Icinga2: Can't send external Icinga command to the local command file "/var/run/icinga2/cmd/icinga2.cmd": Permission denied

RoyceTheBiker · April 10, 2019, 9:44pm

This was reported a few times in GitHub but no fix for my problem.

This is a CentOS6 install of Icinga version 2.10.4
The command feature is enabled and the socket file exists. Apache is a member of the icingacmd group and the permissions on the socket are rw- for icinga owner and icingacmd group. The directory is rwxr-s— (2750) and the group is icingacmd. I am not getting any violations in seLinux, it is enabled.

[root@Icinga2 ~]# icinga2 object list --type ExternalCommandListener
Object ‘command’ of type ‘ExternalCommandListener’:
% declared in ‘/etc/icinga2/features-enabled/command.conf’, lines 6:1-6:40

__name = “command”

command_path = “/var/run/icinga2/cmd/icinga2.cmd”

name = “command”

package = “_etc”

source_location

first_column = 1

first_line = 6

last_column = 40

last_line = 6

path = “/etc/icinga2/features-enabled/command.conf”

templates = [ “command” ]
% = modified in ‘/etc/icinga2/features-enabled/command.conf’, lines 6:1-6:40

type = “ExternalCommandListener”

zone = “”

RoyceTheBiker · April 10, 2019, 9:56pm

I changed seLinux to permissive and rebooted. Now I am seeing violations in the audit log.

yum is not able to find icinga2-selinux. Is that name of the package for CentOS 7? Is there one for CentOS 6?

RoyceTheBiker · April 10, 2019, 10:25pm

Used audit2allow to create a rule module.

log1c · April 11, 2019, 6:20am

Why not switch to the icinga2 API for command transport, as recommended by the docs?
https://icinga.com/docs/icingaweb2/latest/modules/monitoring/doc/05-Command-Transports/#use-the-icinga-2-api

dnsmichi · April 11, 2019, 8:41am

That’s a good idea, since the external command pipe will be deprecated with 2.11. This one sources from the 1.x world and the many problems with file permissions and what not. Btw - the command pipe has no error feedback, in contrast to the REST API.

Cheers,
Michael

mvrgotix · March 31, 2020, 12:02pm

Hi all,

Just joined the community recently.
I had same problem, even with icinga2-selinux, policyutils-python and selinux packages all properly installed.

Decided to switch to API and it works flawlessly.

Cheers,
Marko

mvrgotix · March 31, 2020, 12:06pm

Hi Michael,

Not sure if I am reading your message correctly, but external command pipe still exists in 2.11 icinga2. To add to it, the icinga2-selinux package is also there and part of Install/Configure docs for Icinga2, including option of command pipeline, configured as default.

Can you please provide some details or clarification, in case I misunderstood?

All best,
Marko