Hi,
csync2 is running fine on a RHEL 9.6 where selinux is configured in Enforcing mode.
NB: the /sbin/csync2 -x is run every minute from the root crontab, as root. First question: is csync2 meant to be run as root? I suppose yes, as privileges needed by csync2 to read and write files can be of any sort.
I wish to monitor the health of the csync2 setup, from Icinga.
Plugin - step 1 - run as root
Therefore, I have implemented a plugin in which the main command is csync2 -TT.
The plugin works fine if run from the command line as root, but failed to run from the command line with a sudo: sudo -u icinga /usr/lib64/nagios/plugins/check_csync2.sh
Plugin - step 2 - run as icinga
So, in /etc/sudoers.d/icinga I have added lines that enable the icinga user to run csync2 as root, and in the script, I have added sudo in front of all the csync2 commands.
This allowed the script to be run as root from the command line with sudo -u icinga in front.
However, the plugin failed when run from the agent, and the resulting /var/log/audit/audit.log file contains many lines that do not make sense to me.
Plugin - step 3 - run from the Icinga agent
This is where I am stuck. If I disable selinux (setenforce Permissive), then the plugin runs successfully from the Icinga agent, and I can see the result in the IcingaWeb display. So my conclusion is that the solution is to be found within the selinux configuration. But of course I know nothing about selinux
From the error messages in /var/log/audit/audit.log, I understand selinux prevents the icinga user from running the sudo command.
I have tried to run the commands suggested by the audit2allow utility, but this did not help.
Has anyone gone through the same issues and knows how to solve this?
Thank you,
Jean
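
An added example, not part of the original post: a small Python summarizer that groups the AVC denial records in audit.log by source type, target type and object class, so the many lines reduce to the few distinct accesses being denied. The sample records are constructed, and the `icinga2_t` source domain in them is an assumption about the agent's SELinux type.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the post).
# The icinga2_t source domain is an assumption about the agent's SELinux type.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1718000000.101:801): avc:  denied  { execute } for  pid=4101 '
    'comm="check_csync2.sh" name="sudo" dev="dm-0" ino=1201 '
    'scontext=system_u:system_r:icinga2_t:s0 '
    'tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1718000000.101:801): arch=c000003e syscall=59 '
    'success=no exit=-13 comm="check_csync2.sh"',
    'type=AVC msg=audit(1718000060.202:812): avc:  denied  { execute } for  pid=4188 '
    'comm="check_csync2.sh" name="sudo" dev="dm-0" ino=1201 '
    'scontext=system_u:system_r:icinga2_t:s0 '
    'tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1718000300.303:840): avc:  denied  { setuid } for  pid=4300 '
    'comm="sudo" capability=7  scontext=system_u:system_r:icinga2_t:s0 '
    'tcontext=system_u:system_r:icinga2_t:s0 tclass=capability permissive=1',
])

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0, "enforced": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
        # Records without a permissive= field are counted as enforced.
        g["enforced"] += 0 if m["permissive"] == "1" else 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} comm={sorted(g['comms'])} "
              f"count={g['count']} enforced={g['enforced']}")
```

Pass the text of /var/log/audit/audit.log to `summarize_denials()` to get the same grouping for real records.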