Description of problem:
=======================
Nagios installation should enable the nagios_run_sudo SELinux boolean on each monitored node, including the Nagios server itself.
Setting this on the gluster node, still fails with issues running nrpe commands. Stanislav, can you confirm setting the boolean + updated policy worked for you?
(In reply to Sahina Bose from comment #1)
> Setting this on the gluster node, still fails with issues running nrpe
> commands.
> Stanislav, can you confirm setting the boolean + updated policy worked for
> you?

Oh! it worked. We can do several things:
* sync on IRC tomorrow
* you can give me machine details for me to look
* or I can prepare environment for you to check

Let me know.
(In reply to Stanislav Graf from comment #2)
> (In reply to Sahina Bose from comment #1)
> > Setting this on the gluster node, still fails with issues running nrpe
> > commands.
> > Stanislav, can you confirm setting the boolean + updated policy worked for
> > you?
>
> Oh! it worked. We can do several things:
> * sync on IRC tomorrow
> * you can give me machine details for me to look
> * or I can prepare environment for you to check
>
> Let me know.

I'll provide my setup to Ramesh and Sahina.
Thanks, Stanislav, for the machine setup. I will fix the nagios plugins rpms to enable nagios_run_sudo as part of the rpm install.
On RHEL7 there is an additional boolean named nagios_run_pnp4nagios, i.e. there are both nagios_run_sudo and nagios_run_pnp4nagios. On RHEL6 there is only nagios_run_sudo.

AVCs from my el7 machine:
~~~
selinux-policy-3.13.1-25.el7.noarch

#============= nagios_t ==============

#!!!! This avc can be allowed using the boolean 'nagios_run_pnp4nagios'
allow nagios_t nagios_log_t:file execute;
allow nagios_t nagios_var_lib_t:dir create;
~~~

Should we be allowing this one too on el7?
Moving back to MODIFIED as the build is not ready but errata has moved the bugs to ON_QA.
We are setting the sebool nagios_run_sudo as part of the rpm install. It will happen even when selinux is in permissive or disabled mode. So after upgrade, if you set selinux into permissive, then everything should work properly.
Can someone confirm if the fixed-in version is right? I think the fix should be in gluster-nagios-addons and not in nagios-server-addons.
It's fixed in both:
gluster-nagios-addons-0.2.4-2.el6rhs, gluster-nagios-addons-0.2.4-2.el7rhgs
nagios-server-addons-0.2.1-5.el7rhgs, nagios-server-addons-0.2.1-3.el6rhs
Moving this bug back because I do not see that the boolean is set correctly.

getsebool nagios_run_sudo still shows the value to be off.

This might be due to the same issue as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1237065.

But in the bug above I do see that when setting the boolean fails there is an error. But for nagios I do not see any. Can someone help me understand this?

Installing samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64
Cannot set persistent booleans without managed policy.
warning: %post(samba-vfs-glusterfs-0:4.1.17-7.el6rhs.x86_64) scriptlet failed, exit status 255
(In reply to RamaKasturi from comment #19)
> Moving this bug back because I do not see that the boolean is set correctly.
>
> getsebool nagios_run_sudo still shows the value to be off.
>
> This might be due to the same issue as mentioned in
> https://bugzilla.redhat.com/show_bug.cgi?id=1237065.
>

I have tested it with rpm install use cases and it works correctly. If the ISO installation doesn't set the boolean then it's likely because of the issue mentioned in bz#1237065. We have to change the order during ISO installation so that nagios packages are getting installed after installing selinux policies.

> But in the bug above I do see that when setting the boolean fails there is an
> error. But for nagios I do not see any. Can someone help me understand this?
>

Currently the output of the 'setsebool' command is not shown in the installation log. It is redirected to /dev/null. Maybe we can fix it separately with another bug.

> Installing samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64
> Cannot set persistent booleans without managed policy.
> warning: %post(samba-vfs-glusterfs-0:4.1.17-7.el6rhs.x86_64) scriptlet
> failed, exit status 255
As per the latest updates from bz#1237065, we have to add the required selinux package dependencies in gluster-nagios-addons and nagios-server-addons. It needs to be done for both RHEL6 and RHEL7.

Prasanth: Can you provide the RHEL-6 and RHEL-7 package versions for selinux-policy-targeted and selinux-policy which have the following sebools for nagios: 'nagios_run_sudo', 'nagios_run_pnp4nagios' and 'logging_syslogd_run_nagios_plugins'.
(In reply to Ramesh N from comment #21)
> As per the latest updates from bz#1237065, we have to add the required
> selinux package dependencies in gluster-nagios-addons and
> nagios-server-addons. It needs to be done for both RHEL6 and RHEL7.
>
> Prasanth: Can you provide the RHEL-6 and RHEL-7 package versions for
> selinux-policy-targeted and selinux-policy which have the following sebools
> for nagios: 'nagios_run_sudo', 'nagios_run_pnp4nagios' and
> 'logging_syslogd_run_nagios_plugins'.

Ramesh,

For RHEL-6, you can take this build: https://brewweb.devel.redhat.com/buildinfo?buildID=443534

For RHEL-7, I would recommend you to check and confirm with mgrepel (mgrepl) to get the correct build which has all your required fixes. AFAIK, we have got only 1 RHEL-7.1.Z build [1] till date and I'm not really sure if that has all the fixes that we want.

[1] https://brewweb.devel.redhat.com/buildinfo?buildID=441837
Following sebooleans are enabled as part of this bug:
nagios_run_sudo
nagios_run_pnp4nagios

This may not work in case of ISO install or upgrading from a system where old selinux-policy was installed. This issue is being tracked with following bugs:

For RHEL-6
bz#1240242
bz#1240235

For RHEL-7
bz#1240237
bz#1240240

We need one more sebool 'logging_syslogd_run_nagios_plugins' to be enabled on the rhgs node to enable nagios monitoring. This is being tracked with the bz#1235409

Moving this to ON_QA, please watch out for the updates on above mentioned bugs for the respective issues.
Thanks for Comment 23.

Tested:

nagios-server-addons-0.2.1-4.el6rhs.noarch
* sets nagios_run_sudo

nagios-server-addons-0.2.1-5.el7rhgs.x86_64
* sets nagios_run_sudo, nagios_run_pnp4nagios

gluster-nagios-addons-0.2.4-4.el6rhs.x86_64
* sets nagios_run_sudo, logging_syslogd_run_nagios_plugins (Bug 1235409)

gluster-nagios-addons-0.2.4-2.el7rhgs.x86_64
* sets nagios_run_sudo
* missing logging_syslogd_run_nagios_plugins (Bug 1235409)

Installation and upgrade ensure booleans are set.
Uninstall disables booleans.

--> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-1494.html
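A post-install check for the booleans tracked in this bug, added here as an example (it is not part of the bug report or of the packages' scriptlets). The function names, the `server`/`node` role labels and the sample `getsebool -a` snapshots are assumptions made for the example; the expected set per role and release follows the comments above. A boolean the installed policy does not define is reported as `missing`, which is the old-policy and ISO-install case discussed in the thread.

```shell
#!/bin/sh
# Added example: report whether the SELinux booleans named in this bug are on.
# Input is text in `getsebool -a` format: "<name> --> on|off".

# expected_booleans ROLE EL -> booleans that should be on (per the thread).
expected_booleans() {
    case "$1:$2" in
        server:6) echo "nagios_run_sudo" ;;
        server:7) echo "nagios_run_sudo nagios_run_pnp4nagios" ;;
        node:6|node:7) echo "nagios_run_sudo logging_syslogd_run_nagios_plugins" ;;
        *) return 2 ;;
    esac
}

# boolean_state NAME SNAPSHOT -> prints on, off, or missing (not in policy).
boolean_state() {
    state=$(printf '%s\n' "$2" |
        awk -v n="$1" '$1 == n && $2 == "-->" { print $3; exit }')
    echo "${state:-missing}"
}

# check_booleans ROLE EL SNAPSHOT -> one line per boolean; returns 1 if any
# expected boolean is off or missing, 2 for an unknown role/release.
check_booleans() {
    wanted=$(expected_booleans "$1" "$2") || {
        echo "unknown role/release: $1 $2" >&2
        return 2
    }
    rc=0
    for b in $wanted; do
        s=$(boolean_state "$b" "$3")
        echo "$b: $s"
        [ "$s" = "on" ] || rc=1
    done
    return $rc
}

# Constructed sample: el7 gluster node where one required boolean is still off.
SAMPLE_EL7_NODE='logging_syslogd_run_nagios_plugins --> off
nagios_run_pnp4nagios --> on
nagios_run_sudo --> on'

# Constructed sample: policy that does not define the nagios booleans at all.
SAMPLE_OLD_POLICY='httpd_can_network_connect --> off'

# Demo on the constructed samples; on a live host pass "$(getsebool -a)".
check_booleans node 7 "$SAMPLE_EL7_NODE" || echo "node el7: booleans not all on"
check_booleans node 6 "$SAMPLE_OLD_POLICY" || echo "node el6: booleans not all on"
```

Running the check after package install surfaces a failed boolean change even when the scriptlet's own `setsebool` output has been discarded.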