
APIListener not able to bind to port due to SELinux issue. #6625

Closed
PaulSzymanski opened this issue Sep 18, 2018 · 6 comments
Labels
area/setup Installation, systemd, sample files

Comments

@PaulSzymanski

Expected Behavior

When starting icinga2 on fedora28 (i.e. systemctl start icinga2) the service should be started.

Current Behavior

systemctl start icinga2 will fail.
SELinux denies the server binding to a port. Relevant SELinux output:

# grep name_bind /var/log/audit/audit.log | head -n 1 | audit2why
type=AVC msg=audit(1536237271.158:925): avc:  denied  { name_bind } for  pid=20689 comm="icinga2" src=5665 scontext=system_u:system_r:icinga2_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

        Was caused by:
        The boolean nis_enabled was set incorrectly.
        Description:
        Allow nis to enabled

        Allow access by executing:
        # setsebool -P nis_enabled 1

Relevant journalctl -u icinga2 output:

Sep 18 15:42:32 fedora28-dev icinga2[2233]: [2018-09-18 15:42:32 +0200] information/ApiListener: Adding new listener on port '5665'
Sep 18 15:42:32 fedora28-dev icinga2[2233]: [2018-09-18 15:42:32 +0200] critical/TcpSocket: Invalid socket: Permission denied
Sep 18 15:42:32 fedora28-dev icinga2[2233]: Context:
Sep 18 15:42:32 fedora28-dev icinga2[2233]:         (0) Activating object 'api' of type 'ApiListener'
Sep 18 15:42:32 fedora28-dev icinga2[2233]: [2018-09-18 15:42:32 +0200] critical/ApiListener: Cannot bind TCP socket for host '' on port '5665'.
Sep 18 15:42:32 fedora28-dev icinga2[2233]: Context:
Sep 18 15:42:32 fedora28-dev icinga2[2233]:         (0) Activating object 'api' of type 'ApiListener'
Sep 18 15:42:32 fedora28-dev icinga2[2233]: [2018-09-18 15:42:32 +0200] critical/ApiListener: Cannot add listener on host '' for port '5665'.
Sep 18 15:42:32 fedora28-dev icinga2[2233]: Context:
Sep 18 15:42:32 fedora28-dev icinga2[2233]:         (0) Activating object 'api' of type 'ApiListener'
Sep 18 15:42:32 fedora28-dev systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE

Steps to Reproduce (for bugs)

  1. Run icinga2 node wizard. Configure it to connect to the master.
  2. systemctl restart icinga2
  3. Will fail.

Context

On the system icinga2, icinga2-common and icinga2-selinux are installed.
I want to start an icinga2 client that connects to a master.

Your Environment

  • Version used (icinga2 --version): r2.9.1-1
  • Operating System and version: Fedora 28 4.18.5-200.fc28.x86_64
@Crunsher Crunsher added the area/setup Installation, systemd, sample files label Sep 18, 2018
@Crunsher
Contributor

@dgoetz please take a look at this

@dgoetz
Contributor

dgoetz commented Sep 19, 2018

You are using port 5665, but it is not labeled icinga2_port_t. This should be done in the scriptlets of the package during installation. I have no idea why it failed, but can you run /sbin/semanage port -d -t icinga2_port_t -p tcp 5665 and verify if this fixes the problem? If this command throws any error, let me know; perhaps I have missed a change in Fedora 28.
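The denial in the report and the explanation above both come down to one question: which SELinux port type is attached to tcp/5665? The following added example (not code from Icinga 2 or from anyone in this thread) parses an AVC `name_bind` denial like the one quoted in the issue, looks the port up in `semanage port -l` style output, and states the expected label and the `semanage port -a` command that would add it; the sample AVC line and the port listing are constructed copies, and the listing format is assumed to match `semanage port -l` on Fedora.

```python
import re

# Port types this check knows about (from the thread: Icinga 2's API port).
EXPECTED_PORT_TYPES = {("tcp", 5665): "icinga2_port_t"}

# Constructed sample: the AVC denial quoted in the issue report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1536237271.158:925): avc:  denied  { name_bind } for  pid=20689 '
    'comm="icinga2" src=5665 scontext=system_u:system_r:icinga2_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
)

# Constructed sample in the (assumed) layout of `semanage port -l`.
SAMPLE_LISTING = """SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 32768-61000
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?src=(?P<src>\d+)'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract permissions, port, contexts and protocol from one AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["src"] = int(d["src"])
    d["proto"] = "tcp" if d["tclass"] == "tcp_socket" else "udp"
    d["port_type"] = d["tcontext"].split(":")[2]   # user:role:type:level -> type
    return d

def port_label_from_listing(listing, proto, port):
    """Return the SELinux type covering proto/port in a `semanage port -l` listing."""
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != proto:
            continue                                 # header line or other protocol
        for item in " ".join(parts[2:]).split(","):
            lo, _, hi = item.strip().partition("-")  # single port or "lo-hi" range
            if int(lo) <= port <= int(hi or lo):
                return parts[0]
    return None

def diagnose(avc):
    """Return (verdict, fix) for a parsed name_bind denial; fix is None if nothing to add."""
    if "name_bind" not in avc["perms"]:
        return ("not a bind denial", None)
    expected = EXPECTED_PORT_TYPES.get((avc["proto"], avc["src"]))
    if expected is None or avc["port_type"] == expected:
        return ("port label not the cause", None)
    fix = f"semanage port -a -t {expected} -p {avc['proto']} {avc['src']}"
    return (f"port {avc['src']}/{avc['proto']} is {avc['port_type']}, expected {expected}", fix)
```

On a live host, feed it the output of `grep name_bind /var/log/audit/audit.log` and `semanage port -l`; when the listing already shows icinga2_port_t on 5665, the denial has a different cause and re-labeling will not help.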

@PaulSzymanski
Author

I resolved the issue by reinstalling icinga2-selinux

@adamparker

I had this issue as well; it seems the order of install of icinga2-selinux has an impact.

I uninstalled icinga2-selinux and re-installed it just like the user above and it's now working.

@PaulSzymanski
Author

I encountered the issue again on Fedora 29.
The problem only occurs when policycoreutils-python-utils is not installed.
I.e., right now, to get around the issue, install policycoreutils-python-utils and then (re)install icinga2-selinux.

# uname -a
Linux andromeda 4.19.9-300.fc29.x86_64 #1 SMP Thu Dec 13 17:25:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# journalctl output while installing icinga2-selinux w/o policycoreutils-python-utils:
kernel: SELinux:  Class xdp_socket not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: SELinux:  policy capability network_peer_controls=1
kernel: SELinux:  policy capability open_perms=1
kernel: SELinux:  policy capability extended_socket_class=1
kernel: SELinux:  policy capability always_check_network=0
kernel: SELinux:  policy capability cgroup_seclabel=1
kernel: SELinux:  policy capability nnp_nosuid_transition=1
audit[714]: USER_AVC pid=714 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)
                                       exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
dbus-daemon[1330]: avc:  received policyload notice (seqno=11)
audit: MAC_POLICY_LOAD auid=1000 ses=1 lsm=selinux res=1
dbus-daemon[1330]: [session uid=1000 pid=1330] Reloaded configuration
dbus-daemon[714]: [system] Reloaded configuration

# journalctl output while installing icinga2-selinux with policycoreutils-python-utils:
kernel: SELinux:  Class xdp_socket not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: SELinux:  policy capability network_peer_controls=1
kernel: SELinux:  policy capability open_perms=1
kernel: SELinux:  policy capability extended_socket_class=1
kernel: SELinux:  policy capability always_check_network=0
kernel: SELinux:  policy capability cgroup_seclabel=1
kernel: SELinux:  policy capability nnp_nosuid_transition=1
audit[714]: USER_AVC pid=714 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=18)
                                       exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
dbus-daemon[1330]: avc:  received policyload notice (seqno=18)
audit: MAC_POLICY_LOAD auid=1000 ses=1 lsm=selinux res=1
dbus-daemon[1330]: [session uid=1000 pid=1330] Reloaded configuration
dbus-daemon[714]: [system] Reloaded configuration
kernel: SELinux:  Class xdp_socket not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: SELinux:  policy capability network_peer_controls=1
kernel: SELinux:  policy capability open_perms=1
kernel: SELinux:  policy capability extended_socket_class=1
kernel: SELinux:  policy capability always_check_network=0
kernel: SELinux:  policy capability cgroup_seclabel=1
kernel: SELinux:  policy capability nnp_nosuid_transition=1
audit[714]: USER_AVC pid=714 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=19)
                                       exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
dbus-daemon[1330]: avc:  received policyload notice (seqno=19)
dbus-daemon[1330]: [session uid=1000 pid=1330] Reloaded configuration
audit: MAC_POLICY_LOAD auid=1000 ses=1 lsm=selinux res=1
dbus-daemon[714]: [system] Reloaded configuration
audit[7106]: USER_MAC_CONFIG_CHANGE pid=7106 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=5665 proto=6 tcontext=system_u:object_r:icinga2_port_t:s0 comm="semanage" exe="/usr/bin/python3.7" hostname=? addr=? terminal=? res=success'

@PaulSzymanski PaulSzymanski reopened this Dec 22, 2018
@PaulSzymanski
Author

On Fedora policycoreutils-python doesn't provide semanage. It's provided by policycoreutils-python-utils.

CentOS and SUSE should not be affected by this.

So we need different Requires(post) and Requires(postun) depending on the distribution.
