"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/90-SELinux.md" between
icingaweb2-2.11.3.tar.gz and icingaweb2-2.11.4.tar.gz

About: Icinga Web 2 is a Web interface for Icinga 2, a network and computer system monitoring system.

90-SELinux.md  (icingaweb2-2.11.3):90-SELinux.md  (icingaweb2-2.11.4)
skipping to change at line 15 skipping to change at line 15
SELinux is a mandatory access control (MAC) system on Linux which adds a fine gr anular permission system for access SELinux is a mandatory access control (MAC) system on Linux which adds a fine gr anular permission system for access
to all resources on the system such as files, devices, networks and inter-proces s communication. to all resources on the system such as files, devices, networks and inter-proces s communication.
The most important questions are answered briefly in the [FAQ of the SELinux Pro ject](https://selinuxproject.org/page/FAQ). The most important questions are answered briefly in the [FAQ of the SELinux Pro ject](https://selinuxproject.org/page/FAQ).
For more details on SELinux and how to actually use and administrate it on your systems have a look at For more details on SELinux and how to actually use and administrate it on your systems have a look at
[Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide](https:// access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Us ers_and_Administrators_Guide/index.html). [Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide](https:// access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Us ers_and_Administrators_Guide/index.html).
For a simplified (and funny) introduction download the [SELinux Coloring Book](h ttps://github.com/mairin/selinux-coloring-book). For a simplified (and funny) introduction download the [SELinux Coloring Book](h ttps://github.com/mairin/selinux-coloring-book).
## Policy <a id="selinux-policy"></a> ## Policy <a id="selinux-policy"></a>
Icinga Web 2 is providing its own SELinux policy for Red Hat Enterprise Linux 7 Icinga Web 2 is providing its own SELinux policy for RPM-based systems running t
and its derivates running the targeted he targeted policy
policy which confines Icinga Web 2 with support for all its modules. All other d which confines Icinga Web 2 with support for all its modules.
istributions will require some tweaks.
It is not upstreamed to the reference policies yet.
The policy for Icinga Web 2 will also require the policy for Icinga 2 which prov ides access to its interfaces. The policy for Icinga Web 2 will also require the policy for Icinga 2 which prov ides access to its interfaces.
It covers only the scenario running Icinga Web 2 in Apache HTTP Server with mod_ php. It covers only the scenario running Icinga Web 2 in Apache HTTP Server with mod_ php.
## Installation <a id="selinux-policy-installation"></a> Use your distribution's package manager to install the `icingaweb2-selinux` pack
age.
There are two ways to install the SELinux Policy for Icinga Web 2 on Enterprise
Linux 7.
Either install it from the provided package which is the preferred option or int
all the policy manually, if you need
fixes which are not yet released.
Verify that the system runs in enforcing mode.
sestatus
# SELinux status: enabled
# SELinuxfs mount: /sys/fs/selinux
# SELinux root directory: /etc/selinux
# Loaded policy name: targeted
# Current mode: enforcing
# Mode from config file: enforcing
# Policy MLS status: enabled
# Policy deny_unknown status: allowed
# Max kernel policy version: 28
If problems occur, you can set icinga2 or httpd to run to run its domain in perm
issive mode.
You can change the configured mode by editing `/etc/selinux/config` and the curr
ent mode by executing `setenforce 0`.
### Package installation <a id="selinux-policy-installation-package"></a>
Simply add the `selinux` subpackage to your installation.
yum install icingaweb2-selinux
### Manual installation <a id="selinux-policy-installation-manual"></a>
This section describes the manual installation to support development and testin
g.
As a prerequisite install the `git`, `selinux-policy-devel` and `audit` package.
Enable and start the audit daemon
afterwards.
yum install git selinux-policy-devel audit
systemctl enable auditd.service
systemctl start auditd.service
To create and install the policy package run the installation script from the Ic
inga Web 2 source which also labels the
resources.
cd packages/selinux/
./icingaweb2.sh
Verify that Apache runs in its own domain `httpd_t` and the Icinga Web 2 configu
ration has its own context
`icingaweb2_config_t`.
ps -eZ | grep http
# system_u:system_r:httpd_t:s0 9785 ? 00:00:00 httpd
ls -ldZ /etc/icingaweb2/
# drwxrws---. root icingaweb2 system_u:object_r:icingaweb2_config_t:s0 /etc/
icingaweb2/
## General <a id="selinux-policy-general"></a> ## General <a id="selinux-policy-general"></a>
When the SELinux policy package for Icinga Web 2 is installed, it creates its ow n type of apache content and labels its When the SELinux policy package for Icinga Web 2 is installed, it creates its ow n type of apache content and labels its
configuration `icingaweb2_config_t` to allow confining access to it. configuration `icingaweb2_config_t` to allow confining access to it.
## Types <a id="selinux-policy-types"></a> ## Types <a id="selinux-policy-types"></a>
The configuration is labeled `icingaweb2_config_t` and other services can reques t access to it by using the interfaces The configuration is labeled `icingaweb2_config_t` and other services can reques t access to it by using the interfaces
`icingaweb2_read_config` and `icingaweb2_manage_config`. `icingaweb2_read_config` and `icingaweb2_manage_config`.
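Review bot: The second change block removes the post-install verification together with the install instructions. The `sestatus` check for enforcing mode and the `ps -eZ | grep http` and `ls -ldZ /etc/icingaweb2/` checks for `httpd_t` and `icingaweb2_config_t` do not depend on how the package was installed, so they are worth keeping as a short verification paragraph after the new "Use your distribution's package manager to install the `icingaweb2-selinux` package." line. That line now sits at the end of the Policy section because the `## Installation` heading and its `selinux-policy-installation` anchor are dropped, along with the `selinux-policy-installation-package` and `selinux-policy-installation-manual` sub-anchors, so existing links to those ids will stop resolving; keeping the heading above the new sentence would avoid that. Not carrying over the `setenforce 0` hint is reasonable, since it switches the whole system to permissive mode rather than a single domain as the removed sentence before it described.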
 End of changes. 2 change blocks. 
66 lines changed or deleted 5 lines changed or added
