Thank you Ed, I will document this! (without EOF :)

Let's go Green
This email contains 100% recycled electrons.
From: "EDSchminke at Hormel.com" <EDSchminke at Hormel.com>
To: xymon at xymon.com; kern_doe at yahoo.com
Sent: Thursday, September 28, 2017 10:00 AM
Subject: Re: [Xymon] First time installed, and set up xymon, failed, NEED helps please.
*****PLEASE***** do NOT leave SELinux in permissive mode. (http://stopdisablingselinux.com/)

I have beat SELinux into submission to make Xymon work the way I need it to. You can do the same by following my procedure below, or from watching Thomas Cameron's lecture from Red Hat Summit a couple years ago, "SELinux For Mere Mortals" (https://www.youtube.com/watch?v=cNoVgDqqJmM). I built mine from the tips given in this video.

As root:

#> setsebool -P httpd_enable_homedirs on
#> setsebool -P httpd_read_user_content on
A few things can't be done for Xymon by simply changing SELinux booleans. I've curated a number of SELinux policy exceptions over the past couple years in order to make Xymon and SELinux play nice together. You can create yours by doing this:
vvvvvv ---- copy everything below this line ---- vvvvvv
module xymon 1.0;

require {
    type unconfined_t;
    type var_log_t;
    type initrc_t;
    type admin_home_t;
    type httpd_t;
    type user_home_t;
    type fonts_cache_t;
    type port_t;
    class tcp_socket name_connect;
    class file { rename execute setattr read create execute_no_trans write getattr unlink open };
    class sock_file write;
    class lnk_file { create unlink };
    class unix_dgram_socket sendto;
    class dir { write rmdir setattr remove_name create add_name };
}

#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
allow httpd_t fonts_cache_t:dir setattr;
allow httpd_t initrc_t:unix_dgram_socket sendto;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:unix_dgram_socket sendto;
allow httpd_t user_home_t:dir rmdir;
allow httpd_t user_home_t:dir { write remove_name create add_name };
allow httpd_t user_home_t:file setattr;
allow httpd_t user_home_t:file { rename write execute create unlink execute_no_trans };
allow httpd_t user_home_t:lnk_file { create unlink };
allow httpd_t user_home_t:sock_file write;
allow httpd_t var_log_t:file read;
^^^^^ ---- to everything above this line ---- ^^^^^^
Paste what you've copied into a file; it doesn't matter where. I've used the name "xymon.te":

#> vi xymon.te

Run the following commands to build the SELinux policy module:

#> checkmodule -M -m -o xymon.mod xymon.te
#> semodule_package -m xymon.mod -o xymon.pp

Run this command to install the policy module:

#> semodule -i xymon.pp
Change your /etc/sysconfig/selinux back to "enforcing". Reboot.
If you see any funkiness, watch /var/log/audit/audit.log for AVC denials.
#> grep type=AVC /var/log/audit/audit.log | grep denied
If you see anything in there, it means it's time to "build a policy exception" not "disable SELinux".
Everyone was right on the following: added this line at the bottom of file /etc/httpd/conf/httpd.conf:

include /home/xymon/server/etc/xymon-apache.conf

and Paul Root was right about SELinux, so I did:

modified file /etc/sysconfig/selinux:

#SELINUX=enforcing KERN testing ....
SELINUX=permissive

rebooted.

it works now!!! Thank you!!! I can go home and feel good, will do more learning tomorrow :)

Let's go Green
This email contains 100% recycled electrons.
Erik D. Schminke | Associate Systems Programmer Hormel Foods Corporation | One Hormel Place | Austin, MN 55912 Phone: (507) 434-6817
edschminke at hormel.com | www.hormelfoods.com
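For the "watch audit.log for AVC denials" step in Erik's procedure, here is an added example (not from the thread or the Xymon project) that parses AVC records and groups them into the same allow-rule shape used in the xymon.te module, so each denial is read as source type, target type, class and permissions before deciding whether an exception is justified. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example; on a real system audit2allow performs this grouping.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not real output from the thread); the
# fields mimic what auditd writes when httpd_t is denied access to Xymon files.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1506610800.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="xymon-apache.conf" dev="dm-0" ino=9182 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506610800.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" name="xymon-apache.conf" dev="dm-0" ino=9182 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506610800.250:203): avc:  denied  { name_connect } for  pid=1235 comm="httpd" dest=1984 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1506610800.250:203): arch=c000003e syscall=42 success=no exit=-13
"""

# Matches only AVC denial records; SYSCALL/PATH records on the same event are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) .*?tcontext=(?P<tcontext>\S+) .*?tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type (third colon-separated field) of an SELinux context string."""
    return context.split(':')[2]

def collect_denials(log_text):
    """Group AVC denials by (source type, target type, object class) -> set of permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def to_allow_rules(denials):
    """Render grouped denials as candidate TE 'allow' rules in xymon.te style."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in to_allow_rules(collect_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each emitted rule should be checked against what the process legitimately needs (here httpd reaching the Xymon port and reading the Apache include) rather than pasted in wholesale.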