NRPE and SELinux

Ever had an "Unable to read output" error when executing an Icinga/Nagios remote check via NRPE? I'm pretty sure you have, since everyone working with NRPE runs into this error sooner or later. Most causes are trivial (e.g. wrong file permissions), and I don't want to repeat the few thousand posts that already cover those here.

However, in one very particular case I had today, I had already eliminated all the usual suspects and still could not execute the check from my Icinga host. The failing check was a Perl file that is rolled out automatically by Puppet along with some other check plugins. On some hosts it worked, on others it did not, and I could not figure out the actual cause because everything was identical on all hosts. Apart from the "Unable to read output" message there was no additional information anywhere, not even with NRPE debugging turned on.

More or less accidentally I had a look at the SELinux configuration on that box:

[root@somehost plugins]# getenforce 
[root@somehost plugins]# 

Then I checked another box where the check executed successfully, and there SELinux was set to permissive. So the cause was obviously found. For testing purposes I set SELinux on the failing host to permissive with this command:

[root@somehost plugins]# setenforce 0
[root@somehost plugins]# getenforce 
[root@somehost plugins]#

I executed the check and it worked as expected. No more error message!

Of course I did not want to leave SELinux in permissive mode on that box, so I investigated further. First, I checked the SELinux context of the failing file:

[root@somehost plugins]# ls -Z
-rwxr-xr-x. root root system_u:object_r:bin_t:s0
[root@somehost plugins]# 

Then I checked the context of a file that was installed by NRPE's RPM:

[root@somehost plugins]# ls -Z check_swap 
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_swap
[root@somehost plugins]# 

Obviously the SELinux type was different. So I changed the context of the failing plugin to match the one shown above for check_swap:

[root@somehost plugins]# chcon system_u:object_r:nagios_system_plugin_exec_t:s0

Of course I had already switched SELinux on that machine back to enforcing mode by then. I checked again and the plugin still worked. So the final solution was found!
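As an added example (not from the original post), the diagnosis above as a small audit script: it reads `ls -Z` output for the plugins directory, reports every file whose type is not the one NRPE's own plugins carry, and prints a persistent fix. The plugin directory path and the sample listing are assumptions; the expected type is the one found on check_swap.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the SELinux type of
# every file in an NRPE plugins directory and print the persistent fix for the
# mislabeled ones. The expected type is the one the post found on check_swap.
EXPECTED_TYPE="nagios_system_plugin_exec_t"
PLUGIN_DIR="/usr/lib64/nagios/plugins"   # assumed path, taken from the post

# audit_labels WANTED_TYPE  (reads "ls -Z" output on stdin)
# Handles both the old "perms user group context name" layout shown in the
# post and the newer "context name" layout; prints "<name> <actual type>" for
# each file whose type is not WANTED_TYPE.
audit_labels() {
    awk -v want="$1" 'NF >= 2 && $(NF-1) ~ /:/ {
        split($(NF-1), ctx, ":")          # user:role:type:range
        if (ctx[3] != want) print $NF, ctx[3]
    }'
}

# fix_commands DIR WANTED_TYPE  (reads audit_labels output on stdin)
# Emits an fcontext rule plus restorecon instead of a bare chcon, because a
# chcon label does not survive a full filesystem relabel.
fix_commands() {
    dir="$1"; want="$2"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$want" "$dir"
    while read -r name rest; do
        printf 'restorecon -v %s/%s\n' "$dir" "$name"
    done
}

# Constructed sample "ls -Z" output: two RPM plugins and one Puppet-deployed
# Perl check that ended up as bin_t, as in the post.
SAMPLE_LS_Z='-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_swap
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_load
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 check_custom.pl'

# run_sample: audit the constructed listing (returns "check_custom.pl bin_t")
run_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | audit_labels "$EXPECTED_TYPE"
}

# Real use on a host:
#   ls -Z "$PLUGIN_DIR" | audit_labels "$EXPECTED_TYPE" | fix_commands "$PLUGIN_DIR" "$EXPECTED_TYPE"
run_sample
```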

The last step was to get all of this into Puppet. I had never done SELinux configuration in Puppet before, but it turned out to be quite easy: just take the arguments of the chcon command shown above and add the corresponding attributes to the file resource responsible for the check plugin, like this:

  file { "/usr/lib64/nagios/plugins/":
    owner    => "root",
    group    => "root",
    mode     => "0755",
    replace  => true,
    source   => "puppet:///modules/icinga/",
    require  => Package["nagios-plugins-nrpe"],
    # SELinux context, matching the label NRPE's own plugins carry
    seluser  => "system_u",
    selrole  => "object_r",
    seltype  => "nagios_system_plugin_exec_t",
    selrange => "s0",
  }

After committing this change I just had to sit back and wait until all the red Icinga lights went out. A great result, but hard to track down.
