Description of problem: When setting the SELinux file label to 'nrpe_etc_t' and 'nagios_etc_t' the nrpe deamon starts up and advises it cannot access the /etc/nagios/nrpe.d directory as configured in the /etc/nagios/nrpe.cfg ``` 019-09-04T07:49:29.142982+10:00 enk-nifi-03 nrpe[12711]: Could not open config directory '/etc/nagios/nrpe.d' for reading. 2019-09-04T07:49:29.143497+10:00 enk-nifi-03 nrpe[12711]: Continuing with errors... 2019-09-04T07:49:29.147873+10:00 enk-nifi-03 nrpe[12711]: Starting up daemon 2019-09-04T07:49:29.150269+10:00 enk-nifi-03 nrpe[12711]: Server listening on 0.0.0.0 port 5666. 2019-09-04T07:49:29.150983+10:00 enk-nifi-03 nrpe[12711]: Warning: Daemon is configured to accept command arguments from clients! 2019-09-04T07:49:29.151522+10:00 enk-nifi-03 nrpe[12711]: Listening for connections on port 5666 2019-09-04T07:49:29.152076+10:00 enk-nifi-03 nrpe[12711]: Allowing connections from: xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx```` Version-Release number of selected component (if applicable): ```Name : nrpe Version : 3.2.1 Release : 8.el7 Architecture: x86_64 Install Date: Thu 08 Nov 2018 11:03:36 AEST Group : Applications/System Size : 364786 License : GPLv2 Signature : RSA/SHA256, Wed 17 Oct 2018 02:05:05 AEST, Key ID 6a2faea2352c64e5 Source RPM : nrpe-3.2.1-8.el7.src.rpm Build Date : Wed 17 Oct 2018 01:52:50 AEST Build Host : buildvm-06.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.nagios.org Bug URL : https://bugz.fedoraproject.org/nrpe Summary : Host/service/network monitoring agent for Nagios Description : Nrpe is a system daemon that will execute various Nagios plugins locally on behalf of a remote (monitoring) host that uses the check_nrpe plugin. Various plugins that can be executed by the daemon are available at: http://sourceforge.net/projects/nagiosplug``` How reproducible: Steps to Reproduce: 1. Define a new check in nagios 2. Copy the check configuration file /etc/nagios/nrpe.d/new_check.cfg 3. Update the /etc/nagios/nrpe.cfg to use the include_dir=/etc/nagios/nrpe.d 4. Restart the NRPE Agent 5. Run the check from nagios Actual results: /usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_q uery NRPE: Command 'check_nifi_cluster_query' not defined nrpe.d agent: Could not open config directory '/etc/nagios/nrpe.d' for reading. Expected results: [nagios@nagios01-prod 13:57:17] ~ $ /usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_query OK: node nifi-03.local is connected to cluster Additional info: Disabling the SElinux allows the check to function Changing the SELinux file label context to 'etc_t' allows the configuration to be read. It would be seem to me that nagios_etc_t or nrpe_etc_t labels are too restrictive in RHEL7 for nagios nrpe client. Ticket raised with nagios: https://github.com/NagiosEnterprises/nrpe/issues/214
nrpe_etc_t seems to be the appropriate context Executing the following on the monitored hosts fixed the problem for me: # ansible -i hosts kvm -m shell -a "semanage fcontext -a -t nrpe_etc_t '/etc/nrpe\\.d(/.*)' && restorecon -vR /etc/nrpe.d && systemctl restart nrpe" lu0536.wdf.sap.corp | CHANGED | rc=0 >> restorecon reset /etc/nrpe.d/lcgdm-common.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0 restorecon reset /etc/nrpe.d/lcgdm-lfc.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0 restorecon reset /etc/nrpe.d/lcgdm-headnode.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0 restorecon reset /etc/nrpe.d/lcgdm-disk.cfg context system_u:object_r:etc_t:s0->system_u:object_r:nrpe_etc_t:s0 restorecon reset /etc/nrpe.d/commands.cfg context system_u:object_r:nagios_etc_t:s0->system_u:object_r:nrpe_etc_t:s0
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
FEDORA-2020-bb9180bf52 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52
FEDORA-2020-dee27d9c9c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c
nagios-4.4.5-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dee27d9c9c
nagios-4.4.5-5.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb9180bf52
FEDORA-EPEL-2020-dbdd968fc0 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-dbdd968fc0
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
This bug is open long time and reported against NRPE3. Currently we have NRPE4 in Fedora/EPEL. Not sure, if this is still present. Closing, but feel free to reopen, if it's still present.