Hi,
i had the same problem and did some troubleshooting.
Setting SELinux to permissive with setenforce 0
and looking into the logs with journalctl -f -t setroubleshoot
gave me the following output:
Note: The package setroubleshoot-server
must be present on the system. dnf install setroubleshoot-server
SELinux is preventing /usr/bin/cmk-agent-ctl from execmod access on the file /usr/bin/cmk-agent-ctl.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.
Do
setsebool -P selinuxuser_execmod 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that cmk-agent-ctl should be allowed execmod access on the cmk-agent-ctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cmk-agent-ctl' --raw | audit2allow -M my-cmkagentctl
# semodule -X 300 -i my-cmkagentctl.pp
After setting setsebool -P selinuxuser_execmod 1
the agent works flawlessly.
Root Cause:
RedHat changed the default value of the selinuxuser_execmod
SELinux Boolean with RHEL 9.
If you search for selinuxuser_execmod
on the following page you will find the notice with a reference to the bugzilla entrie.
BR
Topfi