SELinux and Icinga
Today I ran into an SELinux problem when installing Icinga. I followed their documentation, "Adjusting the SELinux settings". However, my CGIs still would not run. When I ran
Code:
cat /var/log/audit/audit.log | audit2allow -v
I received the following output:
Code:
#============= httpd_sys_script_t ==============
# src="httpd_sys_script_t" tgt="initrc_tmp_t" class="file", perms="{ read getattr open }"
# comm="tac.cgi" exe="" path=""
allow httpd_sys_script_t initrc_tmp_t:file { read getattr open };
I had to create a policy module and build it using the following commands:
Code:
cd /usr/local/src
mkdir icinga-selinux
cd icinga-selinux
audit2allow -M icinga-cgi -l -i /var/log/audit/audit.log
I removed icinga-cgi.pp and modified icinga-cgi.te to be the following:
Code:
module icinga-cgi 1.0;

require {
    type initrc_tmp_t;
    type httpd_sys_script_t;
    class file { read write getattr open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t initrc_tmp_t:file { read getattr open };
I then proceeded to compile the module and install it.
Code:
checkmodule -M -m -o icinga-cgi.mod icinga-cgi.te
semodule_package -o icinga-cgi.pp -m icinga-cgi.mod
semodule -i icinga-cgi.pp
--------------------
I then had to compile a second module to get "reschedule next service check" working.
Code:
audit2allow -M icinga-schedule-cmd -l -i /var/log/audit/audit.log
Module source:
Code:
module icinga-schedule-cmd 1.0;

require {
    type httpd_sys_script_t;
    type usr_t;
    class fifo_file getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:fifo_file getattr;
Compile and install the module:
Code:
checkmodule -M -m -o icinga-schedule-cmd.mod icinga-schedule-cmd.te
semodule_package -o icinga-schedule-cmd.pp -m icinga-schedule-cmd.mod
semodule -i icinga-schedule-cmd.pp
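An audit2allow-generated .te file is worth reading before it goes through checkmodule and semodule: an allow rule whose target is a generic label such as initrc_tmp_t or usr_t usually means the file the CGI touched is mislabeled, and the durable fix is an fcontext rule plus restorecon rather than a new allow rule. The following shell script is an added example, not code from the post; it parses the allow rules of a .te module and flags generic target types and modifying permissions. The list of generic types and the list of modifying permissions are this example's own assumptions, and the sample module combines the two allow rules from the post with one constructed rule.

```shell
#!/bin/sh
# Added example (not from the original post): review an audit2allow-generated
# .te module before compiling and loading it.
# Flags raised per allow rule:
#   GENERIC-TARGET  target type is a broad base label (assumed list below);
#                   usually a sign the file should be relabeled instead.
#   MODIFIES        the rule lets the domain change the target (write, ...).

# Assumed lists for this example; extend to taste.
GENERIC_TYPES='usr_t tmp_t var_t initrc_tmp_t etc_t bin_t lib_t'
MODIFY_PERMS='write append create unlink rename setattr'

# Sample input: the two allow rules from the post plus one constructed rule.
SAMPLE_TE='module icinga-review 1.0;
require {
    type initrc_tmp_t;
    type httpd_sys_script_t;
    class file { read write getattr open };
}
allow httpd_sys_script_t initrc_tmp_t:file { read getattr open };
allow httpd_sys_script_t usr_t:fifo_file getattr;
allow httpd_sys_script_t httpd_sys_rw_content_t:file { read write };'

# review_te: read .te source on stdin, print one line per allow rule:
#   <source> <target> <class> <perms>[ GENERIC-TARGET][ MODIFIES]
review_te() {
    awk -v generic="$GENERIC_TYPES" -v modify="$MODIFY_PERMS" '
    BEGIN {
        n = split(generic, g, " "); for (i = 1; i <= n; i++) isgen[g[i]] = 1
        n = split(modify,  m, " "); for (i = 1; i <= n; i++) ismod[m[i]] = 1
    }
    /^[ \t]*allow[ \t]/ {
        line = $0
        sub(/^[ \t]*allow[ \t]+/, "", line); sub(/;[ \t]*$/, "", line)
        src = line;  sub(/[ \t].*$/, "", src)            # source domain
        rest = line; sub(/^[^ \t]+[ \t]+/, "", rest)     # "tgt:class perms"
        tgt = rest;  sub(/:.*$/, "", tgt)                # target type
        cls = rest;  sub(/^[^:]+:/, "", cls); sub(/[ \t].*$/, "", cls)
        perms = rest; sub(/^[^ \t]+[ \t]+/, "", perms)
        gsub(/[{}]/, "", perms); gsub(/^[ \t]+|[ \t]+$/, "", perms)
        flags = ""
        if (tgt in isgen) flags = flags " GENERIC-TARGET"
        np = split(perms, pl, /[ \t]+/)
        for (i = 1; i <= np; i++) if (pl[i] in ismod) { flags = flags " MODIFIES"; break }
        printf "%s %s %s %s%s\n", src, tgt, cls, perms, flags
    }'
}

printf '%s\n' "$SAMPLE_TE" | review_te
```

Run it against the real module with `review_te < icinga-cgi.te`; any line ending in GENERIC-TARGET is a candidate for a semanage fcontext rule instead.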
Comments
Here's the now-recommended way of managing file_contexts.local using the semanage utility.
Code:
semanage fcontext -a -t httpd_sys_script_exec_t '/usr/local/icinga/sbin(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/usr/local/icinga/share(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/local/icinga/var(/.*)?'
Warning: The rest of the comment is the old method of manually editing file_contexts.local. I left it for documentation purposes; however, you should execute the semanage commands I outlined above.
I added the following lines to /etc/selinux/targeted/contexts/files/file_contexts.local:
Code:
/usr/local/icinga/sbin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/usr/local/icinga/share(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/local/icinga/var(/.*)?      system_u:object_r:httpd_sys_rw_content_t:s0
Posted 08-23-2012 at 11:13 PM by sag47
Updated 06-18-2013 at 09:14 AM by sag47
-
I forgot to mention in my previous comment that once I created the security contexts for Icinga, I used the restorecon command on those three folders so that they work with SELinux.
Code:
restorecon -R /usr/local/icinga/sbin
restorecon -R /usr/local/icinga/share
restorecon -R /usr/local/icinga/var
Posted 01-13-2013 at 10:57 PM by sag47
-
Recently I compiled icinga-web. It requires the following security contexts to be appended to /etc/selinux/targeted/contexts/files/file_contexts.local:
Code:
/usr/local/icinga-web/app(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/usr/local/icinga-web/lib(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/usr/local/icinga-web/pub(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/usr/local/icinga-web/app/cache(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/local/icinga-web/log(/.*)?        system_u:object_r:httpd_sys_rw_content_t:s0
Code:
restorecon -R /usr/local/icinga-web
Posted 04-16-2013 at 11:00 PM by sag47