FEDORA-EPEL-2017-328a23d1ed created by smooge 2 years ago for Fedora EPEL 6
stable

Added fix for selinux from Patrick Uiterwijk


Update to latest in git


Updated from 4.3.1 maint to 4.3.2


We find out that RHEL-6 does not like non-UTF so removed German translation


Major update to Nagios to address outstanding Security needs.


nagios-4.0.8-1.fc21 nagios-4.0.8-1.fc22 nagios-4.0.8-1.el6 nagios-4.0.8-1.el7 nagios-4.0.8-1.fc23

  • update to 4.0.8
This update has been submitted for testing by smooge. 2 years ago
This update has obsoleted [nagios-4.3.2-3.el6](https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-16880697fe), and has inherited its bugs and notes. 2 years ago
User Icon devhen commented & provided feedback 2 years ago

I'd love to test this out and provide karma but I'm a little weary because I don't currently have a nagios install running on a development or test server where I would feel comfortable doing a major-version upgrade.

Do you know if any changes to an existing nagios config will be necessary for moving from the current EL6 version (3.5.1) to this version?

Thanks for doing these updates!!

Cheers

User Icon smooge commented & provided feedback 2 years ago

What I did to test in the end was to create a small virtual machine and install the packages from the existing setup. I then copied over /etc/nagios. I updated to the newest nagios and ran a nagios -v /etc/nagios/nagios.cfg to see what broke. For our setup we had customized things in a way which 'worked' in previous versions but didn't in the new version. I fixed those up and then edited my nagios.cfg differences into the nagios.cfg.rpmnew so I got the additional configs that the new version wanted.

This update has been pushed to testing. 2 years ago
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes 2 years ago
This update has been submitted for stable by smooge. 2 years ago
This update has been pushed to stable. 2 years ago
User Icon devhen commented & provided feedback 2 years ago
karma

So this seems to be working perfectly for me and I haven't had to change any of my configs. I didn't get any errors on service nagios restart and things seem to be working as before. Are there any particular configuration settings I should look at?

Thanks for this update!!!!!

BZ#1005974 nagios-4.3.2 is available
BZ#1201462 Update Nagios package to at least -5
BZ#1075867 Upgrade to Nagios 4.x
User Icon devhen commented & provided feedback 2 years ago

Hey smooge. Weird one here. I have 2 virtually identical machines running this version of nagios on Cent 6 and one of them has a strange problem where I cannot commit any changes through the nagios web admin. For exmple, disabling notifications or disabling checks of a service. When I click the commit button it spins and spins for a long time and then eventually gives a "Gateway Time-out" error. I've tried deleting retention.dat and rebooting. Any ideas? Very strange that my other nagios box does not have this problem.

User Icon devhen commented & provided feedback 2 years ago

Turns out its not just committing changes, nothing is working. No checks have been performed in the last 2 days. The only thing that I can see that happened that day are CentOS 6 samba updates. Downgrading those updates doesn't seem to help.

User Icon smooge commented & provided feedback 2 years ago

@devhen OK time to see what is different between the systems. Does one have selinux running and the other one does not? Does one have the nagios_epel6 selinux policy and the other one does not?

User Icon devhen commented & provided feedback 2 years ago

@smooge So I found two different problems. For one, my /etc/nagios/nagios.cfg had the pid file set to /var/run/nagios.pid but it should now be /var/run/nagios/nagios.pid. Secondly, starting nagios with service nagios start failed with 2 selinux errors:

Sep 28 12:09:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/nagios from write access on the file /tmp/.configtest.LZ74T8iY. For complete SELinux messages. run sealert -l 57464946-0362-40f3-a585-5d79d4b17459 Sep 28 12:09:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/nagios from using the chown capability. For complete SELinux messages. run sealert -l 585086e4-e53d-4a8a-85f8-4af5bf7a852f

So I ran:

grep nagios /var/log/audit/audit.log | audit2allow -M nagios-chown semodule -i nagios-chown.pp

Which solved that problem. But now SELinux is blocking all attempts to query my monitored servers. Log messages look like this:

Sep 28 12:18:21 localhost nagios: Unable to run check for service 'Memory' on host 'xxxxx'

And SELinux audit logs look like this:

type=AVC msg=audit(1506622404.225:6960996): avc: denied { execute_no_trans } for pid=16769 comm="nagios" path="/usr/sbin/nagios" dev=cciss!c0d0p3 ino=1057038 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_exec_t:s0 tclass=file

Any ideas? Strange that now I'm having SELinux errors when I was getting them before.

Thanks

User Icon devhen commented & provided feedback 2 years ago

@smooge If I stop nagios and start it manually with the command /usr/sbin/nagios -d /etc/nagios/nagios.cfg rather than starting it with service nagios start, then I don't get the SELinux errors and everything seems to work fine.

User Icon smooge commented & provided feedback 2 years ago

OK I found a bug in various things but 4.3.4-4 works on service nagios start/stop without selinux problems.


Please login to add feedback.

Metadata
Type
security
Karma
1
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
BZ#469320 CVE-2008-4796 snoopy: command execution via shell metacharacters
0
0
BZ#958002 CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
0
0
BZ#958305 CVE-2008-4796 snoopy: command execution via shell metacharacters [epel-6]
0
0
BZ#994780 CVE-2013-4214 nagios: Nagios core: html/rss-newsfeed.php insecure temporary file usage [epel-6]
0
0
BZ#1005974 nagios-4.3.2 is available
0
0
BZ#1036331 [cosmetic] Double slash in Nagios' web interface URL
0
0
BZ#1046113 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
0
0
BZ#1046333 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars() [fedora-all]
0
0
BZ#1046335 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars() [epel-6]
0
0
BZ#1066580 CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi [fedora-all]
0
0
BZ#1066582 CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi [epel-6]
0
0
BZ#1074611 Consider using Nagios 4.x branch for EPEL7
0
0
BZ#1075867 Upgrade to Nagios 4.x
0
0
BZ#1083003 Nagios SIGSEGV on (internal to nagios) scheduled log rotate if livestatus module is loaded and a downtime is set
0
0
BZ#1084934 Unable to reload nagios under systemd
0
0
BZ#1111720 use_embedded_perl_implicitly=1 by default is user-hostile
0
0
BZ#1121499 CVE-2014-5009 CVE-2014-5008 CVE-2008-7313 nagios: snoopy: incomplete fixes for command execution flaws [fedora-all]
0
0
BZ#1121500 CVE-2014-5009 CVE-2014-5008 CVE-2008-7313 nagios: snoopy: incomplete fixes for command execution flaws [epel-all]
0
0
BZ#1189183 Does not handle invalid hostgroup_member correctly
0
0
BZ#1201462 Update Nagios package to at least -5
0
0
BZ#1201849 Support an environment file in the systemd unit file
0
0
BZ#1218320 Install the Nagios checkresults directory with group-writable permissions
0
0
BZ#1402871 CVE-2016-9566 nagios: Privilege escalation issue [epel-all]
0
0
BZ#1426816 Nagios RPM 4.2.4 forgot to reload systemd in postinstall
0
0
BZ#1428111 Broken links in the View Trends and the View Histogram menu
0
0

Automated Test Results