Using the stock RHEL check_pgsql Nagios plugin (with Icinga2), I found that SELinux was not letting the plugin run. The check came back with:

CRITICAL - no connection to 'schemaname' (could not connect to server: Permission denied
Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.123"?
).
Whilst the command ran fine locally as any user with permission to run the plugin, it failed when invoked via NRPE.
Checking the file context, it was correct:
ls -lZ /usr/lib64/nagios/plugins/check_pgsql
-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_pgsql
So the next stop was /var/log/audit/audit.log, which had the entry:

type=AVC msg=audit(1492518731.184:9097): avc: denied { write } for
pid=8985 comm="check_pgsql" name=".s.PGSQL.5432" dev=dm-0 ino=521504
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
audit2allow is your friend for sorting this sort of thing out.
# audit2allow -a

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t tmp_t:sock_file write;
allow nagios_services_plugin_t tomcat_t:unix_stream_socket connectto;

[root@spacewalk audit]# audit2allow -a -M nagios_services_plugin_t
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nagios_services_plugin_t.pp

[root@spacewalk audit]# semodule -i nagios_services_plugin_t.pp
Job done. One caveat: audit2allow -a builds rules from every denial currently in the audit log, not just the one you were chasing. That is why the output above also contains a connectto rule for tomcat_t, which has nothing to do with the PostgreSQL socket. Read the generated .te file before running semodule -i, and delete any rule you did not set out to allow.
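To show what the filtering step looks like in practice, here is an added example (not code from the original post, and not audit2allow itself): a small shell/awk filter that turns the AVC records for one command into a minimal .te module, so unrelated denials sitting in the same log do not get granted along the way. The sample log is constructed: the first record mirrors the check_pgsql denial above, the second is a hypothetical denial for a made-up plugin called "other_plugin" that an unfiltered run would also turn into an allow rule. The module name nagios_check_pgsql_local is likewise my own choice.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the AVC records for ONE
# command into a minimal SELinux .te module, instead of granting every denial
# in the log the way "audit2allow -a" does. The field parsing here is our own
# and handles the common single-line AVC format only.

# Constructed sample audit log. Record 1 mirrors the check_pgsql denial from the
# post; record 2 is a hypothetical denial for an invented plugin ("other_plugin")
# that an unfiltered run would also allow.
AVC_SAMPLE='type=AVC msg=audit(1492518731.184:9097): avc:  denied  { write } for  pid=8985 comm="check_pgsql" name=".s.PGSQL.5432" dev=dm-0 ino=521504 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1492518731.190:9098): avc:  denied  { connectto } for  pid=9001 comm="other_plugin" path="/run/example.sock" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket'

# avc_to_te MODULE_NAME COMM   (AVC records on stdin, .te source on stdout)
# An empty COMM keeps every record, which is effectively what "audit2allow -a" does.
avc_to_te() {
    awk -v mod="$1" -v want="$2" '
    /^type=AVC / && (want == "" || index($0, "comm=\"" want "\"")) {
        # permissions are the words between the braces: { write } or { read write }
        perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        # the type is the third colon-separated field of a security context
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        types[s[3]] = 1; types[t[3]] = 1
        # collect the distinct permissions per class for the require block
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " cp[cls] " ", " " p[i] " ") == 0) cp[cls] = cp[cls] " " p[i]
        rule = "allow " s[3] " " t[3] ":" cls " " (n > 1 ? "{ " perms " }" : perms) ";"
        if (!(rule in seen)) { seen[rule] = 1; rules[++nr] = rule }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in cp) {
            sub(/^ /, "", cp[c])
            printf "\tclass %s %s;\n", c, (index(cp[c], " ") ? "{ " cp[c] " }" : cp[c])
        }
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Filtered on comm="check_pgsql": only the socket write is granted; the
# tomcat_t connectto from the other record never makes it into the module.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te nagios_check_pgsql_local check_pgsql
```

On a real box the equivalent of the filter is to feed audit2allow only the records you mean to act on, for example `ausearch -c check_pgsql --raw | audit2allow -M nagios_check_pgsql_local`, then read the .te it writes before `semodule -i`. Also note that `allow ... tmp_t:sock_file write` covers every socket in /tmp, not just PostgreSQL's; it is the smallest rule the denial supports, but still worth knowing the breadth of what you are granting.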