
Workaround for Nagios check_linux_raid failure in RHEL / CentOS 6.2

I recently stumbled upon another Nagios plugin that no longer works with SELinux under RHEL / CentOS 6.2: check_linux_raid.

Just like the check_disk plugin, it has the nagios_checkdisk_plugin_exec_t SELinux type. As of May 2012, this problem has not yet been fixed.

The workaround is simple, as with the check_disk plugin:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_linux_raid

Or, for 32-bit systems:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib/nagios/plugins/check_linux_raid

PNP4Nagios with SELinux on CentOS / RHEL 6

PNP4Nagios is commonly used to add performance graphs to a Nagios installation.

For additional security, SELinux is enabled on the monitoring host. There is no standard SELinux policy for applications like PNP4Nagios, so we need to develop a custom policy. This sounds harder than it actually is:

1. Run the software as you normally would (SELinux will interfere, so prepare for errors)
2. Extract audit messages and use them to create or update a local SELinux policy for the software
3. Repeat until everything works

In this example, I am running Nagios 3.2.3 with PNP4Nagios 0.6.16 on EL6, 64-bit.

After configuring Nagios and PNP4Nagios integration in Synchronous Mode (see [...]


Workaround for Nagios check_disk failure in RHEL / CentOS 6.2

After updating from EL 6.1 to 6.2, the Nagios “check_disk” plugin suddenly stopped working with “Permission denied” errors. This problem is related to the SELinux policy (you *are* running with SELinux enabled, aren’t you?).

By default, these AVC denials are not logged in /var/log/audit/audit.log, which makes this problem harder to spot (if you want, you can log all denials by disabling the dontaudit rules with semodule -DB).

There are at least two relevant entries in Bugzilla:

Bug 771245 – nagios-plugins-disk fails when checking /boot on RHEL6.2 boxes
Bug 768055 – SELinux silent denials of Nagios NRPE check of /boot

Fortunately, there is a simple workaround while we wait for an updated [...]


Making Cobbler work with SELinux on CentOS / RHEL 6

By default, Cobbler will not work properly on a CentOS / RHEL 6 machine with SELinux enabled. The easy way out is to disable SELinux entirely, but I prefer to write a custom policy instead – it is not that difficult.

The basic approach is this:

1. Use Cobbler as you normally would (you will trigger several SELinux denials, so expect errors)
2. Extract the relevant SELinux audit messages; convert them into a local policy
3. Load your local policy
4. Repeat steps 1..3 until everything works as expected
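
The "extract audit messages and convert them into a local policy" step, used in both the PNP4Nagios and Cobbler procedures above, as an added example that is not from the original posts: it parses AVC denials and renders the type-enforcement source you would review before loading it. The log lines and the example_* type names are constructed placeholders; on a real host audit2allow performs this translation.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from a real host); example_* types are placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1336000000.101:41): avc:  denied  { read } for  pid=2101 comm="example" name="data" dev=dm-0 ino=1001 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
type=AVC msg=audit(1336000000.102:42): avc:  denied  { open } for  pid=2101 comm="example" name="data" dev=dm-0 ino=1001 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
type=SYSCALL msg=audit(1336000000.102:42): arch=c000003e syscall=2 success=no exit=-13 comm="example"
type=AVC msg=audit(1336000000.200:43): avc:  denied  { search getattr } for  pid=2101 comm="example" name="spool" dev=dm-0 ino=1002 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:example_spool_t:s0 tclass=dir
type=AVC msg=audit(1336000000.300:44): avc:  granted  { read } for  pid=2101 comm="example" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
"""

# Only "denied" records match; the type is the third field of each context.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<source>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<target>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

def denials_to_rules(log_text):
    """Group AVC denials into (source type, target type, class) -> permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["source"], m["target"], m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render_te(module, rules, version="1.0"):
    """Render .te source for human review before it is compiled and loaded."""
    types = sorted({name for src, tgt, _ in rules for name in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te("local_example", denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Each pass of the loop adds rules like these, so read every allow line before loading the module: a denial in the log shows what the software tried to do, not that the access should be permitted.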

First attempt: the “cobbler import” command fails; rsync cannot access files on the mounted DVD ISO. Time to start writing a [...]


Tip: Fedora 14 and Dropbox

The current version of Dropbox does not behave nicely on Fedora 14 – the Dropbox update daemon attempts to execute code from the stack. This is prohibited by SELinux (and rightly so).

There is a workaround (taken from the Dropbox Support forum):

/usr/bin/execstack -c ~/.dropbox-dist/_ctypes.so

Let’s hope that Dropbox releases a proper fix for this problem soon.