[Xymon] First time installed, and set up xymon, failed, NEED helps please.
EDSchminke at Hormel.com
Thu Sep 28 16:00:27 CEST 2017
*****PLEASE***** do NOT leave SELinux in permissive mode. (http://stopdisablingselinux.com/)
I have beaten SELinux into submission to make Xymon work the way I need it
to. You can do the same by following my procedure below, or by watching
Thomas Cameron's lecture from Red Hat Summit a couple of years ago, "SELinux For
Mere Mortals" (https://www.youtube.com/watch?v=cNoVgDqqJmM). I built mine
from the tips given in this video.
As root:
#> setsebool -P httpd_enable_homedirs on
#> setsebool -P httpd_read_user_content on
A few things can't be done for Xymon by simply changing SELinux booleans.
I've curated a number of SELinux policy exceptions over the past couple
years in order to make Xymon and SELinux play nice together. You can
create yours by doing this:
## vvvvvv ---- copy everything below this line ---- vvvvvv ##
module xymon 1.0;
require {
type unconfined_t;
type var_log_t;
type initrc_t;
type admin_home_t;
type httpd_t;
type user_home_t;
type fonts_cache_t;
type port_t;
class tcp_socket name_connect;
class file { rename execute setattr read create execute_no_trans
write getattr unlink open };
class sock_file write;
class lnk_file { create unlink };
class unix_dgram_socket sendto;
class dir { write rmdir setattr remove_name create add_name };
}
#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
allow httpd_t fonts_cache_t:dir setattr;
allow httpd_t initrc_t:unix_dgram_socket sendto;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_dgram_socket sendto;
allow httpd_t user_home_t:dir rmdir;
allow httpd_t user_home_t:dir { write remove_name create add_name };
allow httpd_t user_home_t:file setattr;
allow httpd_t user_home_t:file { rename write execute create unlink
execute_no_trans };
allow httpd_t user_home_t:lnk_file { create unlink };
allow httpd_t user_home_t:sock_file write;
allow httpd_t var_log_t:file read;
## ^^^^^ ---- to everything above this line ---- ^^^^^^ ##
Paste what you've copied into a file (it doesn't matter where); I've used the
name "xymon.te":
#> vi xymon.te
Run the following commands to build the SELinux policy module:
#> checkmodule -M -m -o xymon.mod xymon.te
#> semodule_package -m xymon.mod -o xymon.pp
Run this command to install the policy module.
#> semodule -i xymon.pp
Change your /etc/sysconfig/selinux back to "enforcing".
Reboot.
If you see any funkiness, watch /var/log/audit/audit.log for AVC denials.
#> grep type=AVC /var/log/audit/audit.log | grep denied
If you see anything in there, it means it's time to "build a policy
exception" not "disable SELinux".
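As an added example (not part of Erik's message, and not Xymon's own tooling), here is a small Python triage script for the grep step above: it parses the AVC records in audit.log, aggregates the denied permissions per source type, target type and object class, renders them as the TE allow rules you would add to xymon.te (the same shape audit2allow produces, so they can be compared line by line with the module above), and flags permissions such as execute that deserve a second look before a network-facing domain like httpd_t is granted them. It goes a bit beyond the grep by also surfacing the permissive=1 marker, which is how you spot denials that were only logged, not enforced. The audit lines are constructed sample data and the REVIEW_PERMS list is my own choice.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (sample data, not taken from a real host). A SYSCALL
# record is interleaved, as it would be in a real log, to show non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1506612027.101:301): avc:  denied  { read } for  pid=2101 comm="httpd" name="xymon.log" dev="dm-0" ino=5511 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1506612027.101:301): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1506612027.102:302): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=1984 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1506612027.103:303): avc:  denied  { write add_name } for  pid=2102 comm="httpd" name="tmp" dev="dm-0" ino=7702 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1506612027.104:304): avc:  denied  { execute } for  pid=2102 comm="httpd" name="example.cgi" dev="dm-0" ino=7710 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506612027.105:305): avc:  denied  { read } for  pid=2101 comm="httpd" name="xymon.log" dev="dm-0" ino=5511 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# key=value tokens (values may be quoted) and the "{ perm perm }" set after "denied".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Permissions that widen what a compromised web process could do; my own review list,
# not an official SELinux classification.
REVIEW_PERMS = {"execute", "execute_no_trans", "entrypoint", "relabelfrom", "relabelto"}


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other record."""
    if "type=AVC" not in line:
        return None
    perms = PERMS_RE.search(line)
    if not perms:
        return None
    fields = dict(KV_RE.findall(line))
    try:
        # A context is user:role:type[:range]; the type is always the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(perms.group(1).split()),
        "comm": fields.get("comm", "").strip('"'),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        # permissive=1 means the access was logged but allowed: the system was not enforcing.
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log_text):
    """Aggregate denials into {(stype, ttype, tclass): set(perms)} plus a hit count per key."""
    rules = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules[key] |= rec["perms"]
        counts[key] += 1
    return rules, counts


def to_allow_rules(rules):
    """Render aggregated denials as TE allow rules in the form a .te module uses."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def needs_review(rules):
    """Return (stype, ttype, tclass, perm) for every denial that asks for a REVIEW_PERMS permission."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        for perm in sorted(perms & REVIEW_PERMS):
            flagged.append((stype, ttype, tclass, perm))
    return flagged


if __name__ == "__main__":
    rules, counts = summarize(SAMPLE_AUDIT_LOG)
    for key, rule in zip(sorted(rules), to_allow_rules(rules)):
        print(f"{counts[key]:3d}x  {rule}")
    for stype, ttype, tclass, perm in needs_review(rules):
        print(f"REVIEW: {stype} -> {ttype}:{tclass} {perm}")
```

Feed it the real file with `python3 avc_triage.py < /var/log/audit/audit.log` after swapping `SAMPLE_AUDIT_LOG` for `sys.stdin.read()`; each line it prints is a candidate for the `allow` section of xymon.te, and each REVIEW line is one to think about rather than paste.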
--------------------------------------------------------------------------------
Everyone was right on the following:
I added this line at the bottom of the file /etc/httpd/conf/httpd.conf:
include /home/xymon/server/etc/xymon-apache.conf
and Paul Root was right about SELinux, so I did:
modified the file /etc/sysconfig/selinux
#SELINUX=enforcing KERN testing ....
SELINUX=permissive
Rebooted.
It works now!!!
Thank you!!! I can go home and feel good, will do more learning tomorrow :)
Let's go Green. This email contains 100% recycled electrons.
Erik D. Schminke | Associate Systems Programmer
Hormel Foods Corporation | One Hormel Place | Austin, MN 55912
Phone: (507) 434-6817
edschminke at hormel.com | www.hormelfoods.com