[Xymon] Dependencies for xymond and xymonnet (with particular reference to JC's terabithia.org RPMs)

J.C. Cleaver cleaver at terabithia.org
Sat Mar 14 03:22:16 CET 2015


On Fri, March 13, 2015 2:51 am, SebA wrote:

>>
>> The semanage stuff from policycoreutils-python is SELinux. Aside from the
>> error output, it should be safe to ignore that as well.
>
> The (mini-)server does have SELinux enabled and enforced though, so I
> assumed that I would need the tools the RPM wants for configuring
> everything correctly for SELinux?


Yeah, does sound like you'd had policycoreutils installed, but not
policycoreutils-python. For loadable policies modification, semanage
really is the tool most appropriate for the job. (I actually kind of find
it a little odd it's not in the base package, or @base package set.)

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html


>
>> Alas, you're correct in that yum will attempt to continue to pull in
>> dependencies when they're available, so you'll continue to get these
>> warnings.
>
> Actually, I hadn't considered that it might continue trying to get httpd
> et al whenever I do a yum update, but it does not seem to be doing it so
> far. I suppose it will if a new xymon package is available...
>

Correct. "yum check" might complain too about existing errors.



>> I'd given consideration to splitting things out into xymon-xymonnet,
>> xymon-proxy, xymon-server, xymon-xymongen and the like (in fact, a really,
>> really old version of the RPM did just that), but it really felt like more
>> complexity (and effort) than it was worth, especially since the upstream
>> had had unified things together.
>>
>> If there's enough demand, I'm open to creating sub-packages for it. But it
>> does rather significantly increase complexity for people doing installs
>> since they have to think of the different components coming in. The flip
>> side is that for cases such as yours, or in micro-sized cloud/container
>> environments, you can install the base RPM and avoid bringing in other
>> dependencies.
>
> And for the security nuts who don't want things installed that they don't
> need.

Quite true.

To do this right will also mean breaking out the various utilities
(xymongen, xymonnet, xymonproxy, etc.) into their own tasks.d/ snippets
instead of the monolithic tasks.cfg given out now...

This is something that might be best done at a 4.4.x release, to help ease
transition pain.


> Only if it can still configure SELinux correctly using other methods?
> chcon was already installed and available (part of coreutils)... Otherwise
> I would rather know there was a problem.


Policy loading and context setting again really ought to be done with
semanage, otherwise you're not making a permanent change.


Regards,

-jc




