OS upgrade from RHEL 7.5 to 7.6 prevents Nagios nrpe checks from running

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7.6
  • nagios or nrpe
  • selinux-policy-targeted-3.13.1-229.el7_6.5.noarch
  • sudo-1.8.23-3.el7.x86_64

Issue

  • nrpe checks in Nagios using sudo stopped working after update to RHEL 7.6
  • nrpe plugin cannot execute commands via sudo anymore

Resolution

Bug 1653309 is tracking the fix release for RHEL 7.7.
Bug 1692893 is tracking the fix release for the RHEL 7.6.Z stream.

As a workaround, a local SELinux policy can be created:

  # cat > nagios-sudo.cil << EOF
(allow systemd_logind_t nrpe_t (dbus (send_msg)))
(allow nrpe_t systemd_logind_t (dbus (send_msg)))
(allow nrpe_t systemd_logind_t (process (getattr)))
(allow systemd_logind_t nagios_unconfined_plugin_t (dbus (send_msg)))
EOF

  # semodule -i nagios-sudo.cil

The rules needed for this temporary workaround depend on the current system setup and on the modules in use.
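Because the rule list differs per host, the following added example (not part of the original article or Red Hat's own tooling) derives the CIL rules from a host's denial records and keeps only those involving nrpe/nagios domains. The function names and the sample audit records are constructed for illustration.

```shell
# Added example, not from the original article: derive CIL allow rules for
# nrpe/nagios domains from SELinux denial records read on stdin.

# Constructed sample records, not taken from a real host. D-Bus denials are
# logged by dbus-daemon as USER_AVC; kernel denials are logged as AVC.
sample_denials() {
  cat <<'EOF'
type=USER_AVC msg=audit(1543500000.101:501): pid=700 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.9 spid=690 tpid=901 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1543500000.102:502): pid=700 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call dest=:1.2 spid=901 tpid=690 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1543500000.103:503): avc:  denied  { getattr } for  pid=901 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=0
type=USER_AVC msg=audit(1543500060.101:511): pid=700 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=690 tpid=955 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1543500061.001:512): avc:  denied  { read } for  pid=42 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# denials_to_cil (hypothetical helper): one rule per source/target/class,
# permissions merged, duplicates dropped, unrelated domains ignored.
denials_to_cil() {
  awk '
    /^type=(AVC|USER_AVC) / && /denied/ {
      perms = s = t = c = ""
      if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8); gsub(/[^a-z0-9_]/, "", c) }
      }
      if (perms == "" || s == "" || t == "" || c == "") next
      # Keep only denials that involve an nrpe/nagios domain.
      if (s !~ /^(nrpe|nagios)_/ && t !~ /^(nrpe|nagios)_/) next
      key = s " " t " " c
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++) {
        if ((key, p[j]) in have) continue
        have[key, p[j]] = 1
        list[key] = (list[key] == "" ? "" : list[key] " ") p[j]
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        split(order[k], f, " ")
        printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], list[order[k]]
      }
    }
  '
}

sample_denials | denials_to_cil
```

On a real host the input can come from `ausearch --raw -m AVC,USER_AVC -ts recent | denials_to_cil`; querying only `AVC` misses the D-Bus `send_msg` denials. Review the generated rules before saving them to the `.cil` file loaded with `semodule -i`.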

Root Cause

The regression results from the sudo rebase in RHEL 7.6; see the Bugzilla entry "sudo skips PAM account module in case NOPASSWD is used in sudoers" for more details. The denial is triggered when the Nagios plugin uses sudo with the NOPASSWD option.


1 Comments

Really annoying bug indeed. Even setting the (new) seboolean to nagios_run_sudo does not fix it. I can confirm it is only when using NOPASSWD in sudo config.