Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

Calling `icingacli` via the Icinga2 agent is blocked by SELinux #9796

Open NavidSassan opened 1 year ago

NavidSassan commented 1 year ago

Calling icingacli via the Icinga2 agent is blocked by SELinux. This results in the following error message:

Module path "/usr/share/icingaweb2/modules" does not exist
ERROR: Cannot read enabled modules. Config directory "/etc/icingaweb2" is not readable

To Reproduce

For example, when trying to check a business process on a host with SELinux enabled:

  1. Create some process in the businessprocess module.
  2. Create a service template and service that checks the state of the process using the icingacli-businessprocess external command:

    template Service "tpl-service-bp" {
      check_command = "icingacli-businessprocess"
      vars.icingacli_businessprocess_details = true
    }

    object Service "tpl-service-bp" {
      host_name = "myhost"
      import "tpl-service-bp"

      vars.icingacli_businessprocess_config = "test"
      vars.icingacli_businessprocess_process = "first"
    }
  3. Trigger the service via Icinga2. Note that the service is UNKNOWN.
  4. Disable SELinux: setenforce 0.
  5. Trigger the service via Icinga2. Note that the service is OK.

Note that the problem cannot be reproduced when using sudo, it only happens when executed via the Icinga2 agent:

sudo -u icinga icingacli businessprocess process check first --config test --details
Business Process OK: first

Expected behavior

Using icingacli to check the state of modules on a host with SELinux enabled should work out of the box, or at least via a SELinux boolean.

Your Environment

Additional context

SELinux Booleans:

getsebool -a | grep -E 'icinga|nagios'
httpd_can_connect_icinga2_api --> on
httpd_can_manage_icingaweb2_config --> on
httpd_can_write_icinga2_command --> on
icinga2_can_connect_all --> on
icinga2_run_sudo --> on
icinga2adm_exec_content --> on
logging_syslogd_run_nagios_plugins --> off
nagios_run_pnp4nagios --> off
nagios_run_sudo --> on
nagios_use_nfs --> off
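The reproduction above infers an SELinux block from the fact that the check goes green after `setenforce 0`. The script below is an added example (POSIX sh; not code from the issue or from the Icinga project) showing how to back that up with the audit log instead: it parses AVC records, extracts the source domain, target type, object class and denied permissions, and counts only the denials that were actually enforced (`permissive=0`) for a given domain, which is what a useful bug report or a candidate policy change needs. The audit records embedded in it are constructed for illustration, and the type names `icinga2_t`, `icingaweb2_config_t` and `httpd_sys_content_t` in them are assumptions, not captured output.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Icinga project.
# Parses Linux audit AVC records to show which SELinux domain was denied
# which access on which target type, so an "SELinux blocks icingacli"
# report can be backed by the actual denial instead of a setenforce 0 test.

# CONSTRUCTED sample audit records for illustration only. The type names
# (icinga2_t, icingaweb2_config_t, httpd_sys_content_t) are assumptions,
# not captured output; on a real host use: ausearch -m AVC -ts recent
SAMPLE_AVC='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="icingacli"
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="icingacli" name="icingaweb2" dev="dm-0" ino=1 scontext=system_u:system_r:icinga2_t:s0 tcontext=system_u:object_r:icingaweb2_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { search } for  pid=1234 comm="icingacli" name="modules" dev="dm-0" ino=2 scontext=system_u:system_r:icinga2_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { write } for  pid=2345 comm="php-fpm" name="config.ini" dev="dm-0" ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:icingaweb2_config_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: print the value of "KEY=value" in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_type target_type tclass perms" for one AVC record.
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//')
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$perms"
}

# count_enforced_denials DOMAIN: read audit records on stdin and count the
# AVC denials whose source type is DOMAIN and that were enforced
# (permissive=0). Denials logged with permissive=1 did not block anything,
# so they must not be mistaken for the cause of a failing check.
count_enforced_denials() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*denied*) ;;
            *) continue ;;
        esac
        [ "$(avc_field "$line" permissive)" = "0" ] || continue
        [ "$(avc_type "$(avc_field "$line" scontext)")" = "$1" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run: summarise every AVC record, then count what actually
# blocked the icinga2_t domain.
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
    case "$line" in *"avc:"*denied*) avc_summary "$line" ;; esac
done
echo "enforced denials for icinga2_t: $(printf '%s\n' "$SAMPLE_AVC" | count_enforced_denials icinga2_t)"
```

On a real host, replace `SAMPLE_AVC` with the output of `ausearch -m AVC -ts recent`, confirm the domain the agent's check process runs in with `ps -eZ | grep icinga2`, and compare it with the labels on the two paths from the error message via `ls -dZ /etc/icingaweb2 /usr/share/icingaweb2/modules`. A denial that appears with `permissive=0` while the check is UNKNOWN and disappears after `setenforce 0` is the policy gap to report; `audit2allow -a` turns those same records into a candidate local policy module, and the `getsebool` listing above shows whether an existing boolean already covers it.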
tbauriedel commented 1 year ago

ref/NC/788116

RincewindsHat commented 1 month ago

ref/NC/825504

lippserd commented 3 weeks ago

ref/IP/54807