Bug 1749156 - SELinux file label prevents access include_dir
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nrpe
Version: epel7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Jan ONDREJ
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-05 04:01 UTC by Nigel
Modified: 2021-02-18 07:19 UTC (History)

Last Closed: 2021-02-18 07:19:55 UTC
Type: Bug


Description Nigel 2019-09-05 04:01:21 UTC
Description of problem:
When setting the SELinux file label to 'nrpe_etc_t' and 'nagios_etc_t', the nrpe daemon starts up and advises it cannot access the /etc/nagios/nrpe.d directory as configured in the /etc/nagios/nrpe.cfg.

```
2019-09-04T07:49:29.142982+10:00 enk-nifi-03 nrpe[12711]: Could not open config directory '/etc/nagios/nrpe.d' for reading.
2019-09-04T07:49:29.143497+10:00 enk-nifi-03 nrpe[12711]: Continuing with errors...
2019-09-04T07:49:29.147873+10:00 enk-nifi-03 nrpe[12711]: Starting up daemon
2019-09-04T07:49:29.150269+10:00 enk-nifi-03 nrpe[12711]: Server listening on 0.0.0.0 port 5666.
2019-09-04T07:49:29.150983+10:00 enk-nifi-03 nrpe[12711]: Warning: Daemon is configured to accept command arguments from clients!
2019-09-04T07:49:29.151522+10:00 enk-nifi-03 nrpe[12711]: Listening for connections on port 5666
2019-09-04T07:49:29.152076+10:00 enk-nifi-03 nrpe[12711]: Allowing connections from: xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx
```

Version-Release number of selected component (if applicable):
```
Name        : nrpe
Version     : 3.2.1
Release     : 8.el7
Architecture: x86_64
Install Date: Thu 08 Nov 2018 11:03:36 AEST
Group       : Applications/System
Size        : 364786
License     : GPLv2
Signature   : RSA/SHA256, Wed 17 Oct 2018 02:05:05 AEST, Key ID 6a2faea2352c64e5
Source RPM  : nrpe-3.2.1-8.el7.src.rpm
Build Date  : Wed 17 Oct 2018 01:52:50 AEST
Build Host  : buildvm-06.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.nagios.org
Bug URL     : https://bugz.fedoraproject.org/nrpe
Summary     : Host/service/network monitoring agent for Nagios
Description :
Nrpe is a system daemon that will execute various Nagios plugins
locally on behalf of a remote (monitoring) host that uses the
check_nrpe plugin.  Various plugins that can be executed by the
daemon are available at:
http://sourceforge.net/projects/nagiosplug
```

How reproducible:

Steps to Reproduce:
1. Define a new check in nagios
2. Copy the check configuration file /etc/nagios/nrpe.d/new_check.cfg 
3. Update the /etc/nagios/nrpe.cfg to use the include_dir=/etc/nagios/nrpe.d
4. Restart the NRPE Agent
5. Run the check from nagios

Actual results:
/usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_query
NRPE: Command 'check_nifi_cluster_query' not defined

nrpe.d agent: Could not open config directory '/etc/nagios/nrpe.d' for reading.

Expected results:

[nagios@nagios01-prod 13:57:17] ~
$ /usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_query
OK: node nifi-03.local is connected to cluster

Additional info:
Disabling SELinux allows the check to function.
Changing the SELinux file label context to 'etc_t' allows the configuration to be read.

It would seem to me that nagios_etc_t or nrpe_etc_t labels are too restrictive in RHEL7 for nagios nrpe client.

Ticket raised with nagios: https://github.com/NagiosEnterprises/nrpe/issues/214
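
The denial behind "Could not open config directory" can be read from the audit log instead of inferred by turning SELinux off. The following is an added example (not part of the original report or of NRPE) that condenses raw AVC records into unique source-type/target-type pairs; the sample records are constructed, and `nrpe_t` as the daemon's domain is an assumption.

```shell
#!/bin/sh
# avc_summary: condense raw audit records on stdin into one line per unique
# denial: comm source_type -> target_type class {perms}
# On a live host: ausearch -m AVC -c nrpe --raw | avc_summary
avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; comm = ""; src = ""; tgt = ""; cls = ""
        # Requested permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type:level; field 3 is the type.
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        key = comm " " src " -> " tgt " " cls " {" perms "}"
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample records, not taken from the bug report. nrpe_t as the
# daemon domain and the inode/audit ids are assumptions for illustration.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1567547369.142:512): avc:  denied  { read } for  pid=12711 comm="nrpe" name="nrpe.d" dev="dm-0" ino=4242 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1567547369.142:512): arch=c000003e syscall=257 success=no exit=-13 comm="nrpe" exe="/usr/sbin/nrpe"
type=AVC msg=audit(1567551000.010:640): avc:  denied  { read } for  pid=13020 comm="nrpe" name="nrpe.d" dev="dm-0" ino=4242 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1567551000.020:641): avc:  denied  { read open } for  pid=13020 comm="nrpe" name="commands.cfg" dev="dm-0" ino=4243 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nagios_etc_t:s0 tclass=file permissive=0
EOF
}

sample_audit | avc_summary
```

Once the summary names the target type, `matchpathcon -V /etc/nagios/nrpe.d` shows whether the on-disk label differs from the policy default for that path.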

Comment 1 Michal Minar 2019-11-20 11:08:52 UTC
nrpe_etc_t seems to be the appropriate context

Executing the following on the monitored hosts fixed the problem for me:

    # ansible -i hosts kvm  -m shell -a "semanage fcontext -a -t nrpe_etc_t '/etc/nrpe\\.d(/.*)' && restorecon -vR /etc/nrpe.d && systemctl restart nrpe"
    lu0536.wdf.sap.corp | CHANGED | rc=0 >>
    restorecon reset /etc/nrpe.d/lcgdm-common.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-lfc.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-headnode.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-disk.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/commands.cfg context system_u:object_r:nagios_etc_t:s0->system_u:object_r:nrpe_etc_t:s0

Comment 2 Fedora Admin XMLRPC Client 2020-02-25 16:35:09 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 3 Fedora Update System 2020-02-27 03:30:07 UTC
FEDORA-2020-bb9180bf52 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52

Comment 4 Fedora Update System 2020-02-27 03:32:11 UTC
FEDORA-2020-dee27d9c9c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c

Comment 5 Fedora Update System 2020-02-27 18:37:54 UTC
nagios-4.4.5-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c

Comment 6 Fedora Update System 2020-02-28 01:27:13 UTC
nagios-4.4.5-5.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52

Comment 7 Fedora Update System 2020-02-29 04:19:00 UTC
FEDORA-EPEL-2020-dbdd968fc0 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-dbdd968fc0

Comment 8 Fedora Admin user for bugzilla script actions 2021-02-17 12:05:47 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 9 Jan ONDREJ 2021-02-18 07:19:55 UTC
This bug has been open a long time and was reported against NRPE3. Currently we have NRPE4 in Fedora/EPEL. Not sure if this is still present. Closing, but feel free to reopen if it's still present.
