Hello,

After upgrading to RHEL 6.2 I have problems checking some
filesystems. It is always the same three filesystems on all hosts; the others work fine.

/boot
/home
/var/log/audit

$ ./check_nrpe -H backup -c check_fs_boot
DISK CRITICAL - /boot is not accessible: Permission denied

Now I disable SELinux and it works!
$ ./check_nrpe -H backup -c check_fs_boot
DISK OK - free space: /boot 36 MB (39% inode=99%);| /boot=55MB;96;;0;96

However, not a single line is logged on the monitored host, neither
in messages nor in audit.log.

I already had a local policy created for the nrpe daemon when RHEL 6
was introduced, as somehow many checks failed: although the user
nrpe was running as was allowed to perform all checks, the nrpe
daemon itself couldn't. I'll attach the policy, although at one
point I gave up and just set the entire process to permissive mode.
(Note that I already tried to extend rights on the boot filesystem in this
policy, although that would seem to be unnecessary.)

Is anybody experiencing something similar, or does anyone have suggestions on how to
handle nrpe and RHEL 6(.2) in a better way than I do?

Regards,

Dennis
-- 


..............................................................
Riege Software International GmbH  Phone: +49 2159 91480
Mollsfeld 10                       Fax: +49 2159 914811
40670 Meerbusch                    Web: www.riege.com
Germany                            E-Mail: kuhlme...@riege.com
--                                 --
Commercial Register:               Managing Directors:
Amtsgericht Neuss HRB-NR 4207      Christian Riege
VAT Reg No.: DE120585842           Gabriele  Riege
                                   Johannes  Riege
..............................................................
           YOU CARE FOR FREIGHT, WE CARE FOR YOU          



module nrpesudo 1.02;

require {
        type boot_t;
        type home_root_t;
        type http_port_t;
        type initrc_t;
        type kernel_t;
        type locate_var_lib_t;
        type nrpe_t;
        type pam_var_run_t;
        type proc_net_t;
        type rpm_exec_t;
        type rpm_var_cache_t;
        type rpm_var_lib_t;
        type sudo_exec_t;
        type sysctl_fs_t;
        type sysctl_net_t;
        type sysstat_log_t;
        type tmp_t;
        type usr_t;
        type var_lib_t;
        type var_spool_t;
        class capability { audit_write sys_nice };
        class file { append create execute execute_no_trans getattr ioctl lock open read rename setattr unlink write };
        class dir { add_name getattr open read remove_name search write };
        class lnk_file read;
        class netlink_audit_socket { create nlmsg_relay read write };
        class sem { create destroy read write unix_write };
        class sock_file write;
        class system module_request;
        class tcp_socket name_connect;
        class unix_stream_socket connectto;
}

#============= nrpe_t ==============
# evil line: puts the whole nrpe_t domain into permissive mode, so every
# denial below and any not listed here is logged but no longer enforced
permissive nrpe_t;
allow nrpe_t boot_t:dir { add_name read remove_name write };
allow nrpe_t boot_t:file { append create getattr open read unlink write };
allow nrpe_t home_root_t:dir { add_name read remove_name write };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t initrc_t:unix_stream_socket connectto;
allow nrpe_t kernel_t:system module_request;
allow nrpe_t locate_var_lib_t:dir search;
allow nrpe_t locate_var_lib_t:file { getattr open read };
allow nrpe_t pam_var_run_t:dir { getattr search };
allow nrpe_t rpm_exec_t:file { execute execute_no_trans getattr ioctl open read };
allow nrpe_t rpm_var_cache_t:dir { add_name getattr read remove_name search open write };
allow nrpe_t rpm_var_cache_t:file { create open rename setattr unlink };
allow nrpe_t rpm_var_lib_t:dir { getattr open write search };
allow nrpe_t rpm_var_lib_t:file open;
allow nrpe_t tmp_t:dir { add_name read remove_name write };
allow nrpe_t tmp_t:file { append create getattr open read unlink write };
allow nrpe_t proc_net_t:dir { getattr open read search };
allow nrpe_t proc_net_t:file { getattr ioctl open read };
allow nrpe_t self:capability { audit_write sys_nice };
allow nrpe_t self:netlink_audit_socket { create nlmsg_relay read write };
allow nrpe_t sudo_exec_t:file { execute execute_no_trans getattr open read };
allow nrpe_t sysctl_fs_t:dir search;
allow nrpe_t sysctl_fs_t:file read;
allow nrpe_t sysctl_net_t:dir search;
allow nrpe_t sysstat_log_t:file read;
allow nrpe_t sysstat_log_t:lnk_file read;
allow nrpe_t usr_t:file { getattr ioctl open read };
allow nrpe_t usr_t:lnk_file read;
allow nrpe_t var_lib_t:file { getattr lock read write open };
allow nrpe_t var_lib_t:sock_file write;
allow nrpe_t var_spool_t:dir search;
allow nrpe_t self:sem { create destroy read write unix_write };

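Two things worth checking on a host like the one above before adding more rules. A denial that shows up in neither messages nor audit.log is usually covered by a dontaudit rule in the base policy; `semodule -DB` rebuilds the policy with dontaudit rules disabled (and `semodule -B` puts them back), after which `ausearch -m AVC -ts recent` shows the denial. And `permissive nrpe_t;` only relaxes processes that actually run in nrpe_t: if a plugin binary is labelled with its own exec type and transitions into a separate domain on exec (`ls -Z` on the plugin and `ps -eZ` while a check runs show this), that domain is still enforced no matter what the module says. For a temporary permissive domain, `semanage permissive -a nrpe_t` (undone with `-d`) is easier to take back than a `permissive` statement baked into a module you also use for allow rules.

The script below is an added example, not code from the original post or from Nagios: it is a small stand-in for `audit2allow -M` that parses AVC lines of the kind ausearch prints, groups them into `allow` rules in the same shape as the policy above, and flags the rules a free-space check should never need (write-type permissions, and executing a binary without a domain transition, which is what `execute_no_trans` on `sudo_exec_t` means). The denial lines, PIDs, inode numbers and the `check_fs` plugin name are constructed for the example.

```python
"""Turn raw SELinux AVC denials into a reviewable local policy module.

Added example, not code from the original post: a small stand-in for
`audit2allow -M` that parses the AVC lines ausearch prints, groups them
into allow rules and flags the rules a disk-space check should never need.
The denial lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `ausearch -m AVC -c check_disk` output.
# The SYSCALL record and the "----" separator are there to show they are skipped.
SAMPLE_AVC = """\
----
type=SYSCALL msg=audit(1326100123.456:789): arch=c000003e syscall=4 success=no exit=-13 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk" subj=system_u:system_r:nrpe_t:s0
type=AVC msg=audit(1326100123.456:789): avc:  denied  { getattr } for  pid=2345 comm="check_disk" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1326100123.457:790): avc:  denied  { search } for  pid=2345 comm="check_disk" name="boot" dev=sda1 ino=2 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1326100124.001:791): avc:  denied  { write } for  pid=2346 comm="check_disk" name="boot" dev=sda1 ino=2 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1326100125.002:792): avc:  denied  { execute_no_trans } for  pid=2347 comm="check_fs" path="/usr/bin/sudo" dev=sda2 ino=12345 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions a read-only monitoring check has no business holding.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name"}
# Executing a binary without a domain transition keeps it in the caller's
# domain, i.e. the plugin inherits every permission nrpe_t has.
EXEC_PERMS = {"execute", "execute_no_trans"}


def parse_avc(text):
    """Map (source domain, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, anything that is not an AVC denial
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        sdom = fields["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
        rules[(sdom, ttype, fields["tclass"])].update(m.group("perms").split())
    return dict(rules)


def render_module(name, version, rules):
    """Emit a .te module in the same shape as audit2allow and the policy above."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += ["}", ""]
    for (sdom, ttype, cls), perms in sorted(rules.items()):
        target = "self" if ttype == sdom else ttype
        out.append(f"allow {sdom} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


def review(rules):
    """Flag allow rules that widen the domain beyond what a disk check needs."""
    findings = []
    for (sdom, ttype, cls), perms in sorted(rules.items()):
        if perms & WRITE_PERMS:
            findings.append(f"{sdom} {ttype}:{cls}: write access "
                            f"{sorted(perms & WRITE_PERMS)} is not needed to report free space")
        if perms & EXEC_PERMS:
            findings.append(f"{sdom} {ttype}:{cls}: {sorted(perms & EXEC_PERMS)} runs the "
                            f"binary inside {sdom} instead of its own domain")
    return findings


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    print(render_module("nrpe_local", "1.0", denials))
    for finding in review(denials):
        print("REVIEW:", finding)
```

Run it and the `.te` text it prints is what `audit2allow -M nrpe_local` would build from the same denials, minus the `permissive` line; the `REVIEW:` lines are the ones to strike before `checkmodule`/`semodule_package`/`semodule -i`, since an allow rule generated from a denial is only ever as justified as the operation that caused it.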
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting 
any issue. 
::: Messages without supporting info will risk being sent to /dev/null
