/usr/lib64/python2.7/socket.py Permission Denied

I wrote a Python test plugin, /usr/lib64/nagios/plugins/check_test.py. The file content is below; it tries to read a file from another server and does some checks, as shown below.


```python
#!/usr/bin/python

import re
import sys
import datetime
import paramiko
import select

# Open an SSH session to the remote host and read the log over SFTP
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('10.11.12.13')
sftp_client = client.open_sftp()
remote_file = sftp_client.open('/data/var/test.log')
remote_file.prefetch()
errorFound = 0
try:
    # Some checks that set errorFound to 0 or 1
    pass
finally:
    remote_file.close()

# Report the result through the plugin exit code
if errorFound:
    sys.exit(1)
else:
    sys.exit(0)
```

I am able to run this /usr/lib64/nagios/plugins/check_test.py directly from my Linux CentOS without any problem. But when I load this script as a service on Icinga, I see a warning against the service and the error below.

Error Below:


```
22/Sep/2021
Traceback (most recent call last):
  File "/usr/lib64/nagios/plugins/check_test.py", line 16, in <module>
    client.connect('10.34.187.17')
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 305, in connect
    retry_on_signal(lambda: sock.connect(addr))
  File "/usr/lib/python2.7/site-packages/paramiko/util.py", line 269, in retry_on_signal
    return function()
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 305, in <lambda>
    retry_on_signal(lambda: sock.connect(addr))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied
```


I have set full permissions for the files below, listed in the error above, but no luck:
/usr/lib64/python2.7/socket.py
/usr/lib/python2.7/site-packages/paramiko/client.py

Anything I am missing here?

About Details:
Icinga Web 2 Version: 2.9.3
Git commit: c757a17530c326c7d6daebd6171486cb8167a8a1
PHP Version: 7.3.29
Git commit date: 2021-08-10

When you tested manually, did you use the icinga user? Can you post the output from sestatus?

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
```

I just executed the py script manually after I logged in with my username. I did not use the icinga user.

Also, I executed `sudo setenforce 0` and now the sestatus current mode is permissive. I get a new error now on the service in Icinga, as shown below.

```
22/Sep/2021
Traceback (most recent call last):
  File "/usr/lib64/nagios/plugins/check_test.py", line 16, in <module>
    client.connect('10.34.187.17')
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 380, in connect
    look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host)
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 622, in _auth
    raise SSHException('No authentication methods available')
paramiko.ssh_exception.SSHException: No authentication methods available
```

Try running the script with sudo -u icinga to check stuff that will be run by Icinga.
Also: Is the icinga2-selinux package installed?

Also also: please use code tags to format code snippets, this makes them easier to read 🙂

1 Like

It's working fine now for me. I added the icinga user's SSH key to the remote server where I wanted to SSH, and it works fine.

1 Like
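
As an added example (not code from this thread or from the Icinga project): a preflight that a check plugin can run under the service account to tell apart the two failures seen above, the Errno 13 on `connect()` and the missing SSH key. The function names, the key-file list and the `connect` callable are assumptions made for illustration.

```python
#!/usr/bin/python
# Added example: preflight and error mapping for an SSH-based check plugin.
# All function names here are hypothetical, not from the thread's script.
import errno
import os
import sys

UNKNOWN = 3  # plugin exit code meaning "the check itself could not run"
KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519")  # assumed default key files

def usable_keys(home):
    """Private keys under home/.ssh that the current user can read."""
    ssh_dir = os.path.join(home, ".ssh")
    return [n for n in KEY_NAMES if os.access(os.path.join(ssh_dir, n), os.R_OK)]

def preflight(home=None, environ=None):
    """Return (ok, message): can the account running the check authenticate?"""
    home = home or os.path.expanduser("~")
    environ = os.environ if environ is None else environ
    keys = usable_keys(home)
    if keys or environ.get("SSH_AUTH_SOCK"):
        return True, "euid=%d keys=%s" % (os.geteuid(), ",".join(keys) or "agent")
    return False, "euid=%d has no readable key in %s/.ssh" % (os.geteuid(), home)

def explain(exc):
    """Map the two failures seen in this thread to an actionable message."""
    if getattr(exc, "errno", None) == errno.EACCES:
        return ("connect() denied (Errno 13): file modes are not the cause; "
                "look for SELinux denials, e.g. ausearch -m avc -ts recent")
    if "No authentication methods available" in str(exc):
        return "no SSH key or agent for the user running the check"
    return "unexpected error: %s" % exc

def run_check(connect, home=None, environ=None):
    """Run connect() after the preflight; return (exit_code, message)."""
    ok, msg = preflight(home, environ)
    if not ok:
        return UNKNOWN, msg
    try:
        connect()
    except Exception as exc:
        return UNKNOWN, explain(exc)
    return 0, "connected"

if __name__ == "__main__":
    code, text = run_check(lambda: None)  # replace lambda with the real connect
    print(("OK - " if code == 0 else "UNKNOWN - ") + text)
    sys.exit(code)
```

Running it with `sudo -u icinga`, as suggested in the thread, shows what the service account sees rather than what a login user sees.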