On 31.08.2015 at 09:38, Dewangga Bachrul Alam wrote:
Hello!

Is anyone having the same problem with enforcing selinux policy? I have
a problem with the notification script, selinux actively denied this
activity. From audit.log, I've got this:

I'd be more interested in the exact error message selinux triggers in
that log.



#============= nagios_notification_plugin_t ==============
allow nagios_notification_plugin_t icinga2_var_lib_t:file append;

$ ls -ldZ /var/lib/icinga2
drwxr-x---. icinga icinga system_u:object_r:icinga2_var_lib_t:s0 /var/lib/icinga2

$ stat /var/lib/icinga2/
   File: ‘/var/lib/icinga2/’
   Size: 45           Blocks: 0          IO Block: 4096   directory
Device: 97dh/2429d    Inode: 538248767   Links: 4
Access: (0750/drwxr-x---)  Uid: (  996/  icinga)   Gid: (  994/  icinga)
Context: system_u:object_r:icinga2_var_lib_t:s0
Access: 2015-08-31 14:29:04.426309490 +0700
Modify: 2015-08-31 14:33:29.634049565 +0700
Change: 2015-08-31 14:33:29.634049565 +0700
  Birth: -


I've applied this to the local selinux policy. But the script is still
denied by selinux. This is the log from icinga2.log.


.. snip ..
[2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification
command for object 'domain.name!http' (PID: 21698, arguments:
'/etc/icinga2/scripts/mail-service-notification.sh') terminated with
exit code 126, output: /bin/sh:
/etc/icinga2/scripts/mail-service-notification.sh: Permission denied

[2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification
command for object 'domain.name!http' (PID: 21699, arguments:
'/etc/icinga2/scripts/mail-service-notification.sh') terminated with
exit code 126, output: /bin/sh:
/etc/icinga2/scripts/mail-service-notification.sh: Permission denied
.. snip ..

I'm pretty sure this is coming from selinux, because if I set this to
permissive mode, the script works.

Though the notification scripts we ship with Icinga 2 do not use
anything beneath /var/lib/icinga2. Did you modify them?

Kind regards,
Michael


Any feedback/help is appreciated.
Thank you.
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users


-- 
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
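
The reply above asks for the exact denial from audit.log. The following is an added example, not code from the thread or from Icinga: it parses AVC records and renders them in the rule form quoted in the message, so the local rule can be compared with what was actually denied. The log lines are constructed sample data and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
# comm= is the script name as the kernel truncates it to 15 characters.
SAMPLE_LOG = """\
type=AVC msg=audit(1441005603.101:901): avc:  denied  { append } for  pid=21698 comm="mail-service-no" name="example.log" dev="dm-0" ino=1001 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1441005603.101:901): arch=c000003e syscall=2 success=no exit=-13 comm="mail-service-no" exe="/usr/bin/bash"
type=AVC msg=audit(1441005603.205:902): avc:  denied  { append } for  pid=21699 comm="mail-service-no" name="example.log" dev="dm-0" ino=1001 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:icinga2_var_lib_t:s0 tclass=file
type=AVC msg=audit(1441005610.300:903): avc:  denied  { read open } for  pid=3000 comm="httpd" name="other.log" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_denials(log_text, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        c = COMM_RE.search(line)
        if comm is not None and (c is None or c.group(1) != comm):
            continue  # keep only denials raised by the named command
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Render merged denials in the allow-rule layout quoted in the message."""
    out, last = [], None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != last:
            out.append(f"#============= {src} ==============")
            last = src
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_rules(parse_denials(SAMPLE_LOG, comm="mail-service-no")))
```

Any permission or target type that shows up in the rendered output but not in the loaded local policy is a denial the policy does not yet cover.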