jloh / nagios-nrpe-server

Nagios NRPE Server Role for Ansible
https://blog.jloh.co/nagios-nrpe-ansible-role/
MIT License

Incorrect SELinux label on nrpe_ansible.cfg under RHEL/Rocky 8 #36

Open iay opened 1 year ago

iay commented 1 year ago

The way the nrpe_ansible.cfg file is created means that it inherits its SELinux label from the /etc/nagios directory:

[root@r8c nagios]# ls -laZ
total 28
drwxrwxr-x.   2 root root system_u:object_r:nagios_etc_t:s0   46 Oct  9 13:39 .
drwxr-xr-x. 118 root root system_u:object_r:etc_t:s0        8192 Oct  9 13:39 ..
-rw-r--r--.   1 root root system_u:object_r:nagios_etc_t:s0  674 Oct  9 13:39 nrpe_ansible.cfg
-rw-r--r--.   1 root root system_u:object_r:nrpe_etc_t:s0   8229 Oct  9 13:39 nrpe.cfg

Unfortunately this means it isn't readable by the nrpe daemon, resulting in failures if SELinux is in enforcing mode.

I assume that nrpe.cfg escapes this problem either because it already existed as part of the package install, or because there's SELinux support for /etc/nagios/nrpe.cfg specifically. It has the correct label, anyway.

Fixing it seems to be fairly straightforward. I did this in a fork:

# Create nrpe_ansible.cfg
- name: Create nrpe_ansible.cfg from template
  template:
    src: "nrpe_ansible.cfg.j2"
    dest: "{{ nagios_nrpe_server_dir }}/nrpe_ansible.cfg"
    owner: root
    group: root
    mode: 0644
    setype: nrpe_etc_t
  notify: restart nagios-nrpe-server

Adding the setype option results in the following:

[root@r8c nagios]# ls -laZ
total 28
drwxrwxr-x.   2 root root system_u:object_r:nagios_etc_t:s0   46 Oct  9 13:39 .
drwxr-xr-x. 118 root root system_u:object_r:etc_t:s0        8192 Oct  9 13:39 ..
-rw-r--r--.   1 root root system_u:object_r:nrpe_etc_t:s0    674 Oct  9 13:39 nrpe_ansible.cfg
-rw-r--r--.   1 root root system_u:object_r:nrpe_etc_t:s0   8229 Oct  9 13:39 nrpe.cfg

The daemon is now able to read the file and commands are available as expected.
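A pre-flight check for the mismatch described in this issue, added here as an example (it is not code from the role or from the issue author): it parses `ls -laZ` output, constructed below from the listing in the issue so it runs offline, and flags any `.cfg` whose SELinux type component is not `nrpe_etc_t`, the type the listing shows on the package's own `nrpe.cfg`.

```shell
#!/bin/sh
# Constructed sample: the "before" listing from the issue, not live host output.
# On a real host feed the function the output of: ls -laZ /etc/nagios
SAMPLE_LS='total 28
drwxrwxr-x.   2 root root system_u:object_r:nagios_etc_t:s0   46 Oct  9 13:39 .
drwxr-xr-x. 118 root root system_u:object_r:etc_t:s0        8192 Oct  9 13:39 ..
-rw-r--r--.   1 root root system_u:object_r:nagios_etc_t:s0  674 Oct  9 13:39 nrpe_ansible.cfg
-rw-r--r--.   1 root root system_u:object_r:nrpe_etc_t:s0   8229 Oct  9 13:39 nrpe.cfg'

# mislabeled_cfgs <expected_type>
# Reads ls -laZ output on stdin and prints "<name> <actual_type>" for every
# regular file named *.cfg whose SELinux type differs from <expected_type>.
# Field layout of ls -laZ: mode links owner group context size month day time name
# (assumes file names without spaces, which holds for the files in question).
mislabeled_cfgs() {
  awk -v want="$1" '
    $1 ~ /^-/ && $NF ~ /\.cfg$/ {
      split($5, ctx, ":")          # context is user:role:type:level
      if (ctx[3] != want) print $NF " " ctx[3]
    }'
}

# check_nrpe_labels <ls_output>
# Returns 0 when every .cfg carries nrpe_etc_t, 1 (and lists offenders) otherwise.
check_nrpe_labels() {
  bad=$(printf '%s\n' "$1" | mislabeled_cfgs nrpe_etc_t)
  if [ -n "$bad" ]; then
    printf 'mislabeled (name type): %s\n' "$bad"
    return 1
  fi
  return 0
}

# Run against the constructed listing; it reports nrpe_ansible.cfg, as in the issue.
check_nrpe_labels "$SAMPLE_LS" || echo "fix: add 'setype: nrpe_etc_t' to the template task"
```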