Also, in syslog I get these messages, which maybe indicates that these files aren't properly registered with the package management system?
/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/status.dat
/usr/bin/sealert: failed to retrieve rpm info for /var/spool/nagios/objects.cache
Nope, correction again. Even with selinux-policy-3.13.1-192.el7_5.3, still getting these two httpd denials for /var/spool/nagios/status.dat with nagios-4.4.3-4.el7:
SELinux is preventing /usr/sbin/httpd from read access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:260): avc: denied { read } for pid=1604 comm="httpd" name="status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/spool/nagios/status.dat.
type=AVC msg=audit(1551157687.728:259): avc: denied { getattr } for pid=1604 comm="httpd" path="/var/spool/nagios/status.dat" dev="dm-3" ino=2114574 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=file
BZ#1674258 Nagios will not start due to SELinux denials
This update has been submitted for testing by smooge.
This update has been pushed to testing.
Nagios runs for me, so I'd say #1674258 is fixed.
The package upgrade should have done a systemctl daemon-reload because the systemd unit changed. I had to do that manually because systemd complained that the unit changed on disk.
Also there is still the minor problem that /usr/lib/systemd/system/nagios.service is marked executable.
Actually, it doesn't work.
It seems that maybe the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1592594 caused another problem. Now I get these SELinux denials from httpd that I wasn't getting with nagios 4.3.4-5.el7:
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Ahh actually, I think my three SELinux denials in comment https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-9bad34efbb#comment-900273 are bugs in selinux-policy packages. I'm running RHEL 7.4 (with EUS). If I upgrade selinux-policy and its dependencies to the RHEL 7.5 versions, these denials go away.
So, breaks nagios on RHEL 7.4: selinux-policy-3.13.1-166.el7_4.7.noarch
Allows nagios to work on RHEL 7.4: selinux-policy-3.13.1-192.el7_5.3.noarch
So, I don't think you really need to do anything about these problems, @smooge, because we really ought to be upgrading from RHEL 7.4 anyway.
Correcting my feedback. #1674258 seems to have been fixed, but there are new SELinux policy problems.
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
This update's test gating status has been changed to 'greenwave_failed'.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'greenwave_failed'.
This update's test gating status has been changed to 'ignored'.
This update has been obsoleted by nagios-4.4.5-4.el7.