This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #2921] add full selinux support #1052

Closed
icinga-migration opened this issue Jul 30, 2012 · 20 comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/2921

Created by mfriedrich on 2012-07-30 21:15:42 +00:00

Assignee: (none)
Status: New
Target Version: Backlog
Last Update: 2015-06-12 17:06:18 +00:00 (in Redmine)


this is still missing in the packages, and is currently the final showstopper for EPEL upstream.

there might be insights on the work Chris already made (check selinux/), plus maybe some insights from this howto as well
http://mbrownnyc.wordpress.com/technology-solutions/reliability-monitoring-solution/implement-icinga-on-centos6-with-selinux/

Attachments

  • icinga.fc dgoetz - 2012-08-13 12:19:08 +00:00 - Filecontexts
  • icinga.if dgoetz - 2012-08-13 12:19:08 +00:00 - Interfaces
  • icinga.te dgoetz - 2012-08-13 12:19:08 +00:00 - Typeenforcement
  • icinga.sh dgoetz - 2012-08-13 12:19:08 +00:00 - Compile and Deploy script

Changesets

2012-08-31 13:29:40 +00:00 by mfriedrich 06043e2

selinux: import policy files for fc17 from #2921

refs #2921

Relations:

@icinga-migration

Updated by dgoetz on 2012-08-13 12:19:08 +00:00

  • File added icinga.fc
  • File added icinga.if
  • File added icinga.te
  • File added icinga.sh

I created a policy for the packages on Fedora 17 (created from spec-file in sources)

```
$ rpm -qa | grep icinga
icinga-1.7.1-1.fc17.x86_64
icinga-doc-1.7.1-1.fc17.x86_64
icinga-idoutils-libdbi-mysql-1.7.1-1.fc17.x86_64
icinga-web-1.7.2-1.fc17.noarch
icinga-gui-1.7.1-1.fc17.x86_64
```

I had to change the init-scripts by adding chcon after touching the pid:

```
chcon -t icinga_var_run_t $IcingaRunFile
chcon -t ido2db_var_run_t $Ido2dbRunFile
```

In the typeenforcement-file I have added some comments where perhaps some developer can have a look at the code (privileges that I am not sure about, files moved from tmp to spool), and also where I think it should better be in another policy (Nagios or Apache).

Icinga and Icinga-Web are running with mysql backend and without any AVC-errors except for some leaked file descriptors through the plugins. Plugins are running in the contexts defined by Nagios policy.

Perhaps the lines starting with permissive should be commented in so nothing breaks in a different setup. This would result in a system running enforced and Icinga and its components running permissive.

I think that is all information needed, but if there are questions, feel free to ask.
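
The following is an added example, not part of the original comment or the attached policy files: a way to separate AVC denials raised by plugin domains (where the leaked file descriptors mentioned above show up) from denials raised by the daemon itself, such as a pid file that never received its `icinga_var_run_t` label. The sample log lines are constructed; `icinga_t`, `icinga_log_t`, the paths and the assumption that an unlabelled pid file carries `var_run_t` are illustrative.

```shell
#!/bin/sh
# Constructed audit.log lines, not taken from the issue. icinga_t,
# icinga_log_t and the paths are assumed names for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1344860000.101:501): avc:  denied  { read write } for  pid=2101 comm="check_ping" path="/var/log/icinga/icinga.log" dev="dm-0" ino=1201 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:icinga_log_t:s0 tclass=file
type=AVC msg=audit(1344860060.207:502): avc:  denied  { read write } for  pid=2140 comm="check_http" path="/var/log/icinga/icinga.log" dev="dm-0" ino=1201 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:icinga_log_t:s0 tclass=file
type=AVC msg=audit(1344860100.314:503): avc:  denied  { write } for  pid=1999 comm="icinga" name="icinga.pid" dev="tmpfs" ino=3302 scontext=system_u:system_r:icinga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1344860100.314:503): arch=c000003e syscall=2 success=no exit=-13 comm="icinga"
EOF
}

# Read audit records on stdin and print one line per distinct denial:
# "count source_type target_type class perms".
summarize_avc() {
  awk '
    function value(line, key,   i, rest) {
      i = index(line, " " key "=")
      if (i == 0) return ""
      rest = substr(line, i + length(key) + 2)
      sub(/ .*$/, "", rest)
      return rest
    }
    # The SELinux type is the third colon-separated field of a context.
    function setype(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }
    /^type=AVC / && / denied / {
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms); gsub(/ /, ",", perms)
      key = setype(value($0, "scontext")) " " setype(value($0, "tcontext")) " " value($0, "tclass") " " perms
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# Keep only denials whose source is not a Nagios plugin domain. These point
# at the daemon policy or at file labelling rather than at leaked descriptors.
daemon_denials() {
  summarize_avc | awk '$2 !~ /^nagios_.*_plugin_t$/'
}

# On a live system the input would come from: ausearch -m avc --raw
sample_audit_log | daemon_denials
```
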

@icinga-migration

Updated by mfriedrich on 2012-09-03 17:43:08 +00:00

  • Target Version changed from 1.8 to 1.9

we'll talk on osmc, as discussed via mail, thanks in advance.

@icinga-migration

Updated by mfriedrich on 2013-04-06 22:00:14 +00:00

  • Status changed from Assigned to Feedback
  • Assigned to deleted mfriedrich
  • Target Version deleted 1.9

i'll drop the release target for now, and wait til rene provides the files.

https://sourceforge.net/mailarchive/message.php?msg_id=30509241

@icinga-migration

Updated by davidressman on 2013-06-27 00:46:37 +00:00

Just FYI for anyone else besides Michael and Dirk who might be watching, I'm taking a crack at this. We're targeting the 1.10 release for full SELinux support. When things look a little more complete, I'll create a new issue.

@icinga-migration

Updated by mfriedrich on 2013-06-29 14:53:48 +00:00

  • Status changed from Feedback to Assigned
  • Assigned to set to davidressman
  • Target Version set to 1.10

added reporter status in order to assign the todos to you.

@icinga-migration

Updated by mfriedrich on 2013-08-13 11:36:53 +00:00

Hi,

can you give a short status update / summary of what's been done so far? Thanks.

@icinga-migration

Updated by mfriedrich on 2013-10-14 22:31:01 +00:00

status?

@icinga-migration

Updated by mfriedrich on 2013-10-16 14:43:35 +00:00

  • Target Version changed from 1.10 to 1.11

@icinga-migration

Updated by bigon on 2014-01-09 15:05:29 +00:00

Hi,

Shouldn’t this also be forwarded to the selinux reference policy upstreams (refpolicy) so the other distributions can use it?

In the current refpolicy there is already a nagios module that could be improved to include icinga support

@icinga-migration

Updated by mfriedrich on 2014-01-25 16:23:51 +00:00

  • Assigned to changed from davidressman to spstarr

@icinga-migration

Updated by mfriedrich on 2014-03-03 18:54:02 +00:00

  • Target Version changed from 1.11 to 1.12

feature freeze 1.11

@icinga-migration

Updated by spstarr on 2014-04-24 12:00:23 +00:00

Well, SLES uses AppArmor as does Ubuntu, Fedora/RHEL use SELinux, we can engage the SELinux policy group in Fedora and they can refine your policy files. I will include this for 1.11.2 tonight.

@icinga-migration

Updated by spstarr on 2014-04-24 12:01:10 +00:00

  • Priority changed from Normal to High

@icinga-migration

Updated by spstarr on 2014-06-10 14:12:05 +00:00

  • Assigned to changed from spstarr to shk

Reassigning to Sam for Policy work

@icinga-migration

Updated by mfriedrich on 2014-10-26 19:12:46 +00:00

  • Target Version deleted 1.12

@icinga-migration

Updated by mfriedrich on 2015-03-12 19:14:57 +00:00

  • Priority changed from High to Normal

I assume nothing has happened so far? I think it's reasonable to skip it entirely and focus on 2.x. Opinions?

@icinga-migration

Updated by berk on 2015-05-18 12:17:35 +00:00

  • Target Version set to Backlog

@icinga-migration

Updated by mfriedrich on 2015-06-12 17:06:18 +00:00

  • Status changed from Assigned to New
  • Assigned to deleted shk

@icinga-migration icinga-migration added this to the Backlog milestone Jan 17, 2017
@dnsmichi dnsmichi removed this from the Backlog milestone Dec 19, 2017
@dnsmichi
Contributor

Won't happen, we have that in 2.x.
