Bug 1749156 - SELinux file label prevents access include_dir
Summary: SELinux file label prevents access include_dir
Keywords:
Status: MODIFIED
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nrpe
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Martin Jackson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-05 04:01 UTC by Nigel
Modified: 2020-02-29 04:19 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)

Description Nigel 2019-09-05 04:01:21 UTC
Description of problem:
When setting the SELinux file label to 'nrpe_etc_t' and 'nagios_etc_t' the nrpe deamon starts up and advises it cannot access the /etc/nagios/nrpe.d directory as configured in the /etc/nagios/nrpe.cfg

```
019-09-04T07:49:29.142982+10:00 enk-nifi-03 nrpe[12711]: Could not open config directory '/etc/nagios/nrpe.d' for reading.
2019-09-04T07:49:29.143497+10:00 enk-nifi-03 nrpe[12711]: Continuing with errors...
2019-09-04T07:49:29.147873+10:00 enk-nifi-03 nrpe[12711]: Starting up daemon
2019-09-04T07:49:29.150269+10:00 enk-nifi-03 nrpe[12711]: Server listening on 0.0.0.0 port 5666.
2019-09-04T07:49:29.150983+10:00 enk-nifi-03 nrpe[12711]: Warning: Daemon is configured to accept command arguments from clients!
2019-09-04T07:49:29.151522+10:00 enk-nifi-03 nrpe[12711]: Listening for connections on port 5666
2019-09-04T07:49:29.152076+10:00 enk-nifi-03 nrpe[12711]: Allowing connections from: xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx````

Version-Release number of selected component (if applicable):
```Name        : nrpe
Version     : 3.2.1
Release     : 8.el7
Architecture: x86_64
Install Date: Thu 08 Nov 2018 11:03:36 AEST
Group       : Applications/System
Size        : 364786
License     : GPLv2
Signature   : RSA/SHA256, Wed 17 Oct 2018 02:05:05 AEST, Key ID 6a2faea2352c64e5
Source RPM  : nrpe-3.2.1-8.el7.src.rpm
Build Date  : Wed 17 Oct 2018 01:52:50 AEST
Build Host  : buildvm-06.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.nagios.org
Bug URL     : https://bugz.fedoraproject.org/nrpe
Summary     : Host/service/network monitoring agent for Nagios
Description :
Nrpe is a system daemon that will execute various Nagios plugins
locally on behalf of a remote (monitoring) host that uses the
check_nrpe plugin.  Various plugins that can be executed by the
daemon are available at:
http://sourceforge.net/projects/nagiosplug```

How reproducible:

Steps to Reproduce:
1. Define a new check in nagios
2. Copy the check configuration file /etc/nagios/nrpe.d/new_check.cfg 
3. Update the /etc/nagios/nrpe.cfg to use the include_dir=/etc/nagios/nrpe.d
4. Restart the NRPE Agent
5. Run the check from nagios

Actual results:
/usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_q                                                            uery
NRPE: Command 'check_nifi_cluster_query' not defined

nrpe.d agent: Could not open config directory '/etc/nagios/nrpe.d' for reading.

Expected results:

[nagios@nagios01-prod 13:57:17] ~
$ /usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_query
OK: node nifi-03.local is connected to cluster

Additional info:
Disabling the SElinux allows the check to function
Changing the SELinux file label context to 'etc_t' allows the configuration to be read.

It would be seem to me that nagios_etc_t or nrpe_etc_t labels are too restrictive in RHEL7 for nagios nrpe client.

Ticket raised with nagios: https://github.com/NagiosEnterprises/nrpe/issues/214

Comment 1 Michal Minar 2019-11-20 11:08:52 UTC
nrpe_etc_t seems to be the appropriate context

Executing the following on the monitored hosts fixed the problem for me:

    # ansible -i hosts kvm  -m shell -a "semanage fcontext -a -t nrpe_etc_t '/etc/nrpe\\.d(/.*)' && restorecon -vR /etc/nrpe.d && systemctl restart nrpe"
    lu0536.wdf.sap.corp | CHANGED | rc=0 >>
    restorecon reset /etc/nrpe.d/lcgdm-common.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-lfc.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-headnode.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/lcgdm-disk.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0
    restorecon reset /etc/nrpe.d/commands.cfg context system_u:object_r:nagios_etc_t:s0->system_u:object_r:nrpe_etc_t:s0

Comment 2 Fedora Admin XMLRPC Client 2020-02-25 16:35:09 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 3 Fedora Update System 2020-02-27 03:30:07 UTC
FEDORA-2020-bb9180bf52 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52

Comment 4 Fedora Update System 2020-02-27 03:32:11 UTC
FEDORA-2020-dee27d9c9c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c

Comment 5 Fedora Update System 2020-02-27 18:37:54 UTC
nagios-4.4.5-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c

Comment 6 Fedora Update System 2020-02-28 01:27:13 UTC
nagios-4.4.5-5.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52

Comment 7 Fedora Update System 2020-02-29 04:19:00 UTC
FEDORA-EPEL-2020-dbdd968fc0 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-dbdd968fc0


Note You need to log in before you can comment on or make changes to this bug.