Description
Updated to client r2.15.1-1 on my RHEL 8 & 9 servers and found the following error the next day.
SELinux is preventing sh from read access on the file /usr/sbin/icinga2.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sh should be allowed read access on the icinga2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp
Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:icinga2_exec_t:s0
Target Objects /usr/sbin/icinga2 [ file ]
Source sh
Source Path sh
Port <Unknown>
Host prdacme
Source RPM Packages
Target RPM Packages icinga2-2.15.1-1.el8.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name prdacme
Platform Linux prdacme 4.18.0-553.80.1.el8_10.x86_64 #1 SMP
Fri Oct 10 03:51:59 EDT 2025 x86_64 x86_64
Alert Count 1
First Seen 2025-10-28 03:31:01 CET
Last Seen 2025-10-28 03:31:01 CET
Local ID b6a0f370-e107-4cf5-9321-e5aafe112aa8
Raw Audit Messages
type=AVC msg=audit(1761618661.91:17971): avc: denied { read } for pid=137463 comm="sh" name="icinga2" dev="dm-0" ino=302356 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:icinga2_exec_t:s0 tclass=file permissive=0
SELinux Bools on the server.
httpd_can_connect_icinga2_api --> on
httpd_can_write_icinga2_command --> on
icinga2_can_connect_all --> off
icinga2_run_sudo --> off
icinga2adm_exec_content --> on
Icinga Version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.15.1-1)
Copyright (c) 2012-2025 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
System information:
Platform: Red Hat Enterprise Linux
Platform version: 8.10 (Ootpa)
Kernel: Linux
Kernel version: 4.18.0-553.80.1.el8_10.x86_64
Architecture: x86_64
Build information:
Compiler: GNU 8.5.0
Build host: unknown
OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
Application information:
General paths:
Config directory: /etc/icinga2
Data directory: /var/lib/icinga2
Log directory: /var/log/icinga2
Cache directory: /var/cache/icinga2
Spool directory: /var/spool/icinga2
Run directory: /run/icinga2
Old paths (deprecated):
Installation root: /usr
Sysconf directory: /etc
Run directory (base): /run
Local state directory: /var
Internal paths:
Package data directory: /usr/share/icinga2
State path: /var/lib/icinga2/icinga2.state
Modified attributes path: /var/lib/icinga2/modified-attributes.conf
Objects path: /var/cache/icinga2/icinga2.debug
Vars path: /var/cache/icinga2/icinga2.vars
PID path: /run/icinga2/icinga2.pid
A temporary workaround is possible by replacing the /usr/bin/icinga2 line with a systemctl restart in /etc/logrotate.d/icinga2.
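Added example, not part of the original report or of the Icinga project's code: a small Python parser for the raw AVC record quoted above. It splits the source and target contexts and renders the single type-enforcement rule the denial corresponds to, so the scope of a module produced by audit2allow can be reviewed before it is installed. The function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Raw AVC record copied from the report above.
SAMPLE = ('type=AVC msg=audit(1761618661.91:17971): avc: denied { read } for '
          'pid=137463 comm="sh" name="icinga2" dev="dm-0" ino=302356 '
          'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:icinga2_exec_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<secs>\d+)\.\d+:\d+\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}

def parse_avc(line):
    """Return the fields of one AVC audit record as a dict."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    return {
        "time": datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc),
        "result": m["result"],
        "perms": m["perms"].split(),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "enforced": fields.get("permissive") == "0",
    }

def te_rule(rec):
    """Render the type-enforcement rule that would permit exactly this access."""
    perms = rec["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f'allow {rec["source"]["type"]} '
            f'{rec["target"]["type"]}:{rec["tclass"]} {perm_txt};')

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["time"].isoformat(), rec["comm"], "->", rec["name"], te_rule(rec))
```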