Hiccups while installing icingaweb2 on RHEL 8.4

Configuring firewall is required as described here

firewall-cmd --add-service=http
firewall-cmd --permanent --add-service=http

but it is not mentioned here.

Icingaweb2’s setup reports this error:

The directory /etc/icingaweb2 is not writable.

However :

  • httpd is running as user apache
  • user apache is member of group icingaweb2
  • /etc/icingaweb2/ is owned by group icingaweb2
ll /etc/icingaweb2/
total 4
drwxrws---. 4 root icingaweb2 38 May 28 14:55 modules
-rw-rw----. 1 root icingaweb2 16 May 28 15:12 setup.token

Any idea what’s wrong?

Well, we don’t mention that a network connection is required either. Sorry, but this is out of scope for such a installation documentation. It’s not a guide.

Sounds like a systemd issue.

Hi @rsx

Did you check selinux status?

This does not work for me. #207 does not help either.

In /var/log/messages I find

May 31 12:17:30 monitoring setroubleshoot[2464]: SELinux is preventing /usr/sbin/php-fpm from write access on the directory /etc/icingaweb2.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow php-fpm to have write access on the icingaweb2 directory
Then you need to change the label on /etc/icingaweb2
# semanage fcontext -a -t FILE_TYPE '/etc/icingaweb2'
where FILE_TYPE is one of the following: abrt_retrace_spool_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, awstats_ra_content_t, awstats_rw_content_t, bugzilla_ra_content_t, bugzilla_rw_content_t, collectd_ra_content_t, collectd_rw_content_t, cvs_ra_content_t, cvs_rw_content_t, dirsrv_config_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_ra_content_t, dirsrvadmin_rw_content_t, dirsrvadmin_tmp_t, dspam_ra_content_t, dspam_rw_content_t, git_ra_content_t, git_rw_content_t, httpd_cache_t, httpd_log_t, httpd_squirrelmail_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_var_lib_t, httpd_var_run_t, jetty_cache_t, jetty_log_t, jetty_tmp_t, jetty_unit_file_t, jetty_var_lib_t, jetty_var_run_t, keystone_cgi_ra_content_t, keystone_cgi_rw_content_t, krb5_host_rcache_t, man2html_ra_content_t, man2html_rw_content_t, mediawiki_ra_content_t, mediawiki_rw_content_t, mediawiki_tmp_t, mirrormanager_var_run_t, mojomojo_ra_content_t, mojomojo_rw_content_t, munin_ra_content_t, munin_rw_content_t, mythtv_ra_content_t, mythtv_rw_content_t, nagios_ra_content_t, nagios_rw_content_t, nutups_cgi_ra_content_t, nutups_cgi_rw_content_t, openshift_ra_content_t, openshift_rw_content_t, passenger_tmp_t, passenger_var_run_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, prewikka_ra_content_t, prewikka_rw_content_t, smokeping_cgi_ra_content_t, smokeping_cgi_rw_content_t, squid_ra_content_t, squid_rw_content_t, squirrelmail_spool_t, systemd_passwd_var_run_t, tmp_t, tmpfs_t, user_tmp_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, w3c_validator_ra_content_t, w3c_validator_rw_content_t, webalizer_ra_content_t, webalizer_rw_content_t, zarafa_var_lib_t, zoneminder_ra_content_t, zoneminder_rw_content_t, zoneminder_var_lib_t.
Then execute:
restorecon -v '/etc/icingaweb2'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that php-fpm should be allowed write access on the icingaweb2 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp

It’s a selinux issue just like @sreekanth mentioned. There should be a package icingaweb2-selinux available to install that takes care of that.

Be sure to also check the official docs on this matter.