Problems with open_basedir & selinux when using custom dashboards

Hello,

We are starting our transition to icinga2 from nagios. As we use chef, I'm working on our deployment in a staging environment and making the base configuration of icinga2 and icingaweb2.

We care about security and use open_basedir restrictions on our php-fpm server, and selinux as well.

When I first tried to create a custom dashboard, the server said:

is_dir(): open_basedir restriction in effect. File(/etc/) is not within the allowed path(s): (/var/www/html:/var/log/icingaweb2:/usr/share/icingaweb2/:/usr/share/php/:/etc/icingaweb2/:/opt/rh/rh-php71:/tmp/)

Note that we have included /etc/icingaweb2 in our open_basedir restriction, but for some reason PHP is asking about /etc/. Suppose we add /etc, which is not very secure for us; then selinux complains about a bad label on that path, and a grep on /var/log/audit shows:

grep denied /var/log/audit/audit.log|audit2allow


#============= httpd_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow httpd_t etc_t:dir write;

So:

  • Why write to /etc/ from a webapp? Wouldn't it be better to keep HTTP-written files under the share dir /usr/share/icingaweb2?
  • Can we change the default dashboards path in the icingaweb2 config? (I didn't find anything.)

Hi,

Supposedly is_dir needs to open a path’s parent in order to do its job. For the default config directory /etc/icingaweb2 this is of course /etc.

You can change the config directory using the environment variable ICINGAWEB_CONFIGDIR.

1 Like

Finally added /etc/ to the PHP setting open_basedir. Also labeled /etc/icingaweb2/dashboards with httpd_sys_rw_content_t.

Thanks!

1 Like
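
A pre-deployment check for the point made in the reply about is_dir and ICINGAWEB_CONFIGDIR: given an open_basedir value and a candidate config directory, it reports whether both the directory and its parent fall inside the allowed paths. This is an added example, not code from the thread or from Icinga Web 2; it matches directory names only, without the symlink resolution PHP performs, and /srv/icingaweb2 is a hypothetical location.

```shell
# Simplified open_basedir check: directory matching only (PHP also resolves symlinks).
# open_basedir value copied from the error message in the first post.
PAGE_BASEDIR='/var/www/html:/var/log/icingaweb2:/usr/share/icingaweb2/:/usr/share/php/:/etc/icingaweb2/:/opt/rh/rh-php71:/tmp/'
# Constructed alternative: the same list plus a hypothetical /srv/icingaweb2/ entry.
ALT_BASEDIR="$PAGE_BASEDIR:/srv/icingaweb2/"

# Strip trailing slashes so "/etc/" and "/etc" compare equal ("/" stays "/").
normalize() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# in_basedir PATH LIST: exit 0 if PATH equals, or lies below, an entry of LIST.
in_basedir() {
    target=$(normalize "$1")
    result=1
    old_ifs=$IFS; IFS=:; set -f          # split LIST on ":" without globbing
    for entry in $2; do
        [ -n "$entry" ] || continue
        entry=$(normalize "$entry")
        case "$target/" in
            "${entry%/}/"*) result=0 ;;  # whole path components only
        esac
    done
    IFS=$old_ifs; set +f
    return "$result"
}

# check_configdir DIR LIST: test DIR and its parent, since per the reply is_dir()
# also has to open the parent. Exit 1 if either would be refused.
check_configdir() {
    dir=$(normalize "$1")
    parent=$(dirname "$dir")
    rc=0
    for candidate in "$dir" "$parent"; do
        if in_basedir "$candidate" "$2"; then
            echo "ok      $candidate"
        else
            echo "DENIED  $candidate (not within open_basedir)"
            rc=1
        fi
    done
    return "$rc"
}

check_configdir /etc/icingaweb2 "$PAGE_BASEDIR" || true   # parent /etc is refused
check_configdir /srv/icingaweb2/config "$ALT_BASEDIR"     # both paths allowed
```

The first argument is the value you intend to give ICINGAWEB_CONFIGDIR; a directory that passes still needs a writable SELinux label such as httpd_sys_rw_content_t on the parts the web application writes to.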