Description of problem:

After updating a server from RHEL 7.4 to 7.5, we have started getting false alerts about the updated server with regards to chrony:

"CRIT - No status information, chronyd probably not running"

Meanwhile on the server being watched, we are seeing the following in /var/log/audit/audit.log:

type=AVC msg=audit(1523955824.415:4670): avc: denied { write } for pid=22588 comm="chronyc" path="/var/lib/check_mk_agent/cache/chrony.cache.new" dev="dm-0" ino=205697392 scontext=system_u:system_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1523955824.415:4670): arch=c000003e syscall=59 success=yes exit=0 a0=7ffce4acc5c8 a1=7ffce4acc878 a2=7ffce4acc898 a3=7f6a0c05e170 items=0 ppid=22587 pid=22588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyc" exe="/usr/bin/chronyc" subj=system_u:system_r:chronyc_t:s0-s0:c0.c1023 key=(null)

And in /var/log/messages:

setroubleshoot: SELinux is preventing /usr/bin/chronyc from write access on the file /var/lib/check_mk_agent/cache/chrony.cache.new. For complete SELinux messages run: sealert -l 65a1fbb7-c58b-461b-b0e3-74b18e53a659

Section of resulting port 6556 output:

==========================================
<<<md>>>
Personalities :
unused devices: <none>
<<<vbox_guest>>>
<<<chrony:cached(1523955824,30)>>>
<<<postfix_mailq>>>
QUEUE_deferred 0 0
QUEUE_active 0 0
<<<postfix_mailq_status:sep(58)>>>
postfix:the Postfix mail system is running:PID:1264
<<<job>>>
<<<local>>>
==========================================

It seems the latest RHEL is a bit stricter with regards to chrony and SELinux and that this exposes an issue with the way the Check_MK agent handles cache files, at least with regards to chrony? If I'm right about this, then something needs to be changed in the Check_MK agent code. (But it could also be a result of a regression in RHEL 7.5's SELinux.)
The issue has also been reported to Check_MK Support.
Forgot to add this:

$ ls -laZR /var/lib/check_mk_agent/cache
/var/lib/check_mk_agent/cache:
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_lib_t:s0 chrony.cache
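Added example, not part of the original report and not Check_MK or Red Hat code: it parses the two audit records quoted in the description, joins them by event serial, and reports that the chronyc_t domain was denied write on a var_lib_t file during execve (syscall 59 on x86_64), which points to a file descriptor chronyc inherited rather than one it opened itself. The function names are illustrative assumptions.

```python
import re

# Records copied from the report above; both carry event serial 4670.
AUDIT_LOG = '''type=AVC msg=audit(1523955824.415:4670): avc: denied { write } for pid=22588 comm="chronyc" path="/var/lib/check_mk_agent/cache/chrony.cache.new" dev="dm-0" ino=205697392 scontext=system_u:system_r:chronyc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1523955824.415:4670): arch=c000003e syscall=59 success=yes exit=0 a0=7ffce4acc5c8 a1=7ffce4acc878 a2=7ffce4acc898 a3=7f6a0c05e170 items=0 ppid=22587 pid=22588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyc" exe="/usr/bin/chronyc" subj=system_u:system_r:chronyc_t:s0-s0:c0.c1023 key=(null)'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
EXECVE_X86_64 = ("c000003e", "59")  # (arch, syscall number) for execve

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(events):
    """One summary dict per event that contains an AVC denial."""
    out = []
    for serial, recs in events.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        out.append({
            "event": serial, "comm": avc["comm"], "perms": avc["perms"],
            "path": avc.get("path"), "tclass": avc["tclass"],
            "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]),
            "during_execve": (sc.get("arch"), sc.get("syscall")) == EXECVE_X86_64,
        })
    return out
```

The target type it reports, var_lib_t, is the same label the `ls -laZR` listing shows on the agent's cache directory.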
There's now a fix:

http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=4e56d264c8d85278c37a3bbb6bc334475141b13e

I propose that the fix be backported to the Check_MK package in EPEL.
check-mk-1.4.0p31-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-06ca80b0c7
check-mk-1.4.0p31-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-8f18c45fef
check-mk-1.4.0p31-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-854aeb39fd
check-mk-1.4.0p31-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-547c7a0901
check-mk-1.4.0p31-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-854aeb39fd
check-mk-1.4.0p31-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-8f18c45fef
check-mk-1.4.0p31-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-06ca80b0c7
check-mk-1.4.0p31-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-547c7a0901
check-mk-1.4.0p31-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.4.0p31-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.4.0p31-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.4.0p31-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.