SELinux prevents Nagios plugins from running on RHEL6
Solution 1:
This should be fixed by this errata: http://rhn.redhat.com/errata/RHBA-2012-0780.html
Solution 2:
Well, first decide if you want SELinux. All EL based ones have it installed and enabled by default, but pretty much no other distro does. It gives you a bit of security, but more than a bit of headaches, so you have to weigh one way or the other whether you want it. If you don't, you can disable it in the /etc/selinux/config. The comments in the file will tell you exactly what to do.
If you want you can also try to lower it. If its currently set to enforcing you can switch it to permissive and see if it lets you run NRPE. Also you may be able to find some more walkthroughs on setting up NRPE using SELinux. Honestly I always find it to be too much of an annoyance to be worth the security. HTH
Edit: You can find a bunch of the selinux bools for nagios here: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Solution 3:
If the nrpe_disable_trans
boolean is not an option:
You can follow these instructions to create your own policy to allow NRPE. Basically, this would involve running SELinux in permissive mode long enough for your Nagios server to execute all of the scheduled NRPE checks. Then, you can pipe them from the audit.log file to audit2allow. This will build the required policies for your review and inclusion.
Thomas Bleher's nrpe.te file might also serve as a useful starting point or reference for building your own policy.
Solution 4:
I noticed that the AVC message contains path="/usr/bin/sudo"
. This means that NRPE is b0rking when trying to use sudo
to invoke a plugin.
The first (but by NO means last!) thing you'll have to do to allow this:
sudo setsebool -P nagios_run_sudo on
(-P
writes the change to the policy file on disk. So it will be persistent across reboots.)
Now your plugin will run as root. But it most likely can't do anything complicated (e.g. run programs that have a domain other than bin_t
), because your plugin still running as the nrpe_t
domain. This domain very deliberately has restrictive permissions; it can't even write to files in /tmp.