diff --git a/doc/2-getting-started.md b/doc/2-getting-started.md index 7ec0394f1..8eeffd4c0 100644 --- a/doc/2-getting-started.md +++ b/doc/2-getting-started.md @@ -749,61 +749,6 @@ Change "www-data" to the user you're using to run queries. > Packages will do that automatically. Verify that by running `id ` and skip this > step. -> **Note** -> -> With SELinux enabled in `targetted` or `permissive` mode, you need to add a -> new policy allowing external users to access the external command pipe fifo. -> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy) -> provides details on that. - -#### SELinux Policy for External Command Pipe - -First, verify that the `/var/log/audit/audit.log` contains errors when accessing -the external command pipe `icinga2.cmd` and use the [audit2allow](http://fedoraproject.org/wiki/SELinux/audit2allow) -tool to generate a type enforcement policy. - - # grep 'icinga2.cmd' /var/log/audit/audit.log | audit2allow -m icinga2 > icinga2.te - -The generated policy looks like this: - - # cat icinga2.te - - module icinga2 1.0; - - require { - type var_run_t; - type httpd_t; - type ping_t; - class fifo_file { write read getattr open }; - } - - #============= httpd_t ============== - allow httpd_t var_run_t:fifo_file { write getattr open }; - - #============= ping_t ============== - allow ping_t var_run_t:fifo_file read; - -Now tell `audit2allow` to generate a custom policy module which can be imported -using the `semodule` command. - - # grep 'icinga2.cmd' /var/log/audit/audit.log | audit2allow -M icinga2 - ******************** IMPORTANT *********************** - To make this policy package active, execute: - - semodule -i icinga2.pp - - # semodule -i icinga2.pp - -If you want to remove a custom policy module, obtain a list of modules and -remove it by its name. - - # semodule -l - # semodule -r icinga2 - -That way your [user interfaces](setting-up-icinga2-user-interfaces) and other -tools may write to the command pipe without disabling SELinux. - - ## Setting up Livestatus The [MK Livestatus](http://mathias-kettner.de/checkmk_livestatus.html) project @@ -851,13 +796,6 @@ are expected to be in `/var/log/icinga2/compat`. A different path can be set usi # icinga2-enable-feature compatlog -> **Note** -> -> With SELinux enabled in `targetted` or `permissive` mode, you need to add a -> new policy allowing external users to access the Livestatus unix socket. -> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy) -> provides details on that. - ## Setting up Icinga 2 User Interfaces Icinga 2 is compatible with Icinga 1.x user interfaces by providing additional diff --git a/doc/3-monitoring-basics.md b/doc/3-monitoring-basics.md index c6ad0ba5d..d826f6e20 100644 --- a/doc/3-monitoring-basics.md +++ b/doc/3-monitoring-basics.md @@ -1631,12 +1631,6 @@ a forced service check: Oct 17 15:01:25 icinga-server icinga2: Executing external command: [1382014885] SCHEDULE_FORCED_SVC_CHECK;localhost;ping4;1382014885 Oct 17 15:01:25 icinga-server icinga2: Rescheduling next check for service 'ping4' -> **Note** -> -> With SELinux enabled in `targetted` or `permissive` mode, you need to add a -> new policy allowing external users to access the external command pipe fifo. -> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy) -> provides details on that. ### External Command List @@ -1899,13 +1893,6 @@ Other to the Icinga 1.x Addon, Icinga 2 supports two socket types Details on the configuration can be found in the [LivestatusListener](#objecttype-livestatuslistener) object configuration. -> **Note** -> -> With SELinux enabled in `targetted` or `permissive` mode, you need to add a -> new policy allowing external users to access the Livestatus unix socket. -> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy) -> provides details on that. - ### Livestatus GET Queries > **Note**