Icinga / icinga-doc

Icinga 1.x documentation in Docbook (EOL)
https://www.icinga.org/download/

[dev.icinga.com #3555] Define SELinux contexts rather than using chcon command. #374

Closed icinga-migration closed 10 years ago

icinga-migration commented 11 years ago

This issue has been migrated from Redmine: https://dev.icinga.com/issues/3555

Created by sag47 on 2013-01-22 22:02:03 +00:00

Assignee: Wolfgang
Status: Resolved (closed on 2014-03-08 10:22:52 +00:00)
Target Version: 1.11
Last Update: 2014-03-08 10:22:52 +00:00 (in Redmine)


Regarding the Linux documentation for Icinga with SELinux. Namely: http://docs.icinga.org/latest/en/quickstart-idoutils.html#selinuxsettings

I recommend adding rules to `/etc/selinux/targeted/contexts/files/file_contexts.local`. That way a simple restorecon command can be issued. Like `restorecon -R /usr/local/icinga/sbin`

Here's where I have documented how I do it. http://www.linuxquestions.org/questions/blog/sag47-492023/selinux-and-icinga-34926/

In the comments I outline where I set up the SELinux rules. Anybody have thoughts on this method rather than the suggested method in the docs? Using file_contexts allows you to easily add files and content. Only a restorecon command is needed to update the contexts of new content.

icinga-migration commented 11 years ago

Updated by mfriedrich on 2013-03-03 19:34:58 +00:00

icinga-migration commented 11 years ago

Updated by mfriedrich on 2013-04-10 09:20:33 +00:00

icinga-migration commented 11 years ago

Updated by Wolfgang on 2013-04-28 11:37:32 +00:00

commit 3c9fd8402fd5d94149312a711dff0eac9e8af015 in next (#3555)

icinga-migration commented 10 years ago

Updated by mfriedrich on 2013-10-16 14:44:55 +00:00

close it if done, but for 1.10 I'll drop it now on beta docs generation.

icinga-migration commented 10 years ago

Updated by mfriedrich on 2014-03-07 10:31:50 +00:00

status?

icinga-migration commented 10 years ago

Updated by sag47 on 2014-03-07 16:12:39 +00:00

The status is, as far as I know, that only a link has been included in the documentation. http://docs.icinga.org/latest/en/quickstart-idoutils.html#selinuxsettings

The better method IMO would be to use `semanage` to create context defaults and use `restorecon` to set them. This is more in line with best practices, which is different from my original request. Here's a sample.

```sh
# Register persistent file-context rules in the local policy
semanage fcontext -a -t httpd_sys_script_exec_t '/usr/local/icinga/sbin(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '/usr/local/icinga/share(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/local/icinga/var(/.*)?'
# Apply the registered contexts to the existing files, recursively
restorecon -R /usr/local/icinga/sbin
restorecon -R /usr/local/icinga/share
restorecon -R /usr/local/icinga/var
```

The `semanage` command will automatically add entries to `/etc/selinux/targeted/contexts/files/file_contexts.local`. This method would provide a user with the ability to simply `restorecon -R` the icinga directory. I recommend it within the documentation rather than providing a link to an offsite website.
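The effect of the `semanage fcontext` rules in the comment above, as an added example that is not part of the original thread or the Icinga documentation: it parses a constructed copy of the entries those commands would write to `file_contexts.local` and reports which type `restorecon` would assign to a path, including the case where no persistent rule exists. The sample file content, the test paths and the function names are assumptions made for illustration, and returning the last matching line is a simplification.

```shell
#!/bin/sh
# Constructed sample of file_contexts.local after the three semanage commands.
# Line format: regex [file-type-flag] context
SAMPLE_FC='# constructed sample, not copied from a real system
/usr/local/icinga/sbin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/usr/local/icinga/share(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/local/icinga/var(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0'

# expected_type FC_TEXT PATH
# Print the type a persistent rule assigns to PATH, or "<none>" if no rule
# matches. Simplification (assumption): the last matching line is used.
expected_type() {
    fc_text=$1 path=$2 result='<none>'
    while read -r regex f2 f3; do
        case $regex in ''|'#'*) continue ;; esac
        # The context is the last field; f2 may be a flag such as -- or -d.
        context=${f3:-$f2}
        # Rules are anchored at both ends, hence grep -x (whole-line match).
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            type=${context#*:}; type=${type#*:}; result=${type%%:*}
        fi
    done <<EOF
$fc_text
EOF
    printf '%s\n' "$result"
}

# uncovered FC_TEXT PATH...
# Print every PATH without a persistent rule. A label set there with chcon
# is reset to the base policy default by restorecon or a full relabel.
uncovered() {
    fc=$1; shift
    for p in "$@"; do
        [ "$(expected_type "$fc" "$p")" = '<none>' ] && printf '%s\n' "$p"
    done
    return 0
}

# Demo on constructed paths.
for p in /usr/local/icinga/sbin/status.cgi /usr/local/icinga/etc/icinga.cfg; do
    printf '%s -> %s\n' "$p" "$(expected_type "$SAMPLE_FC" "$p")"
done
```

On a live system, `matchpathcon` gives the authoritative answer for a path, because it also consults the base policy that this sketch ignores.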

icinga-migration commented 10 years ago

Updated by Wolfgang on 2014-03-08 10:22:52 +00:00

Commit 17c57995ee2de42b5b888b2a04e2c81907417b28 in master (instead of next, *sigh)