Bug should be fixed in epel-testing for RHEL7. It may not be fixed in RHEL6 which I am working on to confirm.

I've tried packages from epel-testing and the module still won't load.

[root@konan:production: ~]# rpm -qa | grep nrpe
nagios-plugins-nrpe-3.1.1-6.el7.x86_64
nrpe-selinux-3.1.1-6.el7.x86_64
nrpe-3.1.1-6.el7.x86_64
[root@konan:production: ~]# lsmod | grep nrpe
[root@konan:production: ~]# semodule -i /usr/share/selinux/packages/nrpe/nrpe.pp 
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/nagios/nrpe\.cfg.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/lib/nagios/plugins/check_nrpe.
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
semodule:  Failed!
[root@konan:production: ~]# 


I've tried the packages on a CentOS install that doesn't have any of our site specific config and the module doesn't load on that either, same error messages.

nrpe-3.2.0-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c

nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bb989d629b

nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-030b96c51c

[root@konan:production: ~]# rpm -qa | grep nrpe
nrpe-selinux-3.2.0-6.el7.x86_64
nrpe-3.2.0-6.el7.x86_64
nagios-plugins-nrpe-3.2.0-6.el7.x86_64
[root@konan:production: ~]# semodule -l | grep nrpe
nrpe_epel	1.0
[root@konan:production: ~]#

Sadly this hasn't made any difference, the SELinux messages continue as before:

Aug  8 11:38:54 konan setroubleshoot: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 8cd70288-d065-4f54-aa37-c9dd8457b0f8
Aug  8 11:38:54 konan python: SELinux is preventing /usr/lib64/nagios/plugins/check_nrpe from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that check_nrpe should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe#012# semodule -i my-checknrpe.pp#012



I had to load the nrpe_epel module manually. It didn't get loaded as a result of installing the rpm because the postinstall scriptlet is written to only install the module on "Fi(r)st install" and I already had nrpe-selinux installed. The module needs to get installed on upgrade as well.


I don't think the way the postinstall scriplet is constructed makes sense

if [ "$1" -le "1" ]; then # Fist install
   semodule -i /usr/share/selinux/packages/nrpe.pp 2>/dev/null || :
   fixfiles -R nrpe restore || :

systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
        # Package upgrade, not uninstall
        systemctl try-restart nrpe.service >/dev/null 2>&1 || :
fi

fi


The check for whether $1 is greater than 1 is inside the the condition for if $1 is less than 1. How's "systemctl try-restart" ever going to get called?
The preuninstall scriptlet is constructed the same way.

I think I've found the solution to the SELinux messages.

I realised there's now a nagios-selinux package, as talked about in 

https://bugzilla.redhat.com/show_bug.cgi?id=1475447

The newest version of that I could find for CentOS 7 is nagios-selinux-4.3.2-8.el7.x86_64.rpm 

I didn't want to mess with the nagios package that's installed, nagios-4.3.2-5.el7.x86_64, so I force installed nagios-selinux-4.3.2-8.el7.x86_64.rpm then manually installed the nagios_epel module. (The path in the postinstall scriplet is wrong, which I see is already fixed in later version of the package for EPEL6 but I guess not for 7). All the SELinux messages stopped. I removed the nagios_epel module and the messages started. Loaded the module again, the messages stopped again.

OK the second part is because the main nagios/nrpe is in one policy in the original selinux policy, but these are now different policies shipped with different RPMS. 

The first part is completely me not doing my job as maintainer it would seem. Thank you for catching that. I will fix both selinux rpms as they have the same code in them.

nrpe-3.2.0-6.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-3.2.0-6.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.