[dev.icinga.com #11648] Reload permission error with SELinux #4147

Closed
icinga-migration opened this issue Apr 21, 2016 · 9 comments

@icinga-migration
commented Apr 21, 2016

This issue has been migrated from Redmine: https://dev.icinga.com/issues/11648

Created by mzac on 2016-04-21 13:04:38 +00:00

Assignee: dgoetz
Status: Resolved (closed on 2016-08-15 11:36:11 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-15 11:36:11 +00:00 (in Redmine)

Icinga Version: 2.4.7
Backport?: Not yet backported
Include in Changelog: 1

I've noticed that if Icinga2 is started by the root user, then the icinga user tries a reload, there is a permission error thrown:

[root@icinga-dev1 tmp]# ls -al /tmp/tmp.PUc2IEXfZI

-rw-------.  1 icinga icinga 1232896 Apr 21 09:00 tmp.PUc2IEXfZI

[ ~]$ sudo su - icinga
-bash-4.1$ service icinga2 reload
Validating config files: chcon: failed to change context of `/tmp/tmp.PUc2IEXfZI' to `unconfined_u:object_r:icinga2_tmp_t:s0': Invalid argument
Done
Reloading Icinga 2: Done

Changesets

2016-08-15 11:15:56 +00:00 by dgoetz 5e628f0

Mute chcon during safe-reload
to remove error message on systems with SELinux enabled but without icinga2 policy

refs #11648

2016-08-15 11:33:47 +00:00 by dgoetz bc06ff1

Mute chcon during safe-reload

Removes the error message on systems with SELinux enabled but without icinga2 policy.

fixes #11648
@icinga-migration

commented Apr 22, 2016

Updated by mfriedrich on 2016-04-22 08:07:12 +00:00

  • Subject changed from Reload permission error to Reload permission error with SELinux
  • Category set to Packages
  • Status changed from New to Assigned

Sounds like an SELinux issue. @dirk please have a look into that, thanks.

@icinga-migration

commented Aug 9, 2016

Updated by mfriedrich on 2016-08-09 07:59:39 +00:00

  • Assigned to set to dgoetz
@icinga-migration

commented Aug 9, 2016

Updated by dgoetz on 2016-08-09 10:53:34 +00:00

I need some more input. Can you tell me the operating system version? Your output looks like a non-systemd version, so it is not a RHEL 7 derivative or Fedora.

For now I think it is RHEL6 with SELinux enabled but we do not provide a policy, so chcon -t icinga2_tmp_t $OUTPUTFILE from safe-reload fails, but except for the output it does not cause any problems.

@icinga-migration

commented Aug 9, 2016

Updated by mzac on 2016-08-09 16:17:46 +00:00

You were good on your guess, RHEL 6. Anything else you need?

Red Hat Enterprise Linux Server release 6.8 (Santiago)
Linux icinga-dev1 2.6.32-573.12.1.el6.x86_64 #1 SMP Mon Nov 23 12:55:32 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@icinga-dev1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

dirk wrote:

I need some more input. Can you tell me the operating system version? Your output looks like a non-systemd version, so it is not a RHEL 7 derivative or Fedora.

For now I think it is RHEL6 with SELinux enabled but we do not provide a policy, so chcon -t icinga2_tmp_t $OUTPUTFILE from safe-reload fails, but except for the output it does not cause any problems.

@icinga-migration

commented Aug 10, 2016

Updated by dgoetz on 2016-08-10 07:23:37 +00:00

Ok, so then this is no real issue as it does not cause any problems except for the error message; we should simply silence the command. I will create a patch later. Thanks!
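
An added example, not part of the original thread and not Icinga's safe-reload script: instead of discarding all chcon output, a wrapper can treat only the missing-policy failure reported in this issue ("Invalid argument") as benign and still surface any other labelling error. The function name label_tmpfile and its status strings are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Icinga code).
# Labels a temp file with an SELinux type, tolerating only the
# "type not known to the loaded policy" failure seen in this issue.
#
# Prints one of: skipped | labelled | no-policy | error
# Returns non-zero only for an unexpected chcon failure.
label_tmpfile() {
    file=$1
    setype=${2:-icinga2_tmp_t}

    # SELinux tools absent or SELinux disabled: nothing to label.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "skipped"
        return 0
    fi

    # Capture stderr rather than sending it to /dev/null, so the
    # reason for a failure can be inspected. LC_ALL=C pins the
    # message language (assumption: chcon reports strerror text).
    if err=$(LC_ALL=C chcon -t "$setype" "$file" 2>&1); then
        echo "labelled"
        return 0
    fi

    case $err in
        *"Invalid argument"*)
            # The type is not defined in the loaded policy, as on the
            # RHEL 6 host in this issue. Expected, so stay quiet.
            echo "no-policy"
            return 0
            ;;
        *)
            # Anything else (permissions, missing file, ...) is a real
            # labelling failure and should remain visible.
            echo "chcon failed for $file: $err" >&2
            echo "error"
            return 1
            ;;
    esac
}
```

On a host in enforcing mode with the icinga2 policy loaded, an "error" result means the file kept its default label, which is the case a blanket redirect to /dev/null would hide.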

@icinga-migration

commented Aug 15, 2016

Updated by dgoetz on 2016-08-15 11:22:52 +00:00

  • Assigned to changed from dgoetz to mfriedrich
  • Target Version set to 2.5.0

Patch is in a separate branch fix/chcon-11648.

@dnsmichi: Can you please review and merge this small fix to 2.5.0?

@icinga-migration

commented Aug 15, 2016

Updated by mfriedrich on 2016-08-15 11:32:13 +00:00

  • Assigned to changed from mfriedrich to dgoetz
@icinga-migration

commented Aug 15, 2016

Updated by mfriedrich on 2016-08-15 11:36:07 +00:00

Thanks, merged.

@icinga-migration

commented Aug 15, 2016

Updated by dgoetz on 2016-08-15 11:36:11 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset bc06ff1.
