[Xymon] SELinux and EL7/Fedora (was Re: error running report.sh)

J.C. Cleaver cleaver at terabithia.org
Thu Mar 17 15:41:17 CET 2016


No worries :)

This was an ugly one, but I think I've tracked down the issue. At some
point in a Fedora branch prior to the fork for EL7 'unconfined_execmem_t'
was removed.

I believe I've fixed the SELinux policy for this one. Would you be able to
try out the 4.3.26-3 set in
http://terabithia.org/rpms/xymon/testing/el7/x86_64/ ?

Please be sure SELinux is enabled (doesn't have to be Enforcing,
Permissive is fine... it just can't be disabled) prior to the update, and
then see if you still see the same errors with snapshoting when setenforce
is set to 1.

If so, can you see if both modules have been installed via 'semodule -l |
grep xymon'?


Regards,

-jc


On Tue, March 15, 2016 9:18 pm, Jason Brockdorf wrote:
> J.C. I really want to buy you beer.  I disabled SELinux and now it's
> working.
>
> [root at hhsiamxymon ~]# grep snapshot.cgi /var/log/audit/audit.logtype=AVC
> msg=audit(1458047063.222:1954): avc:  denied  { search } for  pid=17895
> comm="snapshot.cgi" name="xymon" dev="sda3" ino=2894713
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:httpd_cache_t:s0 tclass=dir
> type=SYSCALL msg=audit(1458047063.222:1954): arch=c000003e syscall=83
> success=no exit=-13 a0=7fff496ed810 a1=1ed a2=7fff496ed836 a3=7fff496ec3d0
> items=0 ppid=17723 pid=17895 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="snapshot.cgi" exe="/usr/libexec/xymon/snapshot.cgi"
> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> [root at hhsiamxymon ~]# semodule -l | grep xymon
> xymon-client    4.3.26.1.el7
>
>
>       From: J.C. Cleaver <cleaver at terabithia.org>
>  To: Jason Brockdorf <apocalysque at yahoo.com>
> Cc: "xymon at xymon.com" <xymon at xymon.com>
>  Sent: Tuesday, March 15, 2016 10:38 PM
>  Subject: Re: error running report.sh
>
>
>
> On Tue, March 15, 2016 6:09 pm, Jason Brockdorf wrote:
>> I'm still working on setting up Xymon (from the terabithia RPMs) and my
>> manager tells me today that there's an error message when trying to run
>> reports, like the availability report, snapshot report, etc.
>> I'm getting an error message: Cannot create output directory
>> When examining the logs for more details I don't get a whole lot to go
>> on.
>>  I checked with both httpd and xymon logs and I didn't see anything
>> relevant to this problem.
>>
>> I'm really trying to help myself and not make my problems everyone
>> else's
>> problems, and I'd really like to contribute to the community in some
>> way,
>> so here's what I've done so far to try to fix it:
>> 1. going to the /var/cache/xymon/ directory and creating a rep
>> directory2.
>> giving rwxrwxrwx permissions to that directory
>> I then managed to download the srpms from terabithia, find the offending
>> file and examine the source to see what happens.
>> The XYMONREPDIR environment variable is used in creating the
>> directory
>> where the report will go, but I don't know:
>> 1. How to check which process is running the file that's encountering
>> the
>> problem (httpd or some xymon process)2. How to check for the presence or
>> value of this variable in the environment that process is using
>> So I decided to see if I could modify the source and make xymon give me
>> a
>> little more information.  The resultant patch file is attached,
>> though be
>> forewarned, my C experience is limited to a primer class I took as a
>> freshman in highschool and on top of not having that much knowledge in
>> the
>> first place, I'm very rusty.
>>
>>>From what I understand in the source there's not much error checking or
>>> information provided if it fails.  I do see:
>> envcheck(reqenv);
>> But this by itself doesn't prevent continued execution if say my
>> $XYMONREPDIR is not found.
>> Well, I added a line to report which directory xymon is attempting to
>> create, and another which should report the error message if the attempt
>> was unsuccessful.  I did manage to create the attached patch file,
>> but I
>> was unable to recompile using the srpm *sniffle* <-- I'm crying from
>> frustration at this point
>> So, I downloaded the source from sourceforge, replaced the report.c file
>> with the one I made, compiled using that, copied the report.sh file to a
>> working xymon server to try to test it... and I get internal server
>> error
>> :(
>> I then went back to test it on xymon compiled from sourceforge source,
>> and
>> I get an error that I don't have permission to access that directory.
>> *rips hair out*
>> Thus, it would seem that I am unable to reproduce the problem with
>> "stock"
>> xymon, and I'm apparently not bright enough to fix it with terabithia
>> srpms either.  At this point, I feel like I've put in enough effort
>> to
>> warrant asking for help.  Anyone, please help?
>
>
> Hi,
>
> This appears, from my testing, to be an SELinux issue -- although I'm
> still trying to debug precisely what is happening here on the EL7 side.
>
> A quick workaround would be to set SELinux to permissive ('setenforce 0')
> on the main server, which should let snapshoting/reporting work. It's
> definitely not a normal unix permissions/ownership issue.
>
>
> Can you check /var/log/audit/audit.log on your system and verify that
> snapshot.cgi is being denied? Also, can you post the output of `semodule
> -l | grep xymon`? If 'xymon' is not listed, can you try running:
>
> /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/xymon.pp
>
> and post the result?
>
>
> Regards,
> -jc
>
>
>
>





More information about the Xymon mailing list