Hello! Is anyone having the same problem with enforcing SELinux policy? I have a problem with the notification script: SELinux actively denied this activity. From audit.log, I've got this:

#============= nagios_notification_plugin_t ==============
allow nagios_notification_plugin_t icinga2_var_lib_t:file append;

$ ls -ldZ /var/lib/icinga2
drwxr-x---. icinga icinga system_u:object_r:icinga2_var_lib_t:s0 /var/lib/icinga2

$ stat /var/lib/icinga2/
  File: ‘/var/lib/icinga2/’
  Size: 45  Blocks: 0  IO Block: 4096  directory
Device: 97dh/2429d  Inode: 538248767  Links: 4
Access: (0750/drwxr-x---)  Uid: ( 996/ icinga)  Gid: ( 994/ icinga)
Context: system_u:object_r:icinga2_var_lib_t:s0
Access: 2015-08-31 14:29:04.426309490 +0700
Modify: 2015-08-31 14:33:29.634049565 +0700
Change: 2015-08-31 14:33:29.634049565 +0700
 Birth: -

I've applied this to the local SELinux policy. But the script is still denied by SELinux. This is the log from icinga2.log.

.. snip ..
[2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification command for object 'domain.name!http' (PID: 21698, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 126, output: /bin/sh: /etc/icinga2/scripts/mail-service-notification.sh: Permission denied
[2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification command for object 'domain.name!http' (PID: 21699, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 126, output: /bin/sh: /etc/icinga2/scripts/mail-service-notification.sh: Permission denied
.. snip ..

I'm pretty sure this is coming from SELinux, because if I set this to permissive mode, the script works.

Any feedback/help is appreciated. Thank you.

_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
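
One way to list every AVC denial still outstanding after a local rule such as the one above has been loaded. This is an added example, not part of the original post: the audit records are constructed, and example_script_t is a hypothetical target type used only for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the post). example_script_t is a
# hypothetical type; the other two type names are the ones quoted in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441005603.101:901): avc:  denied  { append } for  pid=21698 comm="mail" name="example.log" dev="dm-0" ino=1001 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=AVC msg=audit(1441005603.102:902): avc:  denied  { execute } for  pid=21699 comm="sh" name="example.sh" dev="dm-0" ino=1002 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:example_script_t:s0 tclass=file
type=AVC msg=audit(1441005603.103:903): avc:  denied  { read open } for  pid=21699 comm="sh" name="example.sh" dev="dm-0" ino=1002 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:example_script_t:s0 tclass=file
type=SYSCALL msg=audit(1441005603.103:903): arch=c000003e syscall=59 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def missing_rules(denials, allowed):
    """Denied permissions not covered by `allowed` (same shape as denials)."""
    rest = {k: p - allowed.get(k, set()) for k, p in denials.items()}
    return {k: p for k, p in rest.items() if p}

def as_allow_rules(denials):
    """Render the summary as allow statements, one per type pair and class."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    loaded = {("nagios_notification_plugin_t", "icinga2_var_lib_t", "file"): {"append"}}
    for rule in as_allow_rules(missing_rules(summarize_denials(SAMPLE_AUDIT_LOG), loaded)):
        print(rule)
```

Any rule this prints is a candidate for review against the intended policy, not something to load as-is.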