[dev.icinga.com #11648] Reload permission error with SELinux #4147

Closed
icinga-migration opened this issue Apr 21, 2016 · 9 comments
@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/11648

Created by mzac on 2016-04-21 13:04:38 +00:00

Assignee: dgoetz
Status: Resolved (closed on 2016-08-15 11:36:11 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-15 11:36:11 +00:00 (in Redmine)

Icinga Version: 2.4.7
Backport?: Not yet backported
Include in Changelog: 1

I've noticed that if Icinga2 is started by the root user and the icinga user then tries a reload, there is a permission error thrown:

[root@icinga-dev1 tmp]# ls -al /tmp/tmp.PUc2IEXfZI

-rw-------.  1 icinga icinga 1232896 Apr 21 09:00 tmp.PUc2IEXfZI

[ ~]$ sudo su - icinga
-bash-4.1$ service icinga2 reload
Validating config files: chcon: failed to change context of `/tmp/tmp.PUc2IEXfZI' to `unconfined_u:object_r:icinga2_tmp_t:s0': Invalid argument
Done
Reloading Icinga 2: Done

Changesets

2016-08-15 11:15:56 +00:00 by dgoetz 5e628f0

Mute chcon during safe-reload
to remove error message on systems with SELinux enabled but without icinga2 policy

refs #11648

2016-08-15 11:33:47 +00:00 by dgoetz bc06ff1

Mute chcon during safe-reload

Removes the error message on systems with SELinux enabled but without icinga2 policy.

fixes #11648
@icinga-migration

Updated by mfriedrich on 2016-04-22 08:07:12 +00:00

  • Subject changed from Reload permission error to Reload permission error with SELinux
  • Category set to Packages
  • Status changed from New to Assigned

Sounds like an SELinux issue. @dirk please have a look into that, thanks.

@icinga-migration

Updated by mfriedrich on 2016-08-09 07:59:39 +00:00

  • Assigned to set to dgoetz

@icinga-migration

Updated by dgoetz on 2016-08-09 10:53:34 +00:00

I need some more input. Can you tell me the operating system version? Your output looks like a non-systemd version, so it is not a RHEL 7 derivative or Fedora.

For now I think it is RHEL6 with SELinux enabled but we do not provide a policy, so chcon -t icinga2_tmp_t $OUTPUTFILE from safe-reload fails, but apart from the output it does not cause any problems.

@icinga-migration

Updated by mzac on 2016-08-09 16:17:46 +00:00

You were good on your guess, RHEL 6. Anything else you need?

Red Hat Enterprise Linux Server release 6.8 (Santiago)
Linux icinga-dev1 2.6.32-573.12.1.el6.x86_64 #1 SMP Mon Nov 23 12:55:32 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@icinga-dev1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

dirk wrote:

I need some more input. Can you tell me the operating system version? Your output looks like a non-systemd version, so it is not a RHEL 7 derivative or Fedora.

For now I think it is RHEL6 with SELinux enabled but we do not provide a policy, so chcon -t icinga2_tmp_t $OUTPUTFILE from safe-reload fails, but apart from the output it does not cause any problems.

@icinga-migration

Updated by dgoetz on 2016-08-10 07:23:37 +00:00

Ok, so then this is no real issue, as it does not cause any problems apart from the error message; we should simply silence the command. I will create a patch later. Thanks!
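
An alternative to muting chcon entirely, shown as an added example that is not part of this thread or of Icinga's safe-reload script: it stays silent when the type is missing from the loaded policy (the "Invalid argument" case reported here) but keeps any other relabel failure visible. The function names and return codes are assumptions made for the illustration; only `chcon -t icinga2_tmp_t $OUTPUTFILE` and the error text come from the thread.

```shell
#!/bin/sh
# Added example, not Icinga's safe-reload script. Function names and
# return codes are assumptions; only the chcon call and the
# "Invalid argument" error text are taken from the thread.

# label_tmpfile FILE SETYPE
#   0  file relabelled
#   1  SELinux not enabled on this host, nothing to do
#   2  type not defined in the loaded policy (the case in this report)
#   3  any other chcon failure, which should stay visible
# On failure the chcon message is kept in LABEL_ERR instead of being printed.
label_tmpfile() {
    file=$1
    setype=$2
    LABEL_ERR=""

    # Without the SELinux userland, or with SELinux disabled, there is no label to set.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        return 1
    fi

    # LC_ALL=C keeps the error text stable so it can be matched below.
    if LABEL_ERR=$(LC_ALL=C chcon -t "$setype" "$file" 2>&1); then
        return 0
    fi

    case $LABEL_ERR in
        *"Invalid argument"*) return 2 ;;
        *) return 3 ;;
    esac
}

# report_label FILE SETYPE
# Quiet for codes 0-2; prints the captured message only for unexpected failures.
report_label() {
    rc=0
    label_tmpfile "$1" "$2" || rc=$?
    if [ "$rc" -eq 3 ]; then
        echo "relabel of $1 failed: $LABEL_ERR" >&2
    fi
    return 0
}
```

A reload script would call `report_label "$OUTPUTFILE" icinga2_tmp_t` in place of the bare chcon line.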

@icinga-migration

Updated by dgoetz on 2016-08-15 11:22:52 +00:00

  • Assigned to changed from dgoetz to mfriedrich
  • Target Version set to 2.5.0

Patch is in a separate branch fix/chcon-11648.

@dnsmichi: Can you please review and merge this small fix to 2.5.0?

@icinga-migration

Updated by mfriedrich on 2016-08-15 11:32:13 +00:00

  • Assigned to changed from mfriedrich to dgoetz

@icinga-migration

Updated by mfriedrich on 2016-08-15 11:36:07 +00:00

Thanks, merged.

@icinga-migration

Updated by dgoetz on 2016-08-15 11:36:11 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset bc06ff1.

@icinga-migration icinga-migration added bug Something isn't working area/setup Installation, systemd, sample files labels Jan 17, 2017
@icinga-migration icinga-migration added this to the 2.5.0 milestone Jan 17, 2017