SELinux: Add InfluxDB as example for services requiring `icinga2_can_connect_all`.

Fixes #5915
Dirk Goetz 2018-01-15 14:49:28 +01:00 committed by Jean Flach
parent 87f8ca5b79
commit bef37a3051
2 changed files with 6 additions and 3 deletions


@ -333,6 +333,9 @@ predominantly affects Windows paths e.g. `C:\` becomes `C:_`.
The database is assumed to exist so this object will make no attempt to create it currently.
If [SELinux](22-selinux.md#selinux) is enabled, it will not allow access for Icinga 2 to InfluxDB until the [boolean](22-selinux.md#booleans)
`icinga2_can_connect_all` is set to true as InfluxDB is not providing its own policy.
More configuration details can be found [here](09-object-types.md#objecttype-influxdbwriter).
#### Instance Tagging <a id="influxdb-writer-instance-tags"></a>
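
Review bot: The added sentence about `icinga2_can_connect_all` tells the reader to set the boolean to true but says neither what that grants nor how to set it. The boolean's description changed in this same commit states that it allows icinga2 to connect to all ports, so mention that scope here in a few words so the reader knows what is being opened up for a single InfluxDB connection, and consider showing the command (`setsebool -P icinga2_can_connect_all true`). The phrase "it will not allow access for Icinga 2 to InfluxDB" would also read better as "Icinga 2 is not allowed to connect to InfluxDB".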


@ -104,15 +104,15 @@ SELinux is based on the least level of access required for a service to run. Usi
**icinga2_can_connect_all**
Having this boolean enabled allows icinga2 to connect to all ports. This can be necessary if you use features which connect to unconfined services.
Having this boolean enabled allows icinga2 to connect to all ports. This can be necessary if you use features which connect to unconfined services, for example the [influxdb writer](14-features.md#influxdb-writer).
**httpd_can_write_icinga2_command**
Having this boolean enabled allows httpd to write to the command pipe of icinga2. This is enabled by default, if not needed you can disable it for more security.
To allow httpd to write to the command pipe of icinga2 this boolean has to be enabled. This is enabled by default, if not needed you can disable it for more security.
**httpd_can_connect_icinga2_api**
Having this boolean enabled allows httpd to connect to the API of icinga2 (Ports labeled icinga2_port_t). This is enabled by default, if not needed you can disable it for more security.
Enabling this boolean allows httpd to connect to the API of icinga2 (Ports labeled `icinga2_port_t`). This is enabled by default, if not needed you can disable it for more security.
### Configuration Examples <a id="selinux-policy-examples"></a>
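
Review bot: The rewording of the `httpd_can_write_icinga2_command` and `httpd_can_connect_icinga2_api` descriptions is unrelated to the InfluxDB example named in the commit message, and it leaves the three booleans with three different sentence patterns ("Having this boolean enabled allows ...", "To allow ... this boolean has to be enabled", "Enabling this boolean allows ..."). Keep one pattern for all three, or move the rewording into its own commit. In the `icinga2_can_connect_all` line, the link text "influxdb writer" should be written "InfluxDB writer" to match the spelling used in the features chapter hunk, and the comma splice in "This is enabled by default, if not needed you can disable it" is carried over unchanged in both httpd entries.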