The same result also with all the needed parameters for the registration.
I am not able to debug the cmk-agent-ctl since it is in binary form:
[root@CHECKMK services]# less /usr/bin/cmk-agent-ctl
“/usr/bin/cmk-agent-ctl” may be a binary file. See it anyway?
I had the same problem and did some troubleshooting.
Setting SELinux to permissive with setenforce 0 and looking into the logs with journalctl -f -t setroubleshoot gave me the following output:
Note: The package setroubleshoot-server must be present on the system. dnf install setroubleshoot-server
SELinux is preventing /usr/bin/cmk-agent-ctl from execmod access on the file /usr/bin/cmk-agent-ctl.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.
Do
setsebool -P selinuxuser_execmod 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that cmk-agent-ctl should be allowed execmod access on the cmk-agent-ctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cmk-agent-ctl' --raw | audit2allow -M my-cmkagentctl
# semodule -X 300 -i my-cmkagentctl.pp
After setting setsebool -P selinuxuser_execmod 1 the agent works flawlessly.
Root Cause:
RedHat changed the default value of the selinuxuser_execmod SELinux Boolean with RHEL 9.
If you search for selinuxuser_execmod on the following page you will find the notice with a reference to the Bugzilla entry.
# as root this segfaults
[root@rocky9 ~]# cmk-agent-ctl --version
Segmentation fault (core dumped)
Why execmod?
How is it labeled?
[root@rocky9 ~]# ldd /usr/bin/cmk-agent-ctl
not a dynamic executable
[root@rocky9 ~]# ls -Z /usr/bin/cmk-agent-ctl
system_u:object_r:bin_t:s0 /usr/bin/cmk-agent-ctl
(fields from left to right: user = system_u, role = object_r, type = bin_t, MLS (multi layered security) = s0)
Only type is relevant in this context.
@topfi this is a solution, thanks for that, but two things to notice:
You have to reinstall the check-mk-agent rpm package because it also failed to add a user when this selinux boolean is not set and selinux is enabled.
This sebool will not only allow cmk-agent-ctl to work but also weakens the selinux policy for other binaries!
setsebool -P selinuxuser_execmod 1
But I think this is still better than disabling selinux completely.
PS: the execmod is needed because cmk-agent-ctl is a compressed binary.
To uncompress itself it needs this permission/syscall.
What we need is perhaps a dedicated selinux label for the cmk-agent-ctl and a policy that only allows binaries with that label to execmod.
Proposal: We label
/usr/bin/cmk-agent-ctl as system_u:object_r:cmk_agent_bin_t:s0 instead of system_u:object_r:bin_t:s0 and then write a policy to allow:
Sorry, I’m not on RHEL 9 and CMK 2.1.
Right now I have no time to look into this - sorry again.
But what you could do is set selinux to permissive.
Install the client and then run audit2allow to generate a policy extension that will give all the needed permissions to checkmk.
The best solution would of course be to have a dedicated security context for the agent, but that is a little more work.
The generated policy extension can be compiled and inserted into the policy like described in my original post about selinux.
Be sure to check the generated policy extension before compiling and using it. audit2allow creates an extension that allows everything that has been blocked by selinux. It might even be a completely unrelated process that was started at the same time as the agent installation.
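An added example (not Checkmk's code, and not part of any post above) that puts the two cautions of this thread into a small triage script: it parses raw audit records of the kind ausearch --raw prints, separates the cmk-agent-ctl denials from unrelated ones that a time-window search would hand to audit2allow, and flags an execmod denial on a bin_t file, which is the symptom the packed binary produces. The audit lines in SAMPLE_AUDIT are constructed for illustration.

```python
"""Triage raw SELinux audit records before feeding them to audit2allow. Added example,
not Checkmk's code: groups AVC denials by process so unrelated ones can be dropped, and
flags execmod on a bin_t file, the symptom of a packed, text-relocating binary."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT = [  # constructed; same layout as the output of ausearch --raw
    'type=AVC msg=audit(1669889580.123:456): avc:  denied  { execmod } for  '
    'pid=1234 comm="cmk-agent-ctl" path="/usr/bin/cmk-agent-ctl" dev="dm-0" ino=12345 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1669889580.123:456): arch=c000003e syscall=10 success=no exit=-13',
    # unrelated denial in the same window; a time-based ausearch piped into audit2allow -M bundles it too
    'type=AVC msg=audit(1669889581.500:457): avc:  denied  { write } for  '
    'pid=1300 comm="httpd" name="index.html" dev="dm-0" ino=777 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # a context is user:role:type[:range]; only the type matters for an allow rule
    rec["ttype"] = rec["tcontext"].split(":")[2] if "tcontext" in rec else ""
    return rec

def triage(lines, target_comm):
    """Split the target's denials from unrelated ones and detect execmod on bin_t."""
    by_comm = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            by_comm[rec.get("comm", "?")].append(rec)
    wanted = by_comm.get(target_comm, [])
    return {
        "wanted": wanted,
        "unrelated": sorted(c for c in by_comm if c != target_comm),
        "execmod_on_bin_t": any("execmod" in r["perms"] and r["ttype"] == "bin_t" for r in wanted),
    }

if __name__ == "__main__":
    res = triage(SAMPLE_AUDIT, "cmk-agent-ctl")
    print(len(res["wanted"]), "denial(s); drop before audit2allow:", res["unrelated"], "; execmod on bin_t:", res["execmod_on_bin_t"])
```

When execmod_on_bin_t is set, the narrower fix discussed above (a dedicated file type for cmk-agent-ctl, or the unpacked binary) is preferable to the global selinuxuser_execmod boolean.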
Technical background: The cmk-agent-ctl executable is statically linked to maximize compatibility. As a downside, it is 8MB in size. To mitigate this, we used to compress the cmk-agent-ctl executable with UPX and ended up with a 4MB sized executable. But it turned out that running the UPX-packed executable uses text relocation, leading to the issue with SELinux.
Starting with the mentioned Werk, we compress cmk-agent-ctl with gzip (again leading to a file of 4MB), and decompress it during package installation. This way, we end up with the untouched executable that SELinux does not complain about.
That said, please let us know if you encounter additional issues with this new approach!