) The issue has also been reported to Check_MK Support.