SELinux is a mandatory access control (MAC) system on Linux which adds a fine granular permission system for access to all resources on the system such as files, devices, networks and inter-process communication.
The most important questions are answered briefly in the FAQ of the SELinux Project. For more details on SELinux and how to actually use and administrate it on your systems have a look at Red Hat Enterprise Linux 7 - SELinux User's and Administrator's Guide. For a simplified (and funny) introduction download the SELinux Coloring Book.
Icinga Web 2 is providing its own SELinux policy for RPM-based systems running the targeted policy which confines Icinga Web 2 with support for all its modules.
The policy for Icinga Web 2 will also require the policy for Icinga 2 which provides access to its interfaces. It covers only the scenario running Icinga Web 2 in Apache HTTP Server with mod_php.
Use your distribution's package manager to install the
When the SELinux policy package for Icinga Web 2 is installed, it
creates its own type of apache content and labels its configuration
icingaweb2_config_t to allow confining access to it.
The configuration is labeled
other services can request access to it by using the interfaces
icingaweb2_manage_config. Files requiring read access are
icingaweb2_content_t. Files requiring write access
SELinux is based on the least level of access required for a service to run. Using booleans you can grant more access in a defined way. The Icinga Web 2 policy package provides the following booleans.
Having this boolean enabled allows httpd to write to the
icingaweb2_config_t. This is enabled
by default. If not needed, you can disable it for more security. But
this will disable all web based configuration of Icinga Web 2.
The Icinga Web 2 policy package does not enable booleans not required
by default. In order to allow these things, you'll need to enable them
manually. (i.e. with the tool
If you want to allow httpd to connect to the ldap port, you must turn on the
httpd_can_connect_ldap boolean. Disabled by
If you experience any problems while running SELinux in enforcing mode try to reproduce it in permissive mode. If the problem persists, it is not related to SELinux because in permissive mode SELinux will not deny anything.
When filing a bug report please add the following information additionally to the common ones:
semodule -l | grep -e icinga2 -e icingaweb2 -e nagios -e apache
semanage boolean -l | grep icinga
ps -eZ | grep httpd
audit2allow -li /var/log/audit/audit.log
If access to a file is blocked and you can tell which one, please
provided the output of
ls -lZ /path/to/file and the
If asked for full audit.log, add
-w /etc/shadow -p w to
/etc/audit/rules.d/audit.rules and restart the audit
daemon. Reproduce the problem and add
/var/log/audit/audit.log to the bug report. The added audit
rule includes the path of files where access was denied.
If asked to provide full audit log with dontaudit rules disabled,
semodule -DB before reproducing the problem. After
that enable the rules again to prevent auditd spamming your logfile by