Channel: CentOS Bug Tracker - Issues

0007148: SELinux silent denials of Nagios NRPE check_nagios

I'm experiencing this bug: https://bugzilla.redhat.com/show_bug.cgi?id=768055

With nagios configured, I run the check_nagios plugin via nrpe.

The command

/usr/lib64/nagios/plugins/check_nagios -e 5 -F /var/log/nagios/status.dat -C /usr/sbin/nagios

works when run as root locally, but it doesn't when it's run remotely via nrpe, with the message

NAGIOS CRITICAL: Cannot open status log for reading!

If I disable selinux, it works, but nothing shows up in audit.log.

After running

semodule -DB

I start to see messages like

type=AVC msg=audit(1401996011.223:631): avc: denied { read write } for pid=26037 comm="check_nagios" path="socket:[94529]" dev=sockfs ino=94529 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=AVC msg=audit(1401996011.223:631): avc: denied { rlimitinh } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process
type=AVC msg=audit(1401996011.223:631): avc: denied { siginh } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process
type=AVC msg=audit(1401996011.223:631): avc: denied { noatsecure } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process

And finally, the problem can be worked around with

chcon -t nagios_unconfined_plugin_exec_t check_nagios

The selinux policy is

# rpm -q selinux-policy
selinux-policy-3.7.19-231.el6_5.3.noarch
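Added example, not part of the original report: a small Python parser that groups AVC records such as the ones quoted above by source type, target type and object class, which makes the extra output exposed by semodule -DB easier to triage. The function names and the TRANSITION_PERMS grouping are assumptions of this example; the sample input is the four records from the report.

```python
import re
from collections import defaultdict

# Sample input embedded for offline use: the four AVC records quoted in the report.
SAMPLE = """\
type=AVC msg=audit(1401996011.223:631): avc: denied { read write } for pid=26037 comm="check_nagios" path="socket:[94529]" dev=sockfs ino=94529 scontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=AVC msg=audit(1401996011.223:631): avc: denied { rlimitinh } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process
type=AVC msg=audit(1401996011.223:631): avc: denied { siginh } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process
type=AVC msg=audit(1401996011.223:631): avc: denied { noatsecure } for pid=26037 comm="check_nagios" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_system_plugin_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: process-class permissions that are checked when
# one domain executes a program that runs in another domain.
TRANSITION_PERMS = {"noatsecure", "rlimitinh", "siginh"}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context; expected user:role:type[:level]
    fields["perms"] = m.group("perms").split()
    fields["stype"], fields["ttype"] = src[2], tgt[2]
    return fields

def summarize(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)

def transition_only(groups):
    """Keys whose denials consist solely of TRANSITION_PERMS on class process."""
    return {k for k, p in groups.items() if k[2] == "process" and p <= TRANSITION_PERMS}

if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE).items()):
        print(" -> ".join(key[:2]), key[2], sorted(perms))
```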
