LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Blogs > sag47
User Name
Password

Notices

Rate this Entry

SELinux and Icinga

Posted 08-05-2012 at 12:39 AM by sag47
Updated 08-05-2012 at 12:57 AM by sag47

Today I ran into an SELinux problem when installing icinga. I followed their documentation "Adjusting the SELinux settings". However my cgis still would not run. When I ran,
Code:
cat /var/log/audit/audit.log | audit2allow -v
I received the following output,
Code:
#============= httpd_sys_script_t ==============
# src="httpd_sys_script_t" tgt="initrc_tmp_t" class="file", perms="{ read getattr open }"
# comm="tac.cgi" exe="" path=""
allow httpd_sys_script_t initrc_tmp_t:file { read getattr open };
I had to create a policy module and build it using the following commands...
Code:
cd /usr/local/src
mkdir icinga-selinux
cd icinga-selinux
audit2allow -M icinga-cgi -l -i /var/log/audit/audit.log
I removed icinga-cgi.pp and modified icinga-cgi.te to be the following.
Code:
module icinga-cgi 1.0;

require {
        type initrc_tmp_t;
        type httpd_sys_script_t;
        class file { read write getattr open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t initrc_tmp_t:file { read getattr open };
I then proceeded to compile the module and install it.
Code:
checkmodule -M -m -o icinga-cgi.mod icinga-cgi.te
semodule_package -o icinga-cgi.pp -m icinga-cgi.mod
semodule -i icinga-cgi.pp
--------------------

I then had to compile a second module to get "reschedule next service check" working.
Code:
audit2allow -M icinga-schedule-cmd -l -i /var/log/audit/audit.log
Module Source.
Code:
module icinga-schedule-cmd 1.0;

require {
        type httpd_sys_script_t;
        type usr_t;
        class fifo_file getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:fifo_file getattr;
Compile and install module,
Code:
checkmodule -M -m -o icinga-schedule-cmd.mod icinga-schedule-cmd.te
semodule_package -o icinga-schedule-cmd.pp -m icinga-schedule-cmd.mod
semodule -i icinga-schedule-cmd.pp
Views 5818 Comments 3
« Prev     Main     Next »
Total Comments 3

Comments

  1. Old Comment
    Here's the now recommended way of managing file_contexts.local using the semanage utility.

    Code:
    semanage fcontext -a -t httpd_sys_script_exec_t '/usr/local/icinga/sbin(/.*)?'
    semanage fcontext -a -t httpd_sys_content_t '/usr/local/icinga/share(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/usr/local/icinga/var(/.*)?'
    Warning: The rest of the comment is the old method of manually editing file_contexts.local. I left it for documentation purposes however you should execute the semanage commands I outlined above.


    I added the following lines to /etc/selinux/targeted/contexts/files/file_contexts.local
    Code:
    /usr/local/icinga/sbin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
    /usr/local/icinga/share(/.*)? system_u:object_r:httpd_sys_content_t:s0
    /usr/local/icinga/var(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
    After that submitting cmd.cgi (reschedule command checks) worked again.
    Posted 08-23-2012 at 11:13 PM by sag47 sag47 is offline
    Updated 06-18-2013 at 09:14 AM by sag47
  2. Old Comment
    I forgot to mention but in my previous comment once I created the security contexts for Icinga I used the restorecon command on those three folders so that they work with SELinux.

    Code:
    restorecon -R /usr/local/icinga/sbin
    restorecon -R /usr/local/icinga/share
    restorecon -R /usr/local/icinga/var
    Posted 01-13-2013 at 10:57 PM by sag47 sag47 is offline
  3. Old Comment
    Recently I compiled icinga-web. It requires the following security contexts to be appended to /etc/selinux/targeted/contexts/files/file_contexts.local
    Code:
    /usr/local/icinga-web/app(/.*)?  system_u:object_r:httpd_sys_content_t:s0
    /usr/local/icinga-web/lib(/.*)?  system_u:object_r:httpd_sys_content_t:s0
    /usr/local/icinga-web/pub(/.*)?  system_u:object_r:httpd_sys_content_t:s0
    /usr/local/icinga-web/app/cache(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
    /usr/local/icinga-web/log(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
    Now restore the contexts.
    Code:
    restorecon -R /usr/local/icinga-web
    Posted 04-16-2013 at 11:00 PM by sag47 sag47 is offline
 

  



All times are GMT -5. The time now is 01:23 AM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration