OS upgrade from RHEL 7.5 to 7.6 prevents Nagios nrpe checks from running
Environment
- Red Hat Enterprise Linux (RHEL) 7.6
- nagios or nrpe
- selinux-policy-targeted-3.13.1-229.el7_6.5.noarch
- sudo-1.8.23-3.el7.x86_64
Issue
- nrpe checks in Nagios using sudo stopped working after the update to RHEL 7.6
- The nrpe plugin cannot execute commands via sudo anymore
Resolution
Bug 1653309 is tracking the fix release for RHEL 7.7
Bug 1692893 is tracking the fix release for RHEL 7.6.Z Stream.
As a workaround, a local SELinux policy can be created:
# cat > nagios-sudo.cil << EOF
(allow systemd_logind_t nrpe_t (dbus (send_msg)))
(allow nrpe_t systemd_logind_t (dbus (send_msg)))
(allow nrpe_t systemd_logind_t (process (getattr)))
(allow systemd_logind_t nagios_unconfined_plugin_t (dbus (send_msg)))
EOF
# semodule -i nagios-sudo.cil
The list of rules needed to work around the issue temporarily depends on the current system setup and on the modules in use.
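Because the rule list differs per system, it can be derived from the denials that system actually logged. The following shell function is an added example, not part of the original article or of Red Hat's tooling: it turns AVC and USER_AVC records into candidate CIL allow rules for the nrpe-related domains. The names denials_to_cil and sample_log are hypothetical, and the audit records are constructed samples.

```shell
#!/bin/sh
# Added example, not Red Hat's code. denials_to_cil and sample_log are
# hypothetical helpers; the audit records below are constructed samples.

denials_to_cil() {
    # $1: ERE matched against the source or target type of each denial
    # stdin: audit records, e.g. from `ausearch -m avc,user_avc -ts recent`
    awk -v want="$1" '
    / denied / {
        src = tgt = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Skip records that are incomplete or do not involve the wanted types.
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        if (src !~ want && tgt !~ want) next
        printf "(allow %s %s (%s (%s)))\n", src, tgt, cls, perms
    }' | LC_ALL=C sort -u    # identical denials collapse into one rule
}

sample_log() {
    cat <<'EOF'
type=USER_AVC msg=audit(1550000001.101:501): pid=700 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.login1 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1550000061.207:519): pid=700 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.login1 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1550000001.133:502): pid=700 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.42 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1550000001.150:503): avc:  denied  { getattr } for  pid=2301 comm="sudo" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=0
type=AVC msg=audit(1550000002.010:504): avc:  denied  { write } for  pid=1800 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Only denials whose source or target is an nrpe/nagios plugin domain are kept.
sample_log | denials_to_cil '^(nrpe_t|nagios_unconfined_plugin_t)$'
```

On a real system, pipe the output of ausearch -m avc,user_avc -ts recent into the function instead of sample_log, and review every generated rule before loading it with semodule -i, since each rule widens what the confined domain may do.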
Root Cause
The regression is a result of the sudo rebase in RHEL 7.6; see the bugzilla "sudo skips PAM account module in case NOPASSWD is used in sudoers" for more details. The denial is triggered when the nagios plugin uses sudo with the NOPASSWD option.