tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-26 23:24:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Documentation: Remove wrong selinux description

Browse Source 
refs #6704
This commit is contained in:
Michael Friedrich 2014-08-29 12:03:03 +02:00
parent ee5b0afd28
commit a7aba78185
2 changed files with 0 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
doc/2-getting-started.md
View File

@ -749,61 +749,6 @@ Change "www-data" to the user you're using to run queries.
> Packages will do that automatically. Verify that by running `id <your-webserver-user>` and skip this > Packages will do that automatically. Verify that by running `id <your-webserver-user>` and skip this
> step. > step.
> **Note**
>
> With SELinux enabled in `targetted` or `permissive` mode, you need to add a
> new policy allowing external users to access the external command pipe fifo.
> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy)
> provides details on that.
#### <a id="external-command-pipe-selinux-policy"></a> SELinux Policy for External Command Pipe
First, verify that the `/var/log/audit/audit.log` contains errors when accessing
the external command pipe `icinga2.cmd` and use the [audit2allow](http://fedoraproject.org/wiki/SELinux/audit2allow)
tool to generate a type enforcement policy.
# grep 'icinga2.cmd' /var/log/audit/audit.log | audit2allow -m icinga2 > icinga2.te
The generated policy looks like this:
# cat icinga2.te
module icinga2 1.0;
require {
type var_run_t;
type httpd_t;
type ping_t;
class fifo_file { write read getattr open };
}
#============= httpd_t ==============
allow httpd_t var_run_t:fifo_file { write getattr open };
#============= ping_t ==============
allow ping_t var_run_t:fifo_file read;
Now tell `audit2allow` to generate a custom policy module which can be imported
using the `semodule` command.
# grep 'icinga2.cmd' /var/log/audit/audit.log | audit2allow -M icinga2
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i icinga2.pp
# semodule -i icinga2.pp
If you want to remove a custom policy module, obtain a list of modules and
remove it by its name.
# semodule -l
# semodule -r icinga2
That way your [user interfaces](setting-up-icinga2-user-interfaces) and other
tools may write to the command pipe without disabling SELinux.
## <a id="setting-up-livestatus"></a> Setting up Livestatus ## <a id="setting-up-livestatus"></a> Setting up Livestatus
The [MK Livestatus](http://mathias-kettner.de/checkmk_livestatus.html) project The [MK Livestatus](http://mathias-kettner.de/checkmk_livestatus.html) project
@ -851,13 +796,6 @@ are expected to be in `/var/log/icinga2/compat`. A different path can be set usi
# icinga2-enable-feature compatlog # icinga2-enable-feature compatlog
> **Note**
>
> With SELinux enabled in `targetted` or `permissive` mode, you need to add a
> new policy allowing external users to access the Livestatus unix socket.
> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy)
> provides details on that.
## <a id="setting-up-icinga2-user-interfaces"></a> Setting up Icinga 2 User Interfaces ## <a id="setting-up-icinga2-user-interfaces"></a> Setting up Icinga 2 User Interfaces
Icinga 2 is compatible with Icinga 1.x user interfaces by providing additional Icinga 2 is compatible with Icinga 1.x user interfaces by providing additional

13
doc/3-monitoring-basics.md
View File

@ -1631,12 +1631,6 @@ a forced service check:
Oct 17 15:01:25 icinga-server icinga2: Executing external command: [1382014885] SCHEDULE_FORCED_SVC_CHECK;localhost;ping4;1382014885 Oct 17 15:01:25 icinga-server icinga2: Executing external command: [1382014885] SCHEDULE_FORCED_SVC_CHECK;localhost;ping4;1382014885
Oct 17 15:01:25 icinga-server icinga2: Rescheduling next check for service 'ping4' Oct 17 15:01:25 icinga-server icinga2: Rescheduling next check for service 'ping4'
> **Note**
>
> With SELinux enabled in `targetted` or `permissive` mode, you need to add a
> new policy allowing external users to access the external command pipe fifo.
> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy)
> provides details on that.
### <a id="external-command-list"></a> External Command List ### <a id="external-command-list"></a> External Command List
@ -1899,13 +1893,6 @@ Other to the Icinga 1.x Addon, Icinga 2 supports two socket types
Details on the configuration can be found in the [LivestatusListener](#objecttype-livestatuslistener) Details on the configuration can be found in the [LivestatusListener](#objecttype-livestatuslistener)
object configuration. object configuration.
> **Note**
>
> With SELinux enabled in `targetted` or `permissive` mode, you need to add a
> new policy allowing external users to access the Livestatus unix socket.
> The [external command pipe SELinux policy documentation](#external-command-pipe-selinux-policy)
> provides details on that.
### <a id="livestatus-get-queries"></a> Livestatus GET Queries ### <a id="livestatus-get-queries"></a> Livestatus GET Queries
> **Note** > **Note**