Add role icinga2adm_r to SELinux policies #9664

Merged 1 commit on Feb 16, 2023

htriem (Contributor) commented Feb 13, 2023

By default, newly-created files and directories inherit the SELinux type of their parent directories. This is how we've been doing things for a while now, but behaviour seems to have changed for some systems.
So it is required for role icinga2adm_r, setting the role to our SELinux admin level role, to be called before calling userdom_unpriv_user_template(icinga2adm) to allow for proper role and domain creation.
I've tested this on RHEL 9:

# semanage boolean -l | grep icinga
httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo
icinga2adm_exec_content        (on   ,   on)  Allow icinga2adm to exec content

Without this fix, this command doesn't print anything.

See Issue icinga-packaging/#276 for more info.
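
A check for the symptom described above, as an added example that is not part of this PR or of the Icinga 2 policy sources: it reads `semanage boolean -l` output on stdin and names every expected icinga boolean that is missing. The function and variable names are hypothetical; the boolean names are the ones in the listing above.

```shell
#!/bin/sh
# Added example, not Icinga 2 project code.
# Usage on a host with the policy module installed:
#   semanage boolean -l | missing_icinga_booleans

# Boolean names copied from the RHEL 9 listing in the comment above.
EXPECTED_BOOLEANS="httpd_can_connect_icinga2_api
httpd_can_write_icinga2_command
icinga2_can_connect_all
icinga2_run_sudo
icinga2adm_exec_content"

# Prints one missing boolean per line; returns 1 if any is missing.
missing_icinga_booleans() {
    # The first whitespace-separated column of each line is the boolean name.
    present=$(awk '{print $1}')
    rc=0
    for b in $EXPECTED_BOOLEANS; do
        # -x: whole-line match, so a longer name sharing a prefix does not count.
        if ! printf '%s\n' "$present" | grep -qx -- "$b"; then
            printf '%s\n' "$b"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the listing from the comment above (policy with the fix).
SAMPLE_FIXED='httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo
icinga2adm_exec_content        (on   ,   on)  Allow icinga2adm to exec content'

# Sample input without the fix: the comment says the grep prints nothing.
SAMPLE_UNFIXED=''

# Constructed sample (not from the page): a partial listing, to show
# that the check names exactly the boolean that is absent.
SAMPLE_PARTIAL='httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo'
```
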

@cla-bot cla-bot bot added the cla/signed label Feb 13, 2023
@htriem htriem requested a review from julianbrost February 14, 2023 14:20
@julianbrost julianbrost requested a review from lippserd February 15, 2023 09:17
@htriem htriem force-pushed the bugfix/selinux-readd-bools branch from f4441e0 to e73522a Compare February 15, 2023 16:40
htriem (Contributor, Author) commented Feb 15, 2023

This PR now includes a fix for this issue in the second commit.

Disregard that, the fix for this issue has been moved to here.

@htriem htriem force-pushed the bugfix/selinux-readd-bools branch from e73522a to 8173cf0 Compare February 16, 2023 10:03
@htriem htriem requested a review from Al2Klimov February 16, 2023 10:41
@Al2Klimov Al2Klimov merged commit c3d8ed7 into master Feb 16, 2023
@icinga-probot icinga-probot bot deleted the bugfix/selinux-readd-bools branch February 16, 2023 16:12
@Al2Klimov Al2Klimov added this to the 2.14.0 milestone Feb 17, 2023