Tried sending a custom notification, which worked as expected.
Also, no more entries in audit.log.
Seems like the fix can be confirmed, thank you very much!
If you'd like me to test something else or differently, please let me know.
Happy new year everyone and thanks, once again, for your great work!
Yesterday, I stumbled upon something:
Describe the bug
When changing the corresponding lines in the mail-*-notification.sh scripts to send the notifications directly via smtp server connection (Office365 in my case), SELinux denies that.
It works if the script is called from the terminal as root or the icinga user, but apparently not if it's in the context of the SELinux domain "nagios_notification_plugin_t".
To Reproduce
Change mail lines in script, e.g.:
The default (locally relaying) line, which works:
/usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
To this (sending via authed smtp), which does not:
/usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -S smtp=smtp.office365.com:587 -S smtp-use-starttls -S smtp-auth=login -S smtp-auth-user=icinga@domain.de -S smtp-auth-password=*** -r "icinga@domain.de" -S nss-config-dir=/etc/pki/nssdb/ -S ssl-verify=ignore -s "$SUBJECT" $USEREMAIL
Expected behavior
Notifications should be able to be sent out.
Your Environment
Version used (icinga2 --version):
icinga2 - The Icinga 2 network monitoring daemon (version: 2.11.2-1)
System information:
Platform: CentOS Linux
Platform version: 7 (Core)
Kernel: Linux
Kernel version: 3.10.0-1062.9.1.el7.x86_64
Architecture: x86_64
Build information:
Compiler: GNU 4.8.5
Build host: runner-LTrJQZ9N-project-322-concurrent-0
Application information:
General paths:
Config directory: /etc/icinga2
Data directory: /var/lib/icinga2
Log directory: /var/log/icinga2
Cache directory: /var/cache/icinga2
Spool directory: /var/spool/icinga2
Run directory: /run/icinga2
Old paths (deprecated):
Installation root: /usr
Sysconf directory: /etc
Run directory (base): /run
Local state directory: /var
Internal paths:
Package data directory: /usr/share/icinga2
State path: /var/lib/icinga2/icinga2.state
Modified attributes path: /var/lib/icinga2/modified-attributes.conf
Objects path: /var/cache/icinga2/icinga2.debug
Vars path: /var/cache/icinga2/icinga2.vars
PID path: /run/icinga2/icinga2.pid
yum list installed | grep icinga
icinga-rpm-release.noarch 7-4.el7.icinga @icinga-stable-release
icinga2.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
icinga2-bin.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
icinga2-common.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
icinga2-ido-mysql.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
icinga2-selinux.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
icingacli.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-common.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-selinux.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-HTMLPurifier.noarch
1:2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-JShrink.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-Parsedown.noarch
2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-dompdf.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-lessphp.noarch 2.7.3-1.el7.icinga @icinga-stable-release
icingaweb2-vendor-zf1.noarch 2.7.3-1.el7.icinga @icinga-stable-release
php-Icinga.noarch 2.7.3-1.el7.icinga @icinga-stable-release
vim-icinga2.x86_64 2.11.2-1.el7.icinga @icinga-stable-release
Operating System and version:
Centos7
Linux *** 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
SELinux Enforcing
Enabled features (icinga2 feature list):
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker ido-mysql mainlog notification
Icinga Web 2 version and modules (System - About):
2.7.3
Git commit: 06cabfe8ba28cf545a42c92f25484383191a4e51
PHP Version: 7.1.30
Git commit date: 2019-10-18
Modules:
director | 1.7.2
doc | 2.7.3
incubator | 0.5.0
ipl | v0.4.0
monitoring | 2.7.3
reactbundle | 0.7.0
vsphere | 1.1.0
Config validation (icinga2 daemon -C):
[2020-01-03 09:20:36 +0100] information/cli: Icinga application loader (version: 2.11.2-1)
[2020-01-03 09:20:36 +0100] information/cli: Loading configuration file(s).
[2020-01-03 09:20:36 +0100] information/ConfigItem: Committing config item(s).
[2020-01-03 09:20:36 +0100] information/ApiListener: My API identity: srv-l-mon-00.lh.local
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'agent-health-check' (in /etc/icinga2/conf.d/cluster.conf: 28:1-28:48) for type 'Dependency' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'agent-health' (in /etc/icinga2/conf.d/cluster.conf: 16:1-16:28) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'disk' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 93:1-93:20) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'load' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 101:1-101:20) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'mem' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 109:1-109:19) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'interfaces' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 117:1-117:26) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'ping' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 125:1-125:20) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'procs' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 133:1-133:21) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'uptime' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 141:1-141:22) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] warning/ApplyRule: Apply rule 'users' (in /var/lib/icinga2/api/packages/director/9e25b7db-bc64-44c2-9ab3-4a14b9be9eec/zones.d/director-global/servicesets.conf: 149:1-149:21) for type 'Service' does not match anywhere!
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 FileLogger.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 2 NotificationCommands.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 NotificationComponent.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 2702 Notifications.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 11 HostGroups.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 114 Hosts.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 13 Downtimes.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 CheckerComponent.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 115 Zones.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 113 Endpoints.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 ApiUser.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 UserGroup.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 ApiListener.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 235 CheckCommands.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 3 TimePeriods.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 3 Users.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 1237 Services.
[2020-01-03 09:20:37 +0100] information/ConfigItem: Instantiated 3 ServiceGroups.
[2020-01-03 09:20:37 +0100] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2020-01-03 09:20:37 +0100] information/cli: Finished validating the configuration file(s).
The following is logged by auditd:
audit.log
Workaround:
Set "nagios_notification_plugin_t" to permissive:
$ sudo semanage permissive -a nagios_notification_plugin_t
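Making the whole domain permissive stops enforcement for everything the notification plugins do, so it helps to see first exactly which accesses were denied. The following is an added example, not part of the original issue or the Icinga project's code: it summarises AVC denials for one source domain. The audit records (including the cert_t denial) and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): list which accesses SELinux denied to one domain.

# Constructed audit records; the reporter's audit.log is not reproduced on the page.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1578039636.101:901): avc:  denied  { name_connect } for  pid=4121 comm="mailx" dest=587 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1578039636.101:901): arch=c000003e syscall=42 success=no exit=-13 comm="mailx"
type=AVC msg=audit(1578039696.409:916): avc:  denied  { read } for  pid=4188 comm="mailx" name="cert9.db" scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1578039696.412:917): avc:  denied  { name_connect } for  pid=4188 comm="mailx" dest=587 scontext=system_u:system_r:nagios_notification_plugin_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1578039700.002:920): avc:  denied  { name_connect } for  pid=977 comm="httpd" dest=5665 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# summarize_avc DOMAIN: read audit records on stdin and print one line per distinct
# denial for DOMAIN as "<target_type>:<class> <perms> [dest=<port>] count=<n>".
summarize_avc() {
  awk -v dom="$1" '
    /avc:/ && /denied/ {
      # Permission list is the text between the braces; join multiple with commas.
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ +/, ",", perms)
      src = tgt = cls = port = ""
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level, so the type is the third field.
        if      ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   { cls  = substr($i, 8) }
        else if ($i ~ /^dest=/)     { port = " dest=" substr($i, 6) }
      }
      # Keep only denials whose source type is the domain under review.
      if (src == dom) seen[tgt ":" cls " " perms port]++
    }
    END { for (k in seen) print k " count=" seen[k] }
  ' | LC_ALL=C sort
}

# On a real host, feed it live records instead of the sample:
#   ausearch -m AVC --raw | summarize_avc nagios_notification_plugin_t
sample_audit_log | summarize_avc nagios_notification_plugin_t
```

Each output line is one distinct access that a targeted policy rule would have to cover; an empty result after a policy update and a test notification means the domain no longer hits denials.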