[Xymon] First time installed, and set up xymon, failed, NEED helps please.

Kern Doe kern_doe at yahoo.com
Thu Sep 28 16:27:32 CEST 2017

Thank you Ed, I will document this! (without EOF :)

Let's go Green
This email contains 100% recycled electrons.

      From: "EDSchminke at Hormel.com" <EDSchminke at Hormel.com>
 To: xymon at xymon.com; kern_doe at yahoo.com 
 Sent: Thursday, September 28, 2017 10:00 AM
 Subject: Re: [Xymon] First time installed, and set up xymon, failed, NEED helps please.

*****PLEASE***** do NOT leave SELinux in permissive mode.

I have beat SELinux into submission to make Xymon work the way I need it
to.  You can do the same by following my procedure below, or from watching
Thomas Cameron's lecture from RedHat Summit a couple years ago "SELinux For
Mere Mortals" (https://www.youtube.com/watch?v=cNoVgDqqJmM).  I built mine
from the tips given in this video.

As root:
#> setsebool -P httpd_enable_homedirs on
#> setsebool -P httpd_read_user_content on

A few things can't be done for Xymon by simply changing SELinux booleans.
I've curated a number of SELinux policy exceptions over the past couple
years in order to make Xymon and SELinux play nice together.  You can
create yours by doing this:

## vvvvvv ---- copy everything below this line ---- vvvvvv ##
module xymon 1.0;

require {
    type unconfined_t;
    type var_log_t;
    type initrc_t;
    type admin_home_t;
    type httpd_t;
    type user_home_t;
    type fonts_cache_t;
    type port_t;
    class tcp_socket name_connect;
    class file { rename execute setattr read create execute_no_trans write getattr unlink open };
    class sock_file write;
    class lnk_file { create unlink };
    class unix_dgram_socket sendto;
    class dir { write rmdir setattr remove_name create add_name };
}

#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
allow httpd_t fonts_cache_t:dir setattr;
allow httpd_t initrc_t:unix_dgram_socket sendto;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_dgram_socket sendto;
allow httpd_t user_home_t:dir rmdir;
allow httpd_t user_home_t:dir { write remove_name create add_name };
allow httpd_t user_home_t:file setattr;
allow httpd_t user_home_t:file { rename write execute create unlink execute_no_trans };
allow httpd_t user_home_t:lnk_file { create unlink };
allow httpd_t user_home_t:sock_file write;
allow httpd_t var_log_t:file read;
## ^^^^^ ---- to everything above this line ---- ^^^^^^ ##

Paste what you've copied into a file-- doesn't matter where; I've used the
name "xymon.te"
#> vi xymon.te

Run the following commands to build the SELinux policy module:
#> checkmodule -M -m -o xymon.mod xymon.te
#> semodule_package -m xymon.mod -o xymon.pp

Run this command to install the policy module.
#> semodule -i xymon.pp

Change your /etc/sysconfig/selinux back to "enforcing".

If you see any funkiness, watch /var/log/audit/audit.log for AVC denials.

#> grep type=AVC /var/log/audit/audit.log | grep denied

If you see anything in there, it means it's time to "build a policy
exception" not "disable SELinux".


Everyone was right on the following:
    added this line at the bottom of file /etc/httpd/conf/httpd.conf:
        include /home/xymon/server/etc/xymon-apache.conf

and Paul Root was right about SELinux, so I did:

    modified file /etc/sysconfig/selinux
        #SELINUX=enforcing      KERN testing ....

it works now!!!
Thank you!!! I can go home and feel good, will do more learning tomorrow :)

Let's go Green
This email contains 100% recycled electrons.

Erik D. Schminke | Associate Systems Programmer
Hormel Foods Corporation | One Hormel Place | Austin, MN 55912
Phone: (507) 434-6817

edschminke at hormel.com | www.hormelfoods.com
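
Added example (not part of the original emails, and not Ed's or the Xymon project's code): a Python sketch of the "watch audit.log for AVC denials, then build a policy exception" step. It groups denials by source type, target type and class, then prints draft allow rules in the same syntax as xymon.te. The log lines are constructed samples, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not taken from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1506607201.101:510): avc:  denied  { write } for  pid=2210 comm="httpd" name="tmp" dev="dm-0" ino=401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1506607201.102:511): avc:  denied  { add_name } for  pid=2210 comm="httpd" name="x.png" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1506607203.330:512): avc:  denied  { name_connect } for  pid=2211 comm="svcstatus.cgi" dest=1984 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1506607209.004:513): avc:  granted  { read } for  pid=2212 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1506607209.004:513): arch=c000003e syscall=2 success=yes exit=3
"""

# Only "denied" AVC records match; "granted" records and other types are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def draft_allow_rules(denials):
    """Render one draft .te allow rule per key; review each before using it."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(draft_allow_rules(collect_denials(SAMPLE_LOG))))
```

Each drafted rule still needs its type and class declared in the require block of the .te file before checkmodule will accept it.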
