Fedora 27 - SELinux prevents nrpe creation in /var/run

Fedora 27 - SELinux prevents nrpe creation in /var/run

Postby RTTST » Sun Feb 04, 2018 4:01 pm

I am not sure if this is a bug or wad. Regardless, I need assistance with creating the /var/run/nrpe folder at boot. This worked before the upgrade to Fedora 27, and yes, I may regress to Fedora 26 because of it.

Typically one can create the appropriate folders in /run (aka symbolic link /var/run) using a "d" statement in the relative /usr/lib/tmpfiles.d/nrpe.conf file.

Code:
d /var/run/nrpe 0775 nrpe nrpe -
f /var/run/nrpe/nrpe.pid 755 nrpe nrpe


But the following error results:
Code:
SELinux is preventing (mkdir) from mounton access on the directory /run/nrpe

I can create the folder and launch nrpe after the fact with root privileges, and it works fine until the next boot. I have tried creating the directory using an ExecStartPre= statement in the enabled nrpe.service file, to no avail.
Code:
[Service]
Type=simple
Restart=on-abort
ExecStartPre=-/usr/bin/mkdir /var/run/nrpe
RuntimeDirectory=nrpe
PIDFile=/var/run/nrpe/nrpe.pid
RuntimeDirectoryMode=0755
ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /var/run/nrpe/nrpe.pid
TimeoutStopSec=60
User=nrpe
Group=nrpe
PrivateTmp=true
OOMScoreAdjust=-500

In each scenario SELinux is preventing the mkdir. I even added the appropriate file context type to the folder after creating it manually. This did not help with the reboot.

Any suggestions would be appreciated. Thanks in advance.
RTTST
 
Posts: 2
Joined: Sun Feb 04, 2018 3:07 pm

Re: Fedora 27 - SELinux prevents nrpe creation in /var/run

Postby RTTST » Sun Feb 04, 2018 5:16 pm

Well, I may have resolved my own problem. Just to test that all would work without SELinux, I changed the enforcing to permissive mode. [I typically try to avoid this.]
Code:
setenforce 0

I then restarted the nrpe service.
Code:
systemctl restart nrpe

All came up as expected with the exception of the nrpe.pid file creation.

I rebooted the system and immediately checked the status of the nrpe service. Folder and file were created successfully. But, SELinux was still preventing read/write to nrpe.pid file. It was created but had the incorrect fcontext type. I changed it accordingly.
Code:
semanage fcontext -a -t nrpe_var_run_t /var/run/nrpe/nrpe.pid
restorecon -v /var/run/nrpe/nrpe.pid

I restarted the service again and found that the nrpe.pid file removal command was preventing it from properly restarting. So I commented out that command in the nrpe.service file.
Code:
#ExecStopPost=/bin/rm -f /var/run/nrpe/nrpe.pid


I disabled and then re-enabled the service to transfer the changes to the nrpe.service file.
Code:
systemctl disable nrpe
systemctl enable nrpe

You may be able to accomplish this with the systemctl daemon-reload command, but I did not attempt it.

Then I rebooted once more. The appropriate folder and files were created for nrpe in the /run location. I also confirmed that SELinux was once again enforcing. Now restarts of the nrpe service and reboots have it working as preferred. It would seem one has to create the SELinux conditions in permissive mode for the very first time on Fedora 27 before it will allow the same in enforcing mode... at least that is my perception. Again, this follows an upgrade from Fedora 26, which worked previously. Perhaps someone may be able to explain why the steps I took were necessary?

I hope this is helpful to others.
RTTST
 
Posts: 2
Joined: Sun Feb 04, 2018 3:07 pm
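Both posts above turn on the same question: is a denial on /run/nrpe happening because the directory or pid file carries the wrong type (fixed by relabelling, as the second post did with semanage fcontext and restorecon), or because the label is already right and policy simply does not allow the access (where relabelling cannot help and the denial should be reported instead)? The script below is an added example, not code from this thread or from the nrpe or Fedora projects. It parses raw audit AVC records and makes exactly that distinction. The audit records are constructed samples modelled on the denials described in the thread, and the EXPECTED_CONTEXTS table is an assumption modelled on the /var/run/nrpe(/.*)? to nrpe_var_run_t mapping the second post relies on; on a real host the expected type should come from `semanage fcontext -l` or `matchpathcon PATH`, and the records from `ausearch -m AVC`.

```python
"""Triage SELinux AVC denials for a service's /run directory.

Added example (not from the forum thread): parse raw audit AVC records and
decide whether each denial is a labelling problem (the target's type differs
from what policy expects, fixed with restorecon) or a policy gap (the label is
right but policy still denies, so relabelling cannot help).  Sample records
and the expected-label table below are constructed for illustration.
"""
import re

# key=value pairs in an audit record; values may be quoted
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set an AVC record reports, e.g. { read write }
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

# ASSUMED expected labels, written like `semanage fcontext -l` patterns but
# against /run (on this page /var/run is a symlink to /run).  Most specific
# pattern first.  On a real host take these from `semanage fcontext -l`
# or `matchpathcon PATH` instead of hard-coding them.
EXPECTED_CONTEXTS = [
    (r"/run/nrpe(/.*)?", "nrpe_var_run_t"),
    (r"/run(/.*)?", "var_run_t"),
]


def normalize_path(path):
    """Map the /var/run symlink onto /run so patterns need only one form."""
    if path == "/var/run" or path.startswith("/var/run/"):
        return "/run" + path[len("/var/run"):]
    return path


def type_of(context):
    """Return the type component of user:role:type:level."""
    return context.split(":")[2]


def expected_type(path):
    """Expected SELinux type for a path, or None if no pattern matches."""
    for pattern, selinux_type in EXPECTED_CONTEXTS:
        if re.fullmatch(pattern, normalize_path(path)):
            return selinux_type
    return None


def parse_avc(line):
    """Extract the fields of one AVC denial record; None for other records."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", ""),
        # file denials often carry only name=; prefer the full path when present
        "path": fields.get("path") or fields.get("name", ""),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields.get("tclass", ""),
    }


def triage(line):
    """Classify one record: 'mislabeled', 'policy-gap', 'unknown-path' or None."""
    avc = parse_avc(line)
    if avc is None:
        return None
    observed = type_of(avc["tcontext"])
    expected = expected_type(avc["path"])
    if expected is None:
        verdict, fix = "unknown-path", "check the path against semanage fcontext -l"
    elif observed != expected:
        verdict = "mislabeled"
        fix = "restorecon -v %s  (expected %s, found %s)" % (avc["path"], expected, observed)
    else:
        verdict = "policy-gap"
        fix = "label is correct; review with audit2allow -w and report, do not relabel"
    return dict(avc, expected=expected, observed=observed, verdict=verdict, fix=fix)


def triage_log(lines):
    """Run triage over many records, dropping non-AVC lines."""
    return [r for r in (triage(l) for l in lines) if r is not None]


# Constructed sample records modelled on the denials described in the thread
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1517770000.123:456): arch=c000003e syscall=165 success=no exit=-13',
    'type=AVC msg=audit(1517770000.123:456): avc:  denied  { mounton } for  pid=812 comm="(mkdir)" '
    'path="/run/nrpe" dev="tmpfs" ino=12345 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1517770100.456:789): avc:  denied  { read write } for  pid=901 comm="nrpe" '
    'path="/var/run/nrpe/nrpe.pid" dev="tmpfs" ino=12346 scontext=system_u:system_r:nrpe_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1517770200.789:901): avc:  denied  { mounton } for  pid=812 comm="(mkdir)" '
    'path="/run/nrpe" dev="tmpfs" ino=12345 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:nrpe_var_run_t:s0 tclass=dir permissive=0',
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_AUDIT):
        print("%-12s %-8s %s %s -> %s" % (r["verdict"], r["comm"], " ".join(r["perms"]), r["path"], r["fix"]))
```

The first two sample denials come back as "mislabeled" (the target carries var_run_t where nrpe_var_run_t is expected), which is the situation the second post fixed with restorecon; the third has the right label and comes back as "policy-gap", the case where setting permissive mode only hides the problem and the denial is worth reporting. Feeding real records is a matter of replacing SAMPLE_AUDIT with the output of `ausearch -m AVC -ts boot` and the table with the host's own fcontext entries.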

