[dev.icinga.com #3555] Define SELinux contexts rather than using chcon command.

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/3555

Created by sag47 on 2013-01-22 22:02:03 +00:00

Assignee: Wolfgang
Status: Resolved (closed on 2014-03-08 10:22:52 +00:00)
Target Version: 1.11
Last Update: 2014-03-08 10:22:52 +00:00 (in Redmine)

---

Regarding the Linux documentation for Icinga with SELinux. Namely:
http://docs.icinga.org/latest/en/quickstart-idoutils.html#selinuxsettings

I recommend adding rules to /etc/selinux/targeted/contexts/files/file_contexts.local. That way a simple restorecon command can be issued. Like
[code]restorecon -R /usr/local/icinga/sbin[/code]

Here's where I have documented how I do it.
http://www.linuxquestions.org/questions/blog/sag47-492023/selinux-and-icinga-34926/

In the comments I outline where I set up the SELinux rules. Anybody have thoughts on this method rather than suggested method in the docs? Using file_contexts allows you to easily add files and content. Only a restorecon command is needed to update the contexts of new content.

[icinga-migration]

Updated by mfriedrich on 2013-03-03 19:34:58 +00:00

• Target Version changed from 1.8.2 to 1.9

[icinga-migration]

Updated by mfriedrich on 2013-04-10 09:20:33 +00:00

• Target Version changed from 1.9 to 1.10

[icinga-migration]

Updated by Wolfgang on 2013-04-28 11:37:32 +00:00

• Status changed from New to Assigned
• Assigned to set to Wolfgang
• Done % changed from 0 to 50

commit 3c9fd84 in next (#3555)

[icinga-migration]

Updated by mfriedrich on 2013-10-16 14:44:55 +00:00

• Status changed from Assigned to Feedback
• Target Version changed from 1.10 to 1.11

close it if done, but for 1.10 i'll drop it now on beta docs generation.

[icinga-migration]

Updated by mfriedrich on 2014-03-07 10:31:50 +00:00

status?

[icinga-migration]

Updated by sag47 on 2014-03-07 16:12:39 +00:00

The status is as far as I know only a link has been included in the documentation. http://docs.icinga.org/latest/en/quickstart-idoutils.html#selinuxsettings

The better method IMO would be to use `semanage` to create context defaults and use `restorecon` to set them. This is more inline with best practices which is different from my original request. Here's a sample.

semanage fcontext -a -t httpd_sys_script_exec_t '/usr/local/icinga/sbin(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/usr/local/icinga/share(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/local/icinga/var(/.*)?'
restorecon -R /usr/local/icinga/sbin
restorecon -R /usr/local/icinga/share
restorecon -R /usr/local/icinga/var

The `semanage` command will automatically add entries to `/etc/selinux/targeted/contexts/files/file_contexts.local`. This method would provide a user with the ability to simply resotorecon -R the icinga directory. I recommend it within the documentation rather than providing a link to an offsite website.

[icinga-migration]

Updated by Wolfgang on 2014-03-08 10:22:52 +00:00

• Status changed from Feedback to Resolved
• Done % changed from 50 to 100

Commit 17c5799 in master (instead of next, *sigh)