SELinux prevents Nagios plugins from running on RHEL6

Solution 1:

This should be fixed by this errata: http://rhn.redhat.com/errata/RHBA-2012-0780.html

Solution 2:

Well, first decide if you want SELinux. All EL-based ones have it installed and enabled by default, but pretty much no other distro does. It gives you a bit of security, but more than a bit of headaches, so you have to weigh one way or the other whether you want it. If you don't, you can disable it in /etc/selinux/config. The comments in the file will tell you exactly what to do.

If you want, you can also try to lower it. If it's currently set to enforcing you can switch it to permissive and see if it lets you run NRPE. Also you may be able to find some more walkthroughs on setting up NRPE using SELinux. Honestly I always find it to be too much of an annoyance to be worth the security. HTH

Edit: You can find a bunch of the selinux bools for nagios here: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Solution 3:

If the nrpe_disable_trans boolean is not an option:

  1. You can follow these instructions to create your own policy to allow NRPE. Basically, this would involve running SELinux in permissive mode long enough for your Nagios server to execute all of the scheduled NRPE checks. Then, you can pipe them from the audit.log file to audit2allow. This will build the required policies for your review and inclusion.

  2. Thomas Bleher's nrpe.te file might also serve as a useful starting point or reference for building your own policy.
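The permissive-then-audit2allow workflow described in the answer above, as an added example that is not part of any answer on this page: the audit.log lines are constructed, and the module name nrpe_local is an assumption.

```bash
#!/bin/bash
# Added example, not from any answer on this page. Summarises AVC denials the
# way Solution 3 describes, then shows the audit2allow steps. Needs the
# policycoreutils-python package (audit2allow) and root for the apply step.

# Constructed audit.log lines in RHEL6 format (not captured from a real host).
SAMPLE_AVC='type=AVC msg=audit(1340000000.123:4567): avc:  denied  { execute } for  pid=1234 comm="nrpe" path="/usr/bin/sudo" dev=dm-0 ino=12345 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1340000000.456:4568): avc:  denied  { write } for  pid=1235 comm="check_disk" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# Reduce AVC records on stdin to one "source_type tclass target_type perms"
# line each, so you can read what audit2allow is about to permit before
# loading anything. Works whether or not the MCS level (":s0") is present.
summarize_avc() {
    sed -n 's/.*avc:  denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \4 \3 \1/p' \
        | sort -u
}

# The workflow from Solution 3. Module name nrpe_local is an assumption.
build_nrpe_policy() {
    setenforce 0                        # permissive: log denials, do not block
    echo "Wait for a full Nagios check cycle, then press Enter"; read -r dummy
    setenforce 1                        # back to enforcing before loading anything
    grep 'scontext=[^ ]*:nrpe_t' /var/log/audit/audit.log | summarize_avc
    grep 'scontext=[^ ]*:nrpe_t' /var/log/audit/audit.log \
        | audit2allow -M nrpe_local     # writes nrpe_local.te and nrpe_local.pp
    echo "Review nrpe_local.te; only then run: semodule -i nrpe_local.pp"
}

# Dry run on the constructed sample; pass --apply to run the real steps as root.
if [ "${1:-}" = "--apply" ]; then
    build_nrpe_policy
else
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
fi
```

The dry run prints `nrpe_t file sudo_exec_t execute` and `nrpe_t dir tmp_t write`, the two denials a reviewer would expect from the sample.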

Solution 4:

I noticed that the AVC message contains path="/usr/bin/sudo". This means that NRPE is b0rking when trying to use sudo to invoke a plugin.

The first (but by NO means last!) thing you'll have to do to allow this:

sudo setsebool -P nagios_run_sudo on

(-P writes the change to the policy file on disk. So it will be persistent across reboots.)

Now your plugin will run as root. But it most likely can't do anything complicated (e.g. run programs that have a domain other than bin_t), because your plugin is still running in the nrpe_t domain. This domain very deliberately has restrictive permissions; it can't even write to files in /tmp.