mcktr / check_fritz

Check plugin written in Go to monitor a Fritz!Box
GNU General Public License v2.0
32 stars 10 forks source link

execvpe(/usr/lib64/nagios/plugins/check_fritz) failed: Permission denied #84

Closed ghost closed 4 years ago

ghost commented 4 years ago

Hi,

I just set up a new Icinga2 monitoring instance and began adding hosts starting with my Fritz!Box 5490. This is when I came across this amazing plugin. I installed it according to the "Installtion" chapter in the docs without any issues, but as soon as I restart the icinga2 service I am getting the above error displayed for the check on my IcingaWeb2 dashboard.

The icinga2 log (/var/log/icinga2/icinga2.log) shows the following recurring entry: [2020-06-30 08:16:00 +0200] warning/PluginCheckTask: Check command for object 'FRITZBox 5490!WAN Status' (PID: 143277, arguments: '/usr/lib64/nagios/plugins/check_fritz' '--method' 'connection_status' '--password' 'xxxxxxxx' '--username' 'icinga2') terminated with exit code 128, output: execvpe(/usr/lib64/nagios/plugins/check_fritz) failed: Permission denied

So I thought I messed up my file permission which look like this:

[root@z25-icinga-mstr admin]# ls -la /usr/lib64/nagios/plugins/
insgesamt 14100
drwxr-xr-x. 3 root root      4096 29. Jun 14:58 .
drwxr-xr-x. 3 root root        21 29. Aug 2019  ..
-rwxr-xr-x. 1 root root     34136 24. Mai 23:03 check_dummy
-rwxr-xr-x. 1 root root      5066 24. Mai 23:03 check_file_age
-rwxr-xr-x. 1 root root      6504 24. Mai 23:03 check_flexlm
-rwsr-x---. 1 root nagios   59784 24. Mai 23:03 check_fping
-rwxr-xr-x. 1 root icinga 7499745 29. Jun 14:57 check_fritz
...

Note that I added the "icinga" group while debugging it used to be root like almost all file in the plugins directory.

To be sure it is not a permission issue I tried running the check manually as the "icinga" user, which works fine: [root@xxxxxx xxxx]# sudo -H -u icinga '/usr/lib64/nagios/plugins/check_fritz' '--method' 'connection_status' '--password' 'xxxxxxxx' '--username' 'icinga2' OK - Connection Status: Connected; External IP: 89.245.xxx.xxx

Any suggestion on what might be wrong here?

Edit: Just found another clue. The error seems to be caused by SELinux:

[root@xxxxxxx xxxxxx]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1593502140.290:2579): avc:  denied  { execute } for  pid=144517 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502200.290:2580): avc:  denied  { execute } for  pid=144531 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502260.290:2581): avc:  denied  { execute } for  pid=144546 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502320.290:2582): avc:  denied  { execute } for  pid=144560 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502380.290:2583): avc:  denied  { execute } for  pid=144575 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502440.290:2584): avc:  denied  { execute } for  pid=144589 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502500.290:2585): avc:  denied  { execute } for  pid=144603 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502560.290:2586): avc:  denied  { execute } for  pid=144618 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502620.290:2587): avc:  denied  { execute } for  pid=144633 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502680.290:2588): avc:  denied  { execute } for  pid=144652 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593502740.290:2589): avc:  denied  { execute } for  pid=144673 comm="icinga2" name="check_fritz" dev="dm-0" ino=100855371 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
mcktr commented 4 years ago

Hi,

which OS you are using? Typically the icinga user is used on RPM based distributions like CentOS, Red Hat, but you also have a nagios user which is typically for DEB based distributions like Debian, Ubuntu.

Did you copied/moved the check_fritz plugin from your home directory to your plugin directory? It is labeled unconfined_u:object_r:admin_home_t so it hat the wrong context. You can restore the correct context with restorecon -v /usr/lib64/nagios/plugins/check_fritz

Best regards Michael

ghost commented 4 years ago

Did you copied/moved the check_fritz plugin from your home directory to your plugin directory? It is labeled unconfined_u:object_r:admin_home_t so it hat the wrong context. You can restore the correct context with restorecon -v /usr/lib64/nagios/plugins/check_fritz

Indeed this is exactly what happend and your suggestion works perfectly, many thanks. Maybe you could include a heads up in the docs for (SE)Linux noobs like me. :)