Icinga2: Can't send external Icinga command to the local command file "/var/run/icinga2/cmd/icinga2.cmd": Permission denied

This was reported a few times on GitHub, but there was no fix for my problem.

This is a CentOS 6 install of Icinga version 2.10.4.
The command feature is enabled and the socket file exists. Apache is a member of the icingacmd group and the permissions on the socket are rw- for icinga owner and icingacmd group. The directory is rwxr-s--- (2750) and the group is icingacmd. I am not getting any violations in SELinux; it is enabled.

[root@Icinga2 ~]# icinga2 object list --type ExternalCommandListener
Object 'command' of type 'ExternalCommandListener':
% declared in '/etc/icinga2/features-enabled/command.conf', lines 6:1-6:40

  * __name = "command"
  * command_path = "/var/run/icinga2/cmd/icinga2.cmd"
  * name = "command"
  * package = "_etc"
  * source_location
    * first_column = 1
    * first_line = 6
    * last_column = 40
    * last_line = 6
    * path = "/etc/icinga2/features-enabled/command.conf"
  * templates = [ "command" ]
    % = modified in '/etc/icinga2/features-enabled/command.conf', lines 6:1-6:40
  * type = "ExternalCommandListener"
  * zone = ""

I changed SELinux to permissive and rebooted. Now I am seeing violations in the audit log.

yum is not able to find icinga2-selinux. Is that the name of the package for CentOS 7? Is there one for CentOS 6?

Used audit2allow to create a rule module.
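
The permission chain described in the opening post (directory mode 2750, pipe rw- for owner and group, web server user in icingacmd) can be checked from the mode bits alone, which separates a plain file-permission problem from an SELinux denial. This is an added example, not part of the original thread or the Icinga project; the function names, the optional TOP argument and the web server user name "apache" are assumptions.

```shell
#!/bin/sh
# Added example: DAC-only (mode bits) check. It ignores ACLs and SELinux.
# can_access PATH UID "GID ..." NEED   NEED bitmask: 4=read 2=write 1=search
can_access() {
    path=$1; uid=$2; gids=$3; need=$4
    if [ "$uid" -eq 0 ]; then return 0; fi        # root bypasses these mode bits
    st=$(stat -c '%a %u %g' "$path") || return 2  # GNU stat, as on CentOS
    set -- $st
    mode=$((0$1)); owner=$2; group=$3             # leading 0 parses %a as octal
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))               # owner class applies alone
    else
        bits=$(( mode & 7 ))                      # default: "other" class
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 )); fi
        done
    fi
    [ $(( bits & need )) -eq "$need" ]
}

# check_chain PIPE UID "GID ..." [TOP]: search (x) on every directory from the
# pipe's parent up to TOP (default /), then write (w) on the pipe itself.
check_chain() {
    target=$1; who=$2; grps=$3; top=${4:-/}
    dir=$(dirname "$target")
    while :; do
        if ! can_access "$dir" "$who" "$grps" 1; then
            echo "DENY: uid $who cannot traverse $dir"; return 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    if ! can_access "$target" "$who" "$grps" 2; then
        echo "DENY: uid $who cannot write $target"; return 1
    fi
    echo "OK: mode bits allow uid $who to write $target"
}

# Usage on a host like the one in the post (user name "apache" is an assumption):
#   check_chain /var/run/icinga2/cmd/icinga2.cmd "$(id -u apache)" "$(id -G apache)"
```

`id -G` reads the group database, so a web server process started before the user was added to icingacmd still runs without that group until it is restarted. If the check reports OK and the write is still refused, the denial is coming from somewhere other than the mode bits, such as the SELinux violations in the audit log mentioned in this thread.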

Why not switch to the icinga2 API for command transport, as recommended by the docs?
https://icinga.com/docs/icingaweb2/latest/modules/monitoring/doc/05-Command-Transports/#use-the-icinga-2-api

4 Likes

That’s a good idea, since the external command pipe will be deprecated with 2.11. This one sources from the 1.x world and the many problems with file permissions and what not. Btw - the command pipe has no error feedback, in contrast to the REST API.

Cheers,
Michael

1 Like

Hi all,

Just joined the community recently.
I had the same problem, even with icinga2-selinux, policyutils-python and selinux packages all properly installed.

Decided to switch to the API and it works flawlessly.

Cheers,
Marko

Hi Michael,

Not sure if I am reading your message correctly, but the external command pipe still exists in icinga2 2.11. To add to it, the icinga2-selinux package is also there and is part of the Install/Configure docs for Icinga2, including the option of the command pipeline, configured as default.

Can you please provide some details or clarification, in case I misunderstood?

All best,
Marko