I am running check_snmp_environment.pl (and also check_uptime.pl). I don't think the script itself is relevant, just that it's a perl script.
When trying to run a check using the script, a permission denied error is shown and it goes to UNKNOWN state.
I have looked inside the audit.log and this shines some light on the issue:
type=AVC msg=audit(1579099934.669:422377): avc: denied { execute } for pid=25711 comm="icinga2" name="check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1579099934.669:422377): avc: denied { read open } for pid=25711 comm="icinga2" path="/usr/lib64/nagios/plugins/check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1579099934.669:422377): avc: denied { execute_no_trans } for pid=25711 comm="icinga2" path="/usr/lib64/nagios/plugins/check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
When I set SELinux to 'setenforce 0' the issue disappears. When I set it to 'setenforce 1' it reappears. Therefore it is definitely an SELinux issue.
I am running CentOS 8. I have the SELinux packages installed (both icinga2 and icingaweb2).
[root@nms audit]# icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: 2.11.2-1)
Copyright (c) 2012-2020 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl2.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
System information:
Platform: CentOS Linux
Platform version: 8 (Core)
Kernel: Linux
Kernel version: 4.18.0-80.11.2.el8_0.x86_64
Architecture: x86_64
Build information:
Compiler: GNU 8.2.1
Build host: unknown
Application information:
General paths:
Config directory: /etc/icinga2
Data directory: /var/lib/icinga2
Log directory: /var/log/icinga2
Cache directory: /var/cache/icinga2
Spool directory: /var/spool/icinga2
Run directory: /run/icinga2
Old paths (deprecated):
Installation root: /usr
Sysconf directory: /etc
Run directory (base): /run
Local state directory: /var
Internal paths:
Package data directory: /usr/share/icinga2
State path: /var/lib/icinga2/icinga2.state
Modified attributes path: /var/lib/icinga2/modified-attributes.conf
Objects path: /var/cache/icinga2/icinga2.debug
Vars path: /var/cache/icinga2/icinga2.vars
PID path: /run/icinga2/icinga2.pid
[root@nms audit]# icinga2 feature list
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker ido-pgsql mainlog notification
[root@nms audit]# icinga2 daemon -C
[2020-01-15 15:00:40 +0000] information/cli: Icinga application loader (version: 2.11.2-1)
[2020-01-15 15:00:40 +0000] information/cli: Loading configuration file(s).
[2020-01-15 15:00:40 +0000] information/ConfigItem: Committing config item(s).
[2020-01-15 15:00:40 +0000] information/ApiListener: My API identity: nms.nyl.electrologixs.co.uk
[2020-01-15 15:00:40 +0000] warning/ApplyRule: Apply rule 'ntp_peer' (in /etc/icinga2/conf.d/localsite/services.conf: 15:1-15:24) for type 'Service' does not match anywhere!
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 FileLogger.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 2 NotificationCommands.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 NotificationComponent.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 11 Notifications.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 IcingaApplication.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 2 HostGroups.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 2 Hosts.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 Downtime.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 CheckerComponent.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 3 Zones.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 Endpoint.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 2 ApiUsers.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 UserGroup.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 ApiListener.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 239 CheckCommands.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 IdoPgsqlConnection.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 3 TimePeriods.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 1 User.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 20 Services.
[2020-01-15 15:00:40 +0000] information/ConfigItem: Instantiated 3 ServiceGroups.
[2020-01-15 15:00:40 +0000] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2020-01-15 15:00:40 +0000] information/cli: Finished validating the configuration file(s).
[root@nms audit]#
I think you moved the plugin from your home directory because it is labeled unconfined_u:object_r:user_home_t. So it definitely has the wrong context and you have to restore the correct one with restorecon -v /usr/lib64/nagios/plugins/check_snmp_environment.pl
Hi,
Well, it looks like you've got it. I had no idea that this was a thing! If Linux wasn't hard enough, now we've got to set contexts on files when we move them?
Could you point me in the direction of some documentation regarding this? I must have missed it.
Perhaps it sounds like a stupid question, but how are you expected to load custom plugins? I assume you have to copy it from somewhere. I don't remember this being an issue in previous versions of Linux.
Thanks very much for this pointer. I was googling it for hours! I hope this helps some other poor soul out.
Best Regards,
Adam Parker
Rest assured, I did not know that either and would have eaten my keyboard.
I'm wondering about the label; maybe this happens when manually running and testing the plugin inside your home directory? Meaning to say, once it is executed it automatically gets a label assigned.
This is default behaviour for SELinux: when a file is created it gets labeled, and this context is stored in the extended attributes. So when you move it, it keeps the label; when you copy it, a new file is created with the correct label.
As for documentation on this behaviour, I would recommend https://danwalsh.livejournal.com/56534.html and https://danwalsh.livejournal.com/2639.html as a short read; although it is a bit dated, it is still valid.
If you do not want to run with SELinux as an additional security feature, I recommend setting the system to permissive, so you still get everything labeled, logs created and so on, but it does not prevent anything. This will allow switching it on by setting it to enforcing at any time later.
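An added example, not part of this thread and not Icinga's or the SELinux project's own tooling: a small POSIX shell script that parses the AVC lines quoted in the question out of audit.log, extracts the file path and the target type from each denial, and prints the restorecon command for any plugin that still carries user_home_t after being moved out of a home directory. The plugin directories it recognises (/usr/lib64/nagios/plugins and /usr/lib/nagios/plugins) are assumptions; the embedded sample is constructed from the three AVC lines above.

```shell
#!/bin/sh
# Added example (not from the issue thread): parse SELinux AVC denials and
# derive the restorecon call that repairs a mislabelled plugin. The plugin
# directories matched in suggest_restorecon are assumptions for this example.

# Constructed sample input: the three AVC lines quoted in the question.
AVC_SAMPLE='type=AVC msg=audit(1579099934.669:422377): avc: denied { execute } for pid=25711 comm="icinga2" name="check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1579099934.669:422377): avc: denied { read open } for pid=25711 comm="icinga2" path="/usr/lib64/nagios/plugins/check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1579099934.669:422377): avc: denied { execute_no_trans } for pid=25711 comm="icinga2" path="/usr/lib64/nagios/plugins/check_snmp_environment.pl" dev="dm-0" ino=1363713 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes removed),
# or nothing if the key is absent from the line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Read audit lines on stdin; for every file-class AVC denial print one line:
#   path|source_domain|target_type|denied_permissions
# The first sample line carries only name= (no path=), so we fall back to it.
avc_file_denials() {
    while IFS= read -r line; do
        case "$line" in
            *avc:*denied*tclass=file*) ;;
            *) continue ;;
        esac
        path=$(avc_field "$line" path)
        [ -n "$path" ] || path=$(avc_field "$line" name)
        sdom=$(avc_field "$line" scontext | cut -d: -f3)   # e.g. icinga2_t
        ttype=$(avc_field "$line" tcontext | cut -d: -f3)  # e.g. user_home_t
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p')
        perms=${perms# }; perms=${perms% }                 # strip the braces' padding
        printf '%s|%s|%s|%s\n' "$path" "$sdom" "$ttype" "$perms"
    done
}

# Files in the plugin directories should never carry user_home_t; the label
# travelled with the file when it was mv'ed out of a home directory. Emit the
# restorecon call that resets each such file to the policy's default label.
suggest_restorecon() {
    avc_file_denials | sort -u | while IFS='|' read -r path sdom ttype perms; do
        case "$path" in
            /usr/lib64/nagios/plugins/*|/usr/lib/nagios/plugins/*)
                if [ "$ttype" = user_home_t ]; then
                    printf 'restorecon -v %s\n' "$path"
                fi ;;
        esac
    done | sort -u
}

# Stand-alone run against the constructed sample; on a real host feed the
# audit log instead:  suggest_restorecon < /var/log/audit/audit.log
printf '%s\n' "$AVC_SAMPLE" | suggest_restorecon
```

Before applying the suggestion, restorecon -nv on the path shows what would change without touching the file, and ls -Z on the plugin directory shows which files still carry a home-directory label next to their correctly labeled neighbours. Because the script only ever proposes restorecon (resetting to the policy default), it cannot grant the plugin anything the distribution policy does not already allow.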
Thanks for the detailed explanation @dgoetz 👍 Closing here.