Permission error when Nagios user runs a bash script, also with sudo

Nihvel asked:

I want to power off my NAS and ESXi when there is a power failure. Both systems run on an Eaton UPS.
I only run Linux systems and therefore cannot use the Eaton Manager, which is Windows only.

Since I use Nagios for other tasks, I would like to create a plugin that, using ssh-public-key, can connect to the above systems and power them off.

The public key of the Nagios user is already installed on the root user of the ESXi (the NAS will come later).
When I switch to the nagios user (on the Nagios server) and manually run the script, it connects to the ESXi and (for the moment) writes a "testfile" in /tmp. It works.

When the script is run by Nagios itself, it doesn't. This script runs as a handler:

define host {
    name                            home-monitoring
    use                             generic-host
    check_period                    24x7
    check_interval                  5
    contact_groups                  admins
    event_handler                   poweroff_host
    register                        0
}

cat /usr/lib64/nagios/plugins/poweroff_host.sh

#!/bin/bash
/usr/bin/ssh [email protected] -i /var/spool/nagios/.ssh/id_rsa "touch /tmp/testfile"

cat /etc/nagios/objects/commands.cfg

define command{
        command_name    poweroff_host
        command_line    sudo /usr/lib64/nagios/plugins/poweroff_host.sh
}

visudo

(at the bottom of the file)
nagios ALL = (root) NOPASSWD:/usr/lib64/nagios/plugins/poweroff_host.sh

I have also added nagios user to the wheel group (using usermod)

# grep wheel /etc/group
wheel:x:10:nagios

And last, I’ve been hitting my head here for the last 4 days and keep getting errors in the log. The last error is:

journalctl -xef

stderr line 01: /usr/lib64/nagios/plugins/poweroff_host.sh: line 2: /usr/bin/ssh: Permission denied

Before visudo, the error was "no ssh in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin)"; at least now I have managed to change the kind of error.

Can I please have some help and fix the issue?

UPDATE 1:

[[email protected] ~]# audit2allow -i /var/log/audit/audit.log
#============= nagios_t ==============
allow nagios_t ldconfig_exec_t:file { execute getattr };
allow nagios_t nagios_spool_t:dir create;
allow nagios_t pam_var_run_t:dir write;
allow nagios_t ssh_exec_t:file { execute getattr };
allow nagios_t tmpfs_t:dir write;

Fast forward to the semodule command, but "stderr line 01: /usr/lib64/nagios/plugins/poweroff_host.sh: line 2: /usr/bin/ssh: Permission denied" is still there :/

I will try disabling SELinux altogether :/

My answer:

So the problem here is that SELinux is not allowing Nagios to do a variety of things which, presumably, you actually want it to do (such as running ssh). It's impossible for the distribution to guess at all the things you might need Nagios to do, so while the SELinux policy allows most things related to monitoring, it isn't allowing these things.

You can work around the issue for the time being by setting Nagios to permissive mode (you don’t have to set all of SELinux to permissive, you can do it for individual types):

semanage permissive -a nagios_t

After doing this, the audit log will over time accumulate all of the AVCs you need to create a custom SELinux policy module, if you wish, and after installing that custom policy module you can return SELinux to enforcing for Nagios.

semanage permissive -d nagios_t
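The step between the two semanage commands above, turning the AVC denials that accumulate while nagios_t is permissive into a custom policy module, is what audit2allow automates. The script below is an added example, not code from the question or the answer: it reimplements the core of that translation in awk so you can see how a raw audit record becomes one of the "allow nagios_t ssh_exec_t:file { execute getattr };" lines shown in the question's update. The audit records, the module name nagios_poweroff and the avc_to_te function are all constructed for this example; the source and target types mirror the audit2allow output in the question.

```shell
#!/bin/sh
# Added example: turn raw AVC denial records (the kind that accumulate in
# /var/log/audit/audit.log while nagios_t is permissive) into the .te
# source of a custom policy module, the way "audit2allow -M" does.
# Everything below is constructed for illustration.

# Constructed sample records. Real ones come from
#   ausearch -m AVC -c poweroff_host.s --raw
# Record :204 duplicates :201 and the SYSCALL record is not an AVC;
# both must be handled without producing extra rules.
AVC_SAMPLE='type=AVC msg=audit(1498072300.101:201): avc:  denied  { execute } for  pid=2311 comm="poweroff_host.s" name="ssh" dev="dm-0" ino=3920 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1498072300.101:202): avc:  denied  { getattr } for  pid=2311 comm="poweroff_host.s" path="/usr/bin/ssh" dev="dm-0" ino=3920 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1498072300.230:203): avc:  denied  { create } for  pid=2312 comm="ssh" name=".ssh" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1498072300.230:203): arch=c000003e syscall=83 success=yes exit=0 comm="ssh" subj=system_u:system_r:nagios_t:s0
type=AVC msg=audit(1498072301.500:204): avc:  denied  { execute } for  pid=2320 comm="poweroff_host.s" name="ssh" dev="dm-0" ino=3920 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1'

# avc_to_te MODULE: read audit records on stdin, print a complete .te file:
# a require block for every type and class seen, then one allow rule per
# (source type, target type, object class) with the permissions merged.
avc_to_te() {
    awk -v mod="$1" '
    function brace(p) { return (index(p, " ") ? "{ " p " }" : p) }
    function append(cur, p) { return (cur == "" ? p : cur " " p) }

    # Only AVC denials carry the (scontext, tcontext, tclass, perms) tuple.
    /^type=AVC / && / denied / {
        perm = $0
        sub(/.*denied +[{] */, "", perm)   # keep text after "{ "
        sub(/ *[}].*/, "", perm)           # drop text from " }" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> third colon field is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next

        key = src "|" tgt "|" cls
        if (!(key in perms)) { keys[++nkeys] = key; perms[key] = "" }
        if (!(cls in cls_seen)) { cls_seen[cls] = 1; classes[++ncls] = cls }
        if (!(src in type_seen)) { type_seen[src] = 1; types[++ntypes] = src }
        if (!(tgt in type_seen)) { type_seen[tgt] = 1; types[++ntypes] = tgt }

        # Merge permissions, de-duplicated per rule and per class.
        np = split(perm, plist, " ")
        for (j = 1; j <= np; j++) {
            p = plist[j]
            if (!((key, p) in seen)) { seen[key, p] = 1; perms[key] = append(perms[key], p) }
            if (!((cls, p) in cseen)) { cseen[cls, p] = 1; cperms[cls] = append(cperms[cls], p) }
        }
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= ntypes; i++) print "\ttype " types[i] ";"
        for (i = 1; i <= ncls; i++)   print "\tclass " classes[i] " " brace(cperms[classes[i]]) ";"
        print "}"
        print ""
        for (i = 1; i <= nkeys; i++) {
            split(keys[i], k, "|")
            print "allow " k[1] " " k[2] ":" k[3] " " brace(perms[keys[i]]) ";"
        }
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te nagios_poweroff
```

On a real system you would not hand-roll this: collect the denials with `ausearch -m AVC -c poweroff_host.s --raw | audit2allow -M nagios_poweroff`, read the generated nagios_poweroff.te before loading it, and install it with `semodule -i nagios_poweroff.pp`. Reading it matters: audit2allow allows exactly what was denied, so rules such as "tmpfs_t:dir write" or "pam_var_run_t:dir write" from the question's update should be kept only if the handler genuinely needs them, and it is worth checking `getsebool -a` first for an existing boolean that already grants the access, which is preferable to a custom rule.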

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.