[Xymon] Conn test fails after server reboot - solved

John Horne john.horne at plymouth.ac.uk
Tue Jul 17 13:58:13 CEST 2012


On Tue, 2012-07-17 at 03:51 -0700, cleaver at terabithia.org wrote:
> 
> > On Thu, 2012-07-12 at 10:35 +0100, John Horne wrote:
> > Hello,
> >
> > Sorry, but this turned out to be an SELinux problem. 'fping' is denied
> > write access to files in the ~/server/tmp directory on the Xymon server.
> > However, fping records its results in that directory, and Xymon looks at
> > them to see if a client is alive or not. Since there were no results,
> > because of SELinux, Xymon figured that all the clients were down.
> >
> > I have created a local SELinux policy to allow writes for fping and that
> > seems to work. (I have rebooted the Xymon server and it didn't show any
> > red ping/conn tests.)
> >
> > The clients don't use 'fping' so they don't have this problem.
> >
> > Why did restarting the Xymon service (not the server) allow the tests to
> > turn green? Not sure.
> >
> 
> SELinux policies distinguish between appending, writing, and seeking in
> many cases. I don't recall the details, but I remember needing to futz
> with different policies to figure out what was going on as well. Was
> anything interesting going on in the audit logs at the time?
> 
Hi,

Nothing else was going on in the logs at the time that the fpings were
stopped. The log showed that it was a write denial:

=============================
type=AVC msg=audit(1342195229.681:349): avc:  denied  { write } for
pid=25973 comm="fping"
path="/home/xymon/server/tmp/ping-stderr.25955.00" dev=sdb1 ino=1587865
scontext=system_u:system_r:ping_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file
=============================

Using audit2allow to create a policy allowing writes in 'tmp' solved the
problem.




John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001


