[Xymon] Dependencies for xymond and xymonnet (with particular reference to JC's terabithia.org RPMs)
J.C. Cleaver
cleaver at terabithia.org
Sat Mar 14 03:22:16 CET 2015
On Fri, March 13, 2015 2:51 am, SebA wrote:
>>
>> The semanage stuff from policycoreutils-python is SELinux. Aside from the
>> error output, it should be safe to ignore that as well.
>
> The (mini-)server does have SELinux enabled and enforced though, so I
> assumed that I would need the tools the RPM wants for configuring
> everything correctly for SELinux?
Yeah, does sound like you'd had policycoreutils installed, but not
policycoreutils-python. For loadable policies modification, semanage
really is the tool most appropriate for the job. (I actually kind of find
it a little odd it's not in the base package, or @base package set.)
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
>
>> Alas, you're correct in that yum will attempt to continue to pull in
>> dependencies when they're available, so you'll continue to get these
>> warnings.
>
> Actually, I hadn't considered that it might continue trying to get httpd et
> al whenever I do a yum update, but it does not seem to be doing it so far. I
> suppose it will if a new xymon package is available...
>
Correct. "yum check" might complain too about existing errors.
>> I'd given consideration to splitting things out into xymon-xymonnet,
>> xymon-proxy, xymon-server, xymon-xymongen and the like (in fact, a really,
>> really old version of the RPM did just that), but it really felt like more
>> complexity (and effort) than it was worth, especially since the upstream
>> had unified things together.
>>
>> If there's enough demand, I'm open to creating sub-packages for it. But it
>> does rather significantly increase complexity for people doing installs
>> since they have to think of the different components coming in. The flip
>> side is that for cases such as yours, or in micro-sized cloud/container
>> environments, you can install the base RPM and avoid bringing in other
>> dependencies.
>
> And for the security nuts who don't want things installed that they don't
> need.
Quite true.
To do this right will also mean breaking out the various utilities
(xymongen, xymonnet, xymonproxy, etc.) into their own tasks.d/ snippets
instead of the monolithic tasks.cfg given out now...
This is something that might be best done at a 4.4.x release, to help ease
transition pain.
> Only if it can still configure SELinux correctly using other methods? chcon
> was already installed and available (part of coreutils)... Otherwise I would
> rather know there was a problem.
Policy loading and context setting again really ought to be done with
semanage, otherwise you're not making a permanent change.
Regards,
-jc
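
The chcon-versus-semanage point in the message above, as an added example that is not part of the original post or of the Xymon RPMs: a dry-run check that lists files whose current SELinux type differs from the one the loaded policy assigns, which is what a chcon-only change looks like just before a relabel reverts it. The paths and the type `example_data_t` in the sample are constructed placeholders, and the parser assumes the two `restorecon -n -v` output formats noted in the comments.

```shell
#!/bin/sh
# Added example: find labels that will not survive a relabel.

# Parse dry-run output of `restorecon -R -n -v` read from stdin.
# Assumed formats (paths containing spaces are not handled):
#   older: restorecon reset PATH context OLD->NEW
#   newer: Would relabel PATH from OLD to NEW
# Emits one line per file: PATH<TAB>CURRENT_TYPE<TAB>POLICY_TYPE
parse_drift() {
    awk '
    # The SELinux type is the third colon-separated field of a context.
    function seltype(ctx,  f) { split(ctx, f, ":"); return f[3] }
    /^restorecon reset / && $4 == "context" {
        n = index($5, "->")
        if (n) print $3 "\t" seltype(substr($5, 1, n - 1)) "\t" seltype(substr($5, n + 2))
        next
    }
    /^Would relabel / && $4 == "from" && $6 == "to" {
        print $3 "\t" seltype($5) "\t" seltype($7)
    }'
}

# Dry-run check of a directory tree; -n means nothing on disk is changed.
check_drift() {
    restorecon -R -n -v "$1" 2>/dev/null | parse_drift
}

# Constructed sample output (not captured from a real host).
sample_output() {
    cat <<'EOF'
restorecon reset /srv/example/data/hist context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:example_data_t:s0
Would relabel /srv/example/www/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
EOF
}

# Usage: sh drift.sh /path/to/tree   (with no argument, only defines functions)
if [ "$#" -gt 0 ]; then
    check_drift "$1"
fi
```

Any path this reports carries a label that the next relabel would replace; recording the intended type with `semanage fcontext -a` and then applying it with `restorecon` is what makes it persistent.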