Icinga 2 SELinux policy looking for testers

After talking with Michael at FOSDEM about confining Icinga 2 with its own SELinux policy, I took over this task. After two months of hard work it’s looking good and requires your test feedback.
 

Who?

The main target is creating a policy package for Red Hat Enterprise Linux 7 and its derivatives, so if you are running one of those with SELinux enabled, consider yourself invited. If you are running a different operating system with SELinux enabled and you want to give the policy a try, you are of course welcome too.

Test – but what?

Simply follow the installation instructions to install the SELinux policy package and run Icinga 2 like normal. It does not matter if you are running a small setup or a complex environment – every bit of feedback counts and will help make the policy ready for production. Please also verify and report everything that is working as expected. If the documentation is unclear, let us know in detail, ideally with your proposals. Add all the feedback to the feature request which tracks the development.

More?

Want to know more before getting your hands dirty with testing? The documentation contains links to the SELinux FAQ, the Red Hat Enterprise Linux 7 – SELinux User’s and Administrator’s Guide and, perhaps the best resource for those starting with SELinux, the SELinux Coloring Book. The documentation should explain the SELinux policy package, which confines the Icinga 2 daemon and also allows confining an administrative account to only managing Icinga 2.

Why?

Why should you care about SELinux? Simply because it adds an additional layer of security which mitigates the impact of vulnerabilities. For an example from not too long ago, and perhaps well remembered, have a look at Dan Walsh’s analysis of Shellshock.

Next steps

Collecting your feedback and improving the policy and its documentation comes first. After that the RPM spec file will be modified to provide the policy as a separate package, ensuring that the final installation will be easy as pie. Once everything is reviewed, the development branch will be merged targeting Icinga 2 version 2.4.
Fedora and EPEL packagers may then start their review requests in order to bring Icinga 2 into their repositories.
Similar to the process of enabling Icinga 2 with SELinux, there’s more to do with Icinga Web 2 once it is released in its stable version.
Last but not least, all the created policies should qualify for the upstream reference policy, which means no extra installation packages would be required.
 
For a German version of this post have a look at the Netways blog.

Icinga reaches Debian

It’s been a while since Christoph Maser joined Team Icinga sharing his knowledge about creating RPMs. Those packages can be found in RPMForge 🙂
There were a lot of questions about getting Debian packages for Icinga and finally, we are happy to welcome Alexander Wirt onto Team Icinga!
He is the Debian packager for Nagios and now Icinga and did a really great job bringing fresh Icinga Debian packages to the upstream.
Currently, Debian lenny, sid/squeeze and Ubuntu Karmic are supported. They can be found here – please check it out and tell us about it!
Take a look at README.Debian after installing IDOUtils and make sure to enable the Event Broker Module in icinga.cfg – patching configs during package install is against packaging policy. But again, we are already working on a satisfying solution for that – check #162.
Icinga’s journey is not ending – are you working on BSD ports or any other applicable operating system’s repository? Then please contact us and we will make sure to enlighten the path together for Icinga 🙂
Update 2010-04-09: Icinga got accepted in Debian sid: http://packages.debian.org/sid/icinga – fire up apt and enjoy =)