FEDORA-EPEL-2019-9bad34efbb

bugfix update in Fedora EPEL 7 for nagios

Status: testing 7 months ago

Fix BZ#1674258: add explicit User and Group to systemctl startup.

Comments 12

This update has been submitted for testing by smooge.

This update has been pushed to testing.

Nagios runs for me, so I'd say #1674258 is fixed.

The package upgrade should have done a systemctl daemon-reload because the systemd unit changed. I had to do that manually because systemd complained that the unit changed on disk.

Also there is still the minor problem that /usr/lib/systemd/system/nagios.service is marked executable.

karma: +1 #1674258: +1

Actually, it doesn't work.

It seems that maybe the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1592594 caused another problem. Now I get these SELinux denials from httpd that I wasn't getting with nagios 4.3.4-5.el7:

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551152845.860:270): avc:  denied  { getattr } for  pid=2176 comm="httpd" path="/var/spool/nagios/status.dat" dev="dm-3" ino=2114580 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/sbin/httpd from read access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551152845.861:271): avc:  denied  { read } for  pid=2176 comm="httpd" name="status.dat" dev="dm-3" ino=2114580 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/lib64/nagios/cgi-bin/statusjson.cgi from read access on the file /var/spool/nagios/objects.cache.
type=AVC msg=audit(1551152846.15:272): avc:  denied  { read } for  pid=2391 comm="statusjson.cgi" name="objects.cache" dev="dm-3" ino=2114578 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
karma: -1 #1674258: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

Also, in syslog I get these messages, which maybe indicates that these files aren't properly registered with the package management system?

/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/status.dat
/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/objects.cache

Ahh actually, I think my three SELinux denials in comment https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-9bad34efbb#comment-900273 are bugs in selinux-policy packages. I'm running RHEL 7.4 (with EUS). If I upgrade selinux-policy and its dependencies to the RHEL 7.5 versions, these denials go away.

So, breaks nagios on RHEL 7.4: selinux-policy-3.13.1-166.el7_4.7.noarch
Allows nagios to work on RHEL 7.4: selinux-policy-3.13.1-192.el7_5.3.noarch

So, I don't think you really need to do anything about these problems, @smooge, because we really ought to be upgrading from RHEL 7.4 anyway.

Nope, correction again. Even with selinux-policy-3.13.1-192.el7_5.3, still getting these two httpd denials for /var/spool/nagios/status.dat with nagios-4.4.3-4.el7:

SELinux is preventing /usr/sbin/httpd from read access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:260): avc:  denied  { read } for  pid=1604 comm="httpd" name="status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:259): avc:  denied  { getattr } for  pid=1604 comm="httpd" path="/var/spool/nagios/status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
karma: -1 #1674258: -1

Correcting my feedback. #1674258 seems to have been fixed, but there are new SELinux policy problems.

karma: -1 #1674258: +1

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.

This update's test gating status has been changed to 'greenwave_failed'.

This update's test gating status has been changed to 'ignored'.


Content Type: RPM
Status: testing
Test Gating:
Submitted by:
Update Type: bugfix
Update Severity: unspecified
Karma: -1
stable threshold: 3
unstable threshold: -3
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted 7 months ago, in testing 7 months ago

Related Bugs 1

0+1 #1674258 Nagios will not start due to SELinux denials
