After discussing with Michael at FOSDEM about confining Icinga 2 with its own SELinux policy I took over this task. After two months of hard work it’s looking good and requires your test feedback.


The main target is creating a policy package for Red Hat Enterprise Linux 7 and its derivates, so if you are running one of those with SELinux enabled, consider yourself invited. If you are running a different operating system with SELinux enabled and you want to give the policy a try you are  of course welcome too.

Test – but what?

Simply follow the installation instructions to install the SELinux policy package and run Icinga 2 like normal. It does not matter if you are running a small setup or a complex environment – every little feedback counts and will help making the policy ready for production. Also please verify and report everything working as expected. If the documentation is unclear, let us know with in detail and best with your proposals. Add all the feedback to the feature request which tracks the development.


SELinux Coloring Book

Want to know more about before getting your hands dirty on testing? The documentation contains links to the SELinux FAQ, the Red Hat Enterprise Linux 7 – SELinux User’s and Administrator’s Guide and perhaps the best resource the SELinux Coloring Book for those starting with SELinux. The documentation should explain the SELinux policy package which confines the Icinga 2 daemon and also allows to confine an administrative account for only managing Icinga 2.


Why should you care about SELinux? Simply because it adds an additional layer of security which mitigates the impact of vulnerabilities. For example, not to long ago and perhaps well remembered have a look at Dan Walsh analyse of shellshock.

Next steps

Collecting your feedback and improving the policy and its documentation comes first. After that the RPM spec file will be modified providing the policy as separate package, ensuring that the final installation will be easy as pie. Once everything is reviewed, the development branch will be merged targeting Icinga 2 version 2.4.
Fedora and EPEL packagers may then start their review requests in order to bring Icinga 2 into their repositories.
Similar to the process of enabling Icinga 2 with SELinux, there’s more to do with Icinga Web 2 once it is released in its stable version.
Last but not least all the created policies should qualify for the upstream reference policy which means no extra installation packages required.
For a German version of this post have a look at the Netways blog.