
SELinux: Allow Icinga 2 to send SIGTERM signal to nagios plugins#10535

Merged
yhabteab merged 1 commit into Icinga:master from ETES-Stuttgart:patch-1
Jan 23, 2026

Conversation

@ETES-Stuttgart
Contributor

It may happen that a check runs for too long and then needs to be terminated by Icinga. To do this, Icinga must send a kill signal to the check. However, this is not permitted by the current SELinux policy.

@bobapple
Member

@cla-bot check

@bobapple
Member

@cla-bot check

@cla-bot cla-bot bot added the cla/signed label Jan 15, 2026
Member

@yhabteab yhabteab left a comment

Hi @ETES-Stuttgart, thanks for your contribution!

However, Icinga 2 should still be able to send SIGKILL signals even without the changes made in this PR. This privilege is granted by the following interface...

    interface(`icinga2_execstrans',`
        gen_require(`
            type icinga2_t;
        ')
        domtrans_pattern(icinga2_t, $1, $2)
        allow icinga2_t $2:process sigkill;
    ')

...which is used in the type enforcement file here:

icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)

So even without the changes in this PR, Icinga 2 should still have the necessary permissions to send SIGKILL signals to the plugins it executes. Can you please share the SELinux denial messages this PR is intended to address? Even though the PR title suggests it's about allowing SIGKILL, the actual changes you made seem to grant full signal sending capabilities, so maybe there's a different signal involved in the denials you're encountering.

@ETES-Stuttgart
Contributor Author

Hi @yhabteab,
thanks for your information.

We see the following audit message on the servers:

type=AVC msg=audit(1765058560.398:86923): avc:  denied  { signal } for  pid=1389356 comm="icinga2" scontext=system_u:system_r:icinga2_t:s0 tcontext=system_u:system_r:nagios_unconfined_plugin_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1765058560.398:86923): arch=x86_64 syscall=kill success=no exit=EACCES a0=372445 a1=f a2=0 a3=7f96775b7000 items=0 ppid=1389343 pid=1389356 auid=4294967295 uid=992 gid=988 euid=992 suid=992 fsuid=992 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=icinga2 exe=/usr/lib64/icinga2/sbin/icinga2 subj=system_u:system_r:icinga2_t:s0 key=(null)
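The two records above can be decoded mechanically. The following Python script is an added example (it is not part of this PR or of Icinga's code): it parses the AVC and SYSCALL records, joins them by audit serial, reads `a1` of the `kill` syscall as the signal number, maps that to the `process` permission SELinux actually checks for kill(2) (`signull`, `sigkill`, `sigstop` and `sigchld` are distinct permissions; every other signal needs `signal`), and prints the allow rule that matches the denial. The sample input is the two records quoted above, embedded verbatim; the signal numbers used are the Linux x86_64 ones, an assumption taken from `arch=x86_64` in the record.

```python
"""Decode an SELinux AVC denial for kill(2) into the permission it needs.

Added example for the PR discussion; not Icinga or SELinux project code.
"""
import re
import signal

# Constructed sample input: the two audit records quoted in the PR, verbatim.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1765058560.398:86923): avc:  denied  { signal } for  pid=1389356 comm="icinga2" scontext=system_u:system_r:icinga2_t:s0 tcontext=system_u:system_r:nagios_unconfined_plugin_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1765058560.398:86923): arch=x86_64 syscall=kill success=no exit=EACCES a0=372445 a1=f a2=0 a3=7f96775b7000 items=0 ppid=1389343 pid=1389356 auid=4294967295 uid=992 gid=988 euid=992 suid=992 fsuid=992 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=icinga2 exe=/usr/lib64/icinga2/sbin/icinga2 subj=system_u:system_r:icinga2_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<serial>[0-9.]+:\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]*)\} .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\w+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<serial>[0-9.]+:\d+)\): arch=(?P<arch>\w+) "
    r"syscall=(?P<syscall>\w+) .*?\ba1=(?P<a1>[0-9a-f]+)"
)

# Linux x86_64 signal numbers (assumption: the records carry arch=x86_64).
SIGKILL, SIGSTOP, SIGCHLD = 9, 19, 17


def selinux_perm_for_signal(signum: int) -> str:
    """Map a signal number to the process-class permission SELinux checks
    for kill(2). Only 0, SIGKILL, SIGSTOP and SIGCHLD have their own
    permission; everything else (SIGTERM included) is plain 'signal'."""
    if signum == 0:
        return "signull"
    if signum == SIGKILL:
        return "sigkill"
    if signum == SIGSTOP:
        return "sigstop"
    if signum == SIGCHLD:
        return "sigchld"
    return "signal"


def _type_of(context: str) -> str:
    # user:role:type[:range] -> type
    return context.split(":")[2]


def parse_audit(text: str) -> list[dict]:
    """Join AVC and SYSCALL records by audit serial; one event per denial."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        if m := AVC_RE.match(line):
            avcs[m["serial"]] = m.groupdict()
        elif m := SYSCALL_RE.match(line):
            syscalls[m["serial"]] = m.groupdict()
    events = []
    for serial, avc in avcs.items():
        ev = {
            "serial": serial,
            "perms": avc["perms"].split(),
            "sdomain": _type_of(avc["scontext"]),
            "tdomain": _type_of(avc["tcontext"]),
            "tclass": avc["tclass"],
            "syscall": None,
            "signum": None,
            "signal": None,
        }
        sc = syscalls.get(serial)
        if sc:
            ev["syscall"] = sc["syscall"]
            # kill(pid, sig): a0 is the pid, a1 is the signal, both in hex.
            if sc["syscall"] == "kill":
                n = int(sc["a1"], 16)
                ev["signum"] = n
                try:
                    ev["signal"] = signal.Signals(n).name
                except ValueError:
                    ev["signal"] = f"SIG{n}"
        events.append(ev)
    return events


def derive_allow_rules(text: str) -> list[str]:
    """One 'allow src tgt:class perms;' line per denial. The permission
    implied by the signal number is merged with what the AVC record reports,
    so a mismatch between the two shows up as a two-permission rule."""
    rules = []
    for ev in parse_audit(text):
        perms = set(ev["perms"])
        if ev["signum"] is not None:
            perms.add(selinux_perm_for_signal(ev["signum"]))
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {ev['sdomain']} {ev['tdomain']}:{ev['tclass']} {perm_str};")
    return rules


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT):
        print(f"{ev['sdomain']} -> {ev['tdomain']}: denied {ev['perms']} "
              f"while sending {ev['signal']} (signal {ev['signum']})")
    print("\n".join(derive_allow_rules(SAMPLE_AUDIT)))
```

For the records above this yields `allow icinga2_t nagios_unconfined_plugin_t:process signal;`, which is what the existing `sigkill`-only grant in the interface does not cover; adding `signal` for `$2` in the interface covers every domain the interface is instantiated with, not just the one in this denial.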

@yhabteab yhabteab added this to the 2.16.0 milestone Jan 22, 2026
@yhabteab yhabteab added bug Something isn't working consider backporting Should be considered for inclusion in a bugfix release labels Jan 22, 2026
@yhabteab
Member

yhabteab commented Jan 22, 2026

Thanks for sharing!

That AVC denial message indeed indicates that the icinga2 process is being denied permission to send the SIGTERM signal (SIGTERM because the denial message shows a1=f, which corresponds to signal number 15, SIGTERM). I wasn't aware that we even send SIGTERM in case of a check timeout (thanks @dgoetz for finding this out), but apparently we do since #7918. I was a bit puzzled by the denial since @dgoetz already fixed a similar issue in #5982 years ago, but at that time Icinga 2 didn't send SIGTERM to plugins, but SIGKILL. So, this is indeed a new denial that needs to be addressed.

Can you please fix the icinga2_execstrans interface instead though? It's used with way more domains than the ones covered by your changes, so this signal permission should be added there as well to be consistent with the SIGKILL permission that is already present.

@dgoetz
Contributor

dgoetz commented Jan 22, 2026

To summarize what @yhabteab wrote, I would recommend changing:

allow icinga2_t $2:process sigkill;

to:

allow icinga2_t $2:process { signal sigkill };

in icinga2.if.

@ETES-Stuttgart
Contributor Author

@yhabteab Thank you very much for the detailed explanation. I only looked at the low-hanging fruit.
@dgoetz I also think that it is better implemented this way.

@yhabteab yhabteab changed the title Allow Icinga to send (kill-) signal to nagios plugins in SELinux Policy SELinux: Allow Icinga 2 to send SIGTERM signal to nagios plugins Jan 23, 2026
@yhabteab
Member

Ah, sorry! I missed pointing that out yesterday. Can you please add yourself to the AUTHORS file to make the GitHub Action happy? Just follow the existing format and sort alphabetically. Thanks!

@ETES-Stuttgart
Contributor Author

I hope I've got everything now. Thank you for your patience.

@yhabteab
Member

> I hope I've got everything now. Thank you for your patience.

No problem, looks fine now. Thanks!

@yhabteab yhabteab added backport-to-support/2.15 PRs with this label will automatically be backported to the v2.15 support branch. and removed consider backporting Should be considered for inclusion in a bugfix release labels Jan 23, 2026
@yhabteab yhabteab enabled auto-merge January 23, 2026 12:16
@yhabteab yhabteab merged commit 832ecae into Icinga:master Jan 23, 2026
29 checks passed
@backbot-ci

backbot-ci bot commented Jan 23, 2026

Backport failed for support/2.15, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin support/2.15
git worktree add -d .worktree/backport-10535-to-support/2.15 origin/support/2.15
cd .worktree/backport-10535-to-support/2.15
git switch --create backport-10535-to-support/2.15
git cherry-pick -x e4b887b5b67aab9e81fe7d57403b26d99fde331c

Labels

backport-to-support/2.15 PRs with this label will automatically be backported to the v2.15 support branch. bug Something isn't working cla/signed

4 participants