FEDORA-EPEL-2019-9bad34efbb created by smooge 2 years ago for Fedora EPEL 7
obsolete

Fix BZ#1674258 add explicit User and Group to systemctl startup.

This update has been submitted for testing by smooge.

2 years ago

This update has been pushed to testing.

2 years ago
kenyon commented & provided feedback 2 years ago

Nagios runs for me, so I'd say #1674258 is fixed.

The package upgrade should have done a systemctl daemon-reload because the systemd unit changed. I had to do that manually because systemd complained that the unit changed on disk.

Also there is still the minor problem that /usr/lib/systemd/system/nagios.service is marked executable.

BZ#1674258 Nagios will not start due to SELinux denials
kenyon commented & provided feedback 2 years ago

Actually, it doesn't work.

It seems that maybe the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1592594 caused another problem. Now I get these SELinux denials from httpd that I wasn't getting with nagios 4.3.4-5.el7:

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551152845.860:270): avc:  denied  { getattr } for  pid=2176 comm="httpd" path="/var/spool/nagios/status.dat" dev="dm-3" ino=2114580 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/sbin/httpd from read access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551152845.861:271): avc:  denied  { read } for  pid=2176 comm="httpd" name="status.dat" dev="dm-3" ino=2114580 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/lib64/nagios/cgi-bin/statusjson.cgi from read access on the file /var/spool/nagios/objects.cache.
type=AVC msg=audit(1551152846.15:272): avc:  denied  { read } for  pid=2391 comm="statusjson.cgi" name="objects.cache" dev="dm-3" ino=2114578 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
BZ#1674258 Nagios will not start due to SELinux denials

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
kenyon commented & provided feedback 2 years ago

Also, in syslog I get these messages, which maybe indicates that these files aren't properly registered with the package management system?

/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/status.dat
/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/objects.cache
kenyon commented & provided feedback 2 years ago

Ahh actually, I think my three SELinux denials in comment https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-9bad34efbb#comment-900273 are bugs in selinux-policy packages. I'm running RHEL 7.4 (with EUS). If I upgrade selinux-policy and its dependencies to the RHEL 7.5 versions, these denials go away.

So, breaks nagios on RHEL 7.4: selinux-policy-3.13.1-166.el7_4.7.noarch
Allows nagios to work on RHEL 7.4: selinux-policy-3.13.1-192.el7_5.3.noarch

So, I don't think you really need to do anything about these problems, @smooge, because we really ought to be upgrading from RHEL 7.4 anyway.

kenyon commented & provided feedback 2 years ago

Nope, correction again. Even with selinux-policy-3.13.1-192.el7_5.3, still getting these two httpd denials for /var/spool/nagios/status.dat with nagios-4.4.3-4.el7:

SELinux is preventing /usr/sbin/httpd from read access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:260): avc:  denied  { read } for  pid=1604 comm="httpd" name="status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:259): avc:  denied  { getattr } for  pid=1604 comm="httpd" path="/var/spool/nagios/status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
BZ#1674258 Nagios will not start due to SELinux denials
kenyon commented & provided feedback 2 years ago

Correcting my feedback. #1674258 seems to have been fixed, but there are new SELinux policy problems.

BZ#1674258 Nagios will not start due to SELinux denials

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update's test gating status has been changed to 'greenwave_failed'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'greenwave_failed'.

8 months ago

This update's test gating status has been changed to 'ignored'.

8 months ago

This update has been obsoleted by nagios-4.4.5-4.el7.

8 months ago


Metadata
Type: bugfix
Karma: -1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
BZ#1674258 Nagios will not start due to SELinux denials