Bug 1322666
Summary: | Selinux prevents checks from running | | |
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | IanB <bugzilla.blk> |
Component: | nagios | Assignee: | Keiran Smith <affix> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | epel7 | CC: | affix, jose.p.oliveira.oss, lemenkov, linux, mike.willis, nduffy, ondrejj, shawn.starr, smooge, s, swilkerson, ts |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | nagios-4.2.4-2.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-02-22 14:50:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
IanB
2016-03-31 03:54:23 UTC
nagios-4.2.4-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f3297a19b

nagios-4.2.4-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f3297a19b

nagios-4.2.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

I am seeing this problem on freshly installed CentOS 7 servers with nagios-4.2.4-2.el7.x86_64

In /var/log/nagios/nagios.log

    [1497967111] Unable to send check for host 'localhost' to worker (ret=-2)
    [1497967118] Unable to run check for service 'PING' on host 'localhost'
    [1497967134] Unable to send check for host 'foo' to worker (ret=-2)
    [1497967171] Unable to send check for host 'localhost' to worker (ret=-2)
    [1497967178] Unable to run check for service 'PING' on host 'localhost'
    [1497967194] Unable to send check for host 'foo' to worker (ret=-2)

In /var/log/messages

    Jun 20 15:17:13 new python: SELinux is preventing /usr/sbin/nagios from connectto access on the unix_stream_socket /var/spool/nagios/cmd/nagios.qh.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow daemons to enable cluster mode#012Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.#012#012Do#012setsebool -P daemons_enable_cluster_mode 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that nagios should be allowed connectto access on the nagios.qh unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nagios' --raw | audit2allow -M my-nagios#012# semodule -i my-nagios.pp#012

Older CentOS 7 servers running nagios that were set up when EPEL included nagios nagios-3.5.1-1.el7.x86_64 and have since been updated to nagios-4.2.4-2.el7.x86_64 work fine. Those have an selinux module called nagios-socket which is not present on freshly installed machines. On the older servers the file is located at /etc/selinux/targeted/modules/active/modules/nagios-socket.pp. It does not belong to an rpm.

On a server which was originally installed with nagios-3.5.1-1.el7.x86_64

    [root@old ~]# sesearch -ACS -t nagios_t | grep unix_stream_soc | grep nagios_t | grep connectto
    allow nagios_t nagios_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto } ;
    [root@old ~]#

On a server installed today

    [root@new ~]# sesearch -ACS -t nagios_t | grep unix_stream_soc | grep nagios_t | grep connectto
    [root@new ~]#

Copying nagios-socket.pp to and loading it on freshly installed server makes nagios checks work. I can't work out where nagios-socket.pp comes from. I have not been able to find older versions of EPEL nagios rpm to examine to see if they provided it in a manner which caused it not to be removed on package upgrade.

Try:

    yum -y install nagios-selinux
    semodule -i /usr/share/selinux/packages/nagios/nagios_epel.pp
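The old-versus-new policy comparison made in the comments above, written as a repeatable check. This is an added example, not code from the bug report or from the nagios package. The function names are hypothetical, the log line (shortened) and the old-server rule are copied from the report, and the `NEAR_MISS` rule is constructed.

```shell
#!/bin/sh
# Added example, not from the report. MSG and OLD_POLICY are copied (MSG
# shortened) from the report; NEAR_MISS is constructed.

# rsyslog stores embedded newlines as "#012"; turn them back into newlines.
decode_syslog() {
    awk '{ gsub("#012", "\n"); print }'
}

# Print "source|access|class|target" from a setroubleshoot summary on stdin.
denial_fields() {
    decode_syslog | sed -n \
      's/^.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) \(.*\)\.$/\1|\2|\3|\4/p' |
      head -n 1
}

# Exit 0 only if stdin (sesearch output) holds a line starting with "allow"
# whose source and target are both $1, class is $2 and permissions include $3.
# Fields are compared exactly, so rules for another domain or class are ignored.
allows_self() {
    awk -v t="$1" -v c="$2" -v p="$3" '
        { gsub(/[:;{}]/, " ") }
        $1 == "allow" && $2 == t && $3 == t && $4 == c {
            for (i = 5; i <= NF; i++) if ($i == p) found = 1
        }
        END { exit !found }'
}

MSG='Jun 20 15:17:13 new python: SELinux is preventing /usr/sbin/nagios from connectto access on the unix_stream_socket /var/spool/nagios/cmd/nagios.qh.#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012'
OLD_POLICY='allow nagios_t nagios_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto } ;'
NEW_POLICY=''   # the freshly installed server printed no matching rule
NEAR_MISS='allow httpd_t nagios_t : unix_stream_socket connectto ;'   # constructed

fields=$(printf '%s\n' "$MSG" | denial_fields)
access=$(printf '%s' "$fields" | cut -d'|' -f2)
class=$(printf '%s' "$fields" | cut -d'|' -f3)
echo "denied: $fields"
for name in OLD_POLICY NEW_POLICY NEAR_MISS; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | allows_self nagios_t "$class" "$access"; then
        echo "$name: nagios_t self $class $access is allowed"
    else
        echo "$name: no nagios_t self $class $access rule"
    fi
done
```

On a live host, pipe the report's `sesearch -ACS -t nagios_t` into `allows_self nagios_t unix_stream_socket connectto` in place of the embedded samples.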