[dev.icinga.com #8332] Add selinux policy rpm package #2585
Comments
Updated by dgoetz on 2015-02-02 12:59:34 +00:00 I discussed this with Michael at FOSDEM and want to summarize: Creating the selinux-policy:
Creating a rpm:
Documentation:
Michael and I started prototyping at FOSDEM; he will check it in as a separate feature branch (@michael: Please use version 0.1.0 in the policy file, so I can try a proper versioning of the policy). |
Updated by mfriedrich on 2015-02-09 09:57:19 +00:00
|
Updated by dgoetz on 2015-02-11 22:08:51 +00:00
Added some more file contexts, domain transitions and the api port. While doing so I found some things we should talk about:
|
Updated by mfriedrich on 2015-02-12 08:17:06 +00:00 dirk wrote:
Thanks, added that patch to the feature branch.
Not sure what you mean here. /var/lib/icinga2, /var/log/icinga2, /var/spool/icinga2 must be writable by the daemon.
That directory is only used by the icinga2 daemon, and must not be read by plugins (could expose information).
They are kept in /etc/icinga2/scripts and must be executable. The reason for keeping them there is that the user should be able to modify them easily. There is no generic notification script around, at least not yet to my knowledge. |
Updated by mfriedrich on 2015-02-12 08:19:40 +00:00
|
Updated by gbeutner on 2015-02-13 09:30:35 +00:00
|
Updated by dgoetz on 2015-03-02 15:11:03 +00:00 Added support for databases and graphite. I do have something to discuss:
Should I patch it in this way in the feature branch?
|
Updated by dgoetz on 2015-03-17 21:35:29 +00:00
Changes:
As the next step I want to get the documentation started, so everyone can see what should work and I can ask for testers. Packaging I want to do after that, hoping to get it ready to merge for 2.4. |
Updated by dgoetz on 2015-03-30 08:15:11 +00:00
|
Updated by dgoetz on 2015-05-07 20:34:50 +00:00 Added the required changes to the spec. |
Updated by mfriedrich on 2015-05-19 07:57:46 +00:00
|
Updated by mfriedrich on 2015-06-01 12:27:10 +00:00
Review
TODOs
|
Updated by mfriedrich on 2015-06-01 12:27:19 +00:00
|
Updated by mfriedrich on 2015-06-02 11:49:47 +00:00 Tobi came over and told me that el6 builds fail due to unmet dependencies with systemd.
I've disabled the selinux builds for el5/6 inside the spec file for now, please come up with a proper implementation @dirk |
Updated by dgoetz on 2015-06-18 12:39:35 +00:00 Had a look at implementing it, and this would require moving the EL7-specific parts of the policy to a separate patch, using cmake to change the files or something like that, because simply putting it in an optional statement is not enough. Added documentation for package installation. |
Updated by dgoetz on 2015-06-22 07:59:18 +00:00 The packagers' target is Fedora 22/23 and EPEL7, so EPEL6 and non-systemd will be ignored until someone else requires it. |
Updated by mfriedrich on 2015-06-26 09:13:26 +00:00
|
Updated by dgoetz on 2015-06-29 09:14:00 +00:00
For more tests I would need a bigger environment, so hopefully we will find some testers. And no idea what we could perhaps need additionally. |
Updated by mfrosch on 2015-08-26 11:14:16 +00:00
I noticed that the icinga2_var_run_t context doesn't really make sense, since /run is a tmpfs on RHEL7. How can we fix this cleanly? Allowing httpd to access run? |
Updated by spstarr on 2015-08-29 22:50:28 +00:00 We're missing tools/selinux in the main tarball, since I need the stock tarball in Fedora (I could package the selinux parts as additions however). |
Updated by dgoetz on 2015-09-14 11:30:50 +00:00 @lazyfrosch: The context on /var/run is fine. Just have a look at the pre-script for systemd (prepare-dirs), the context is restored after creation. Perhaps this could be done with native systemd using tmpfiles.d, but I do not want to change things that are working fine. @spstarr: Is it fine if Michael includes it in the tarball with the 2.4 release? |
Updated by gbeutner on 2015-10-21 12:35:12 +00:00
|
Updated by seferovic on 2015-11-24 15:30:51 +00:00 Hi, I'm getting a lot of messages because apparently the monitoring plugins want to access /var/lib/icinga2/api/log/current
And I am seeing this for every check... ATM it is only a test system with SELinux enabled, but this would produce a huge load of logging info when the system goes live. What else could/should I test to help you with this feature? |
Updated by dgoetz on 2015-11-26 08:52:06 +00:00 Hi, this is a result of bug #8900 and the bug has an untested patch attached, you can perhaps give this one a try. But this would require compiling. |
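To gauge the per-check denial volume described in the two comments above, repeated AVC records can be collapsed into one row per distinct denial. This is an added example, not part of the issue or of the Icinga 2 policy; the audit records and the SELinux type names in them are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records, not taken from the issue. The SELinux type
# names in scontext/tcontext are assumptions made for this illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1448379051.101:501): avc:  denied  { read } for  pid=4101 comm="check_ping" name="current" dev="dm-0" ino=26411 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1448379051.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="check_ping"
type=AVC msg=audit(1448379052.230:502): avc:  denied  { read } for  pid=4107 comm="check_http" name="current" dev="dm-0" ino=26411 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448379053.412:503): avc:  denied  { read } for  pid=4113 comm="check_ssh" name="current" dev="dm-0" ino=26411 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448379054.007:504): avc:  denied  { getattr } for  pid=4120 comm="check_disk" path="/run/icinga2" dev="tmpfs" ino=1811 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_run_t:s0 tclass=dir
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    perms = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": tuple(sorted(perms.group(1).split())),
        # A context is user:role:type:level; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", "?"),
        # Records carry either name= (last path component) or path=.
        "object": fields.get("name") or fields.get("path", "?"),
        "comm": fields.get("comm", "?"),
    }


def summarise(log_text):
    """Group denials by (source, target, class, perms, object), most frequent first."""
    counts, comms = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"], rec["perms"], rec["object"])
        counts[key] += 1
        comms.setdefault(key, set()).add(rec["comm"])
    return [(key, n, sorted(comms[key])) for key, n in counts.most_common()]


if __name__ == "__main__":
    for key, n, commands in summarise(SAMPLE_AUDIT_LOG):
        print(n, key, commands)
```

A single row with a high count and many different plugin commands points at one shared cause rather than at the individual checks.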
Updated by gbeutner on 2016-04-13 10:22:53 +00:00 What's the status for this ticket? |
Updated by dgoetz on 2016-04-18 11:40:31 +00:00 This can be closed and the feature branch deleted after merging "feature/doc-selinux-10553". |
Updated by gbeutner on 2016-08-03 08:17:15 +00:00
|
Updated by mfriedrich on 2016-11-09 15:06:12 +00:00
|
This issue has been migrated from Redmine: https://dev.icinga.com/issues/8332
Created by mfriedrich on 2015-02-01 15:40:24 +00:00
Assignee: dgoetz
Status: Closed (closed on 2016-11-09 15:06:12 +00:00)
Target Version: (none)
Last Update: 2016-11-09 15:06:12 +00:00 (in Redmine)
Changesets
2015-02-03 10:30:41 +00:00 by (unknown) 4238c64
2015-02-12 08:13:53 +00:00 by (unknown) f6dd732
2015-02-12 08:14:27 +00:00 by dgoetz 4b6c49c
2015-02-27 09:47:45 +00:00 by dgoetz b02289b
2015-03-17 18:51:54 +00:00 by dgoetz 63fe680
2015-03-17 21:23:02 +00:00 by dgoetz 8d8c2f7
2015-03-19 19:55:11 +00:00 by dgoetz 9a7368e
2015-03-24 19:27:04 +00:00 by dgoetz 0ebf3e8
2015-03-24 19:28:59 +00:00 by dgoetz f431a67
2015-03-25 18:52:42 +00:00 by dgoetz 626817c
2015-03-25 21:00:53 +00:00 by dgoetz d005bcd
2015-03-26 19:41:26 +00:00 by dgoetz bfbcfa5
2015-03-26 21:12:54 +00:00 by dgoetz 8b23ff2
2015-03-31 19:36:03 +00:00 by dgoetz 0925ea6
2015-05-07 20:26:42 +00:00 by dgoetz 131ad97
2015-06-01 11:25:58 +00:00 by (unknown) 22d179e
2015-06-01 11:25:58 +00:00 by dgoetz 1911209
2015-06-01 11:25:58 +00:00 by dgoetz 7351ab0
2015-06-01 11:25:58 +00:00 by dgoetz 5d93b96
2015-06-01 11:25:58 +00:00 by dgoetz 167f43a
2015-06-01 11:25:58 +00:00 by dgoetz fac006e
2015-06-01 11:25:58 +00:00 by dgoetz 7fc28dc
2015-06-01 11:25:58 +00:00 by dgoetz 7458518
2015-06-01 11:25:58 +00:00 by dgoetz 8bd2b99
2015-06-01 11:25:58 +00:00 by dgoetz 7d29a26
2015-06-01 11:25:58 +00:00 by dgoetz c460914
2015-06-01 11:25:58 +00:00 by dgoetz d7a30bc
2015-06-01 11:25:58 +00:00 by dgoetz 1ca184a
2015-06-01 11:25:58 +00:00 by dgoetz ed4142d
2015-06-01 11:29:55 +00:00 by (unknown) c35651a
2015-06-02 11:32:48 +00:00 by (unknown) 64cddae
2015-06-18 12:33:53 +00:00 by dgoetz e6453f4
2015-12-04 14:28:16 +00:00 by dgoetz 9989596
2015-12-04 14:42:49 +00:00 by dgoetz 0c8395f
Relations: