From 5e109b869bb5bc0b05c5b913fc038f70f0d6aefd Mon Sep 17 00:00:00 2001
From: Yonas Habteab <yonas.habteab@icinga.com>
Date: Mon, 3 Nov 2025 17:24:54 +0100
Subject: [PATCH] SELinux: allow `logrotate` to execute `icinga2` binary

---
 tools/selinux/icinga2.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te
index 0f50908da..c8fe4ef07 100644
--- a/tools/selinux/icinga2.te
+++ b/tools/selinux/icinga2.te
@@ -242,7 +242,18 @@ optional_policy(`
     ')
 ')
 
+########################################
+#
+# Logrotate
+#
 
+# Allow logrotate to execute the Icinga 2 binary for sending USR1 signal to reopen log files.
+optional_policy(`
+    require {
+        type logrotate_t;
+    }
+	can_exec(logrotate_t, icinga2_exec_t)
+')
 
 ########################################
 #