On Tue, 2012-07-17 at 03:51 -0700, cleaver at terabithia.org wrote:
On Thu, 2012-07-12 at 10:35 +0100, John Horne wrote:
Hello,
Sorry, but this turned out to be an SELinux problem. 'fping' is denied write access to files in the ~/server/tmp directory on the Xymon server. However, fping records its results in that directory, and Xymon looks at them to see if a client is alive or not. Since there were no results, because of SELinux, Xymon figured that all the clients were down.
I have created a local SELinux policy to allow writes for fping and that seems to work. (I have rebooted the Xymon server and it didn't show any red ping/conn tests.)
The clients don't use 'fping' so they don't have this problem.
Why did restarting the Xymon service (not the server) allow the tests to turn green? Not sure.
SELinux policies distinguish between appending, writing, and seeking in many cases. I don't recall the details, but I remember needing to futz with different policies to figure out what was going on as well. Was anything interesting going on in the audit logs at the time?
Hi,
Nothing else was going on in the logs at the time that the fpings were stopped. The log showed that it was a write denial:
=============================
type=AVC msg=audit(1342195229.681:349): avc: denied { write } for pid=25973 comm="fping" path="/home/xymon/server/tmp/ping-stderr.25955.00" dev=sdb1 ino=1587865 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Using audit2allow to create a policy allowing writes in 'tmp' solved the problem.
John.
--
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001