Bug 1322666 - Selinux prevents checks from running
Summary: Selinux prevents checks from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nagios
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Keiran Smith
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-31 03:54 UTC by IanB
Modified: 2017-09-01 07:53 UTC
CC: 12 users

Fixed In Version: nagios-4.2.4-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-22 14:50:17 UTC
Type: Bug
Embargoed:



Description IanB 2016-03-31 03:54:23 UTC
Description of problem:

Nagios checks fail to run with error 'Unable to run check for service x on host y' or 'Unable to send check for host y to worker' appearing in /var/log/nagios/nagios.log

/var/log/messages shows the following SELinux message:

Mar 31 03:37:15 nagios setroubleshoot: SELinux is preventing /usr/sbin/nagios from connectto access on the unix_stream_socket /var/spool/nagios/cmd/nagios.qh. For complete SELinux messages. run sealert -l c6ea9f1c-bb0f-460e-b257-60ee39c6be43
Mar 31 03:37:15 nagios python: SELinux is preventing /usr/sbin/nagios from connectto access on the unix_stream_socket /var/spool/nagios/cmd/nagios.qh.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow daemons to enable cluster mode
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'None' man page for more details.
Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that nagios should be allowed connectto access on the nagios.qh unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nagios /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I also see in the process listing defunct processes e.g.:

nagios     808     1  0 03:37 ?        00:00:00 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
nagios     814   808  0 03:37 ?        00:00:00 [nagios] <defunct>
nagios     815   808  0 03:37 ?        00:00:00 [nagios] <defunct>
nagios     816   808  0 03:37 ?        00:00:00 [nagios] <defunct>
nagios     817   808  0 03:37 ?        00:00:00 [nagios] <defunct>



Version-Release number of selected component (if applicable):

nagios-4.0.8-2.el7.x86_64
Centos7


How reproducible:

always

Expected results:

SELinux policy should be included with the package to allow checks to run

Additional info:

Switching SELinux from 'enforcing' to 'permissive' and restarting Nagios resolves the issue.

Comment 1 Fedora Update System 2017-02-07 23:46:48 UTC
nagios-4.2.4-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f3297a19b

Comment 2 Fedora Update System 2017-02-09 21:17:46 UTC
nagios-4.2.4-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0f3297a19b

Comment 3 Fedora Update System 2017-02-22 14:50:17 UTC
nagios-4.2.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Mike Willis 2017-06-20 14:53:17 UTC

I am seeing this problem on freshly installed CentOS 7 servers with nagios-4.2.4-2.el7.x86_64 


In /var/log/nagios/nagios.log

[1497967111] Unable to send check for host 'localhost' to worker (ret=-2)
[1497967118] Unable to run check for service 'PING' on host 'localhost'
[1497967134] Unable to send check for host 'foo' to worker (ret=-2)
[1497967171] Unable to send check for host 'localhost' to worker (ret=-2)
[1497967178] Unable to run check for service 'PING' on host 'localhost'
[1497967194] Unable to send check for host 'foo' to worker (ret=-2)


In /var/log/messages

Jun 20 15:17:13 new python: SELinux is preventing /usr/sbin/nagios from connectto access on the unix_stream_socket /var/spool/nagios/cmd/nagios.qh.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow daemons to enable cluster mode
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.

Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that nagios should be allowed connectto access on the nagios.qh unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nagios' --raw | audit2allow -M my-nagios
# semodule -i my-nagios.pp


Older CentOS 7 servers running nagios that were set up when EPEL included nagios-3.5.1-1.el7.x86_64 and have since been updated to nagios-4.2.4-2.el7.x86_64 work fine. Those have an SELinux module called nagios-socket which is not present on freshly installed machines. On the older servers the file is located at

/etc/selinux/targeted/modules/active/modules/nagios-socket.pp

It does not belong to an rpm.


On a server which was originally installed with nagios-3.5.1-1.el7.x86_64 

[root@old ~]# sesearch -ACS -t nagios_t | grep unix_stream_soc | grep  nagios_t |  grep connectto
   allow nagios_t nagios_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto } ; 
[root@old ~]# 

On a server installed today

[root@new ~]# sesearch -ACS -t nagios_t | grep unix_stream_soc | grep  nagios_t |  grep connectto
[root@new ~]#


Copying nagios-socket.pp to a freshly installed server and loading it makes nagios checks work.

I can't work out where nagios-socket.pp comes from. I have not been able to find older versions of EPEL nagios rpm to examine to see if they provided it in a manner which caused it not to be removed on package upgrade.

Comment 5 Tadas Slotkus 2017-09-01 07:53:12 UTC
Try:
yum -y install nagios-selinux
semodule -i /usr/share/selinux/packages/nagios/nagios_epel.pp
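Comment 4 checks with sesearch whether the loaded policy lets nagios_t connectto its own unix_stream_socket, and comment 5 points at the packaged nagios_epel.pp module. The shell script below is an added example, not part of this bug report and not code from the nagios or nagios-selinux packages: for a host where the packaged module is not available it derives the single rule the quoted AVC denial needs, emits it as policy source in the form checkmodule(8) accepts, and verifies the result with the same sesearch check as comment 4. The AVC record is constructed to match the denial in the report; the module name nagios_qh and the function names are this example's own. Two caveats a practitioner should weigh against the setroubleshoot suggestions in the description: setsebool -P daemons_enable_cluster_mode 1 flips a policy-wide boolean rather than anything nagios-specific, and audit2allow's catchall module grants every denial recorded for the process, so both hand out more than this one allow rule.

```shell
#!/bin/bash
# Added example (not from the bug report or the nagios/nagios-selinux packages):
# turn the nagios.qh AVC denial into the narrowest policy module that fixes it.
set -eu

# Constructed sample AVC record modelled on the denial quoted in the bug:
# source and target are both nagios_t, class unix_stream_socket, perm connectto.
# On the affected host the real record comes from:  ausearch -m avc -c nagios --raw
SAMPLE_AVC='type=AVC msg=audit(1459395435.123:456): avc:  denied  { connectto } for  pid=808 comm="nagios" path="/var/spool/nagios/cmd/nagios.qh" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=unix_stream_socket permissive=0'

# avc_fields LINE
# Prints "source_type target_type class permissions" for one raw AVC record.
avc_fields() {
  local line=$1 perms src tgt cls
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
  src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^: ]*:[^: ]*:\([^: ]*\):.*/\1/p')
  tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\):.*/\1/p')
  cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
  [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
  printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$perms"
}

# make_te MODULE SRC TGT CLASS PERMS
# Emits module source in checkmodule form (the shape audit2allow produces),
# containing only the one allow rule. Same type on both sides becomes "self".
make_te() {
  local name=$1 src=$2 tgt=$3 cls=$4 perms=$5
  [ "$src" = "$tgt" ] && tgt=self
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$name" "$src"
  [ "$tgt" = self ] || printf '    type %s;\n' "$tgt"
  printf '    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
    "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

# build_module NAME
# Compiles NAME.te and loads it. Run as root on the affected host; needs
# checkmodule (checkpolicy), semodule_package and semodule (policycoreutils).
build_module() {
  local name=$1
  checkmodule -M -m -o "$name.mod" "$name.te"
  semodule_package -o "$name.pp" -m "$name.mod"
  semodule -i "$name.pp"
}

# verify_rule SRC TGT CLASS PERM
# Succeeds if the loaded policy allows the rule: the sesearch check from
# comment 4, narrowed to exactly this source, target, class and permission.
verify_rule() {
  sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q "allow $1 $2"
}

# Walk through the sample: parse the denial, then print the module source.
read -r SRC TGT CLS PERMS <<EOF
$(avc_fields "$SAMPLE_AVC")
EOF
TE_SOURCE=$(make_te nagios_qh "$SRC" "$TGT" "$CLS" "$PERMS")
printf '%s\n\n' "$TE_SOURCE"
echo "# On the affected host, as root:"
echo "#   printf '%s\\n' \"\$TE_SOURCE\" > nagios_qh.te && build_module nagios_qh"
echo "#   verify_rule $SRC $TGT $CLS connectto && echo rule present"
```

Run as-is the script only parses the sample and prints the generated nagios_qh.te; build_module and verify_rule are for the affected host, where loading the module needs root. After loading, the sesearch command from comment 4 should show the allow line that was missing on the freshly installed server.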

