Hello!

On 09/04/2015 01:43 AM, Michael Friedrich wrote:
> On 31.08.2015 at 09:38, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> Is anyone having the same problem with enforcing selinux policy? I have
>> a problem with the notification script, the selinux actively denied this
>> activity. From audit.log, I've got this:
>
> I'd be more interested in the exact error message selinux triggers in
> that log.
>
>>
>> #============= nagios_notification_plugin_t ==============
>> allow nagios_notification_plugin_t icinga2_var_lib_t:file append;
>>
>> $ ls -ldZ /var/lib/icinga2
>> drwxr-x---. icinga icinga system_u:object_r:icinga2_var_lib_t:s0 /var/lib/icinga2
>>
>> $ stat /var/lib/icinga2/
>>   File: ‘/var/lib/icinga2/’
>>   Size: 45          Blocks: 0          IO Block: 4096   directory
>> Device: 97dh/2429d  Inode: 538248767   Links: 4
>> Access: (0750/drwxr-x---)  Uid: (  996/  icinga)   Gid: (  994/  icinga)
>> Context: system_u:object_r:icinga2_var_lib_t:s0
>> Access: 2015-08-31 14:29:04.426309490 +0700
>> Modify: 2015-08-31 14:33:29.634049565 +0700
>> Change: 2015-08-31 14:33:29.634049565 +0700
>>  Birth: -
>>
>>
>> I've applied this to the local selinux policy. But the script is still
>> denied by selinux. This is the log from icinga2.log.
>>
>>
>> .. snip ..
>> [2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification command for object 'domain.name!http' (PID: 21698, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 126, output: /bin/sh: /etc/icinga2/scripts/mail-service-notification.sh: Permission denied
>>
>> [2015-08-31 14:20:03 +0700] warning/PluginNotificationTask: Notification command for object 'domain.name!http' (PID: 21699, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 126, output: /bin/sh: /etc/icinga2/scripts/mail-service-notification.sh: Permission denied
>> .. snip ..
>>
>> I'm pretty sure this is coming from selinux, because if I set this to
>> permissive mode, the script works.
>
> Though the notification scripts we ship with Icinga 2 do not use
> anything beneath /var/lib/icinga2. Did you modify them?

No, I didn't. I just applied the SELinux policy from branch
`feature/rpm-selinux-8332`. By default the /var/lib/icinga2 file context was

$ ls -ldZ /var/lib/icinga2/
drwxr-x---. icinga icinga system_u:object_r:var_lib_t:s0 /var/lib/icinga2/

Did the policy that came from github break the icinga2 core function if
SELinux is in enforcing mode? Should I change this folder back to var_lib_t?

>
> Kind regards,
> Michael
>
>>
>> Any feedback/help is appreciated.
>> Thank you.
>> _______________________________________________
>> icinga-users mailing list
>> icinga-users@lists.icinga.org
>> https://lists.icinga.org/mailman/listinfo/icinga-users
>
>
> --
> Michael Friedrich, DI (FH)
> Senior Developer
>
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
> http://www.netways.de | michael.friedr...@netways.de