3 issues on new build of 4.3.21 on CentOS 6

list Japheth Cleaver
Wed, 28 Oct 2015 12:35:48 -0700
Message-Id: <user-8d3cd176f286@xymon.invalid>

On Wed, October 28, 2015 9:25 am, Root, Paul T wrote:

Hi all,
                I'm building the latest xymon into my own RPM, and on
CentOS 6. The client works fine, but I have some issues
with the server.

                There are a lot of variables, that may be influencing my
issues. My current environment is RHEL 5 and CentOS 5. But
I want to get more up to date. Building an RPM for 4.3.21
on CentOS 5 proved impossible too much work for too little
benefit because of rrdtools newer versions not compiling
on CentOS5 and such. Thus the move to newer OS.

                I'm also trying to use selinux. I'd always had it off or
in permissive before, because I didn't want to deal with
it. I'm making the effort now. We'll see how that goes.

                So sorry for the roll up. Here are the issues:


1)      Disabled tests do not have the blue icon. The non-green page is
showing the tests that are red or yellow. But if you click on the test,
the page displays properly, blue background and the disable message is
there. Also on the main pages, the icon remains red or yellow.

Hmm. This speaks to an issue with permissions for xymongen (unless you're
using static HTML page generation for the status pages themselves). IIRC
SELinux will require privs for altering/removing the files in the layout
distinctly from the initial write. This is especially true if the
timestamp of the gen'd pages isn't updating.

2)      Some pages, notably on the new server, I get "Status not
available" on a number of tests. They range from my own scripts to
xymonnet. Other tests do work, like the client built in ones.

That's strange. There really shouldn't be any distinction from an SELinux
perspective between the various kinds of tests. You will need to enable
CGIs to make port connections, but that would lead to failure to pick up
any svcstatus at all.

3)      Cleared tests aren't clearing. This may well be the same issue as
disable tests. I have a couple of tests that were red, but came green. But
the page icon remains red.

Could be the same issue.


SELinux was pretty tricky to get up and running at first. The policy files
in the Terabithia RPMs are below, which *should* work when combined with
the directory contexts indicated, modified as needed for your install
layout.

Using xymoncmd and alterations to the initscript were somewhat tied in
with this also, but some of the details escape me slightly there, to be
honest. It was quite a while ago...

HTH,
-jc


 /usr/sbin/semanage fcontext -a -t initrc_var_run_t '/var/run/xymon(/.*)?'
 /usr/sbin/semanage fcontext -a -t httpd_cache_t '/var/cache/xymon(/.*)?'
 /usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t
'/usr/share/xymon/cgi-bin(/.*)?'
 /usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t
'/usr/share/xymon/cgi-secure(/.*)?'
 /usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t
'/usr/libexec/xymon/cgiwrap'
 /usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/var/lib/xymon(/.*)?'
 /usr/sbin/semanage fcontext -a -t tmp_t '/var/lib/xymon/tmp(/.*)?'

/sbin/restorecon -R /usr/libexec/xymon/cgiwrap /usr/share/xymon/cgi-*
/var/cache/xymon /var/run/xymon /var/lib/xymon /var/lib/xymon/tmp

for selinuxvariant in targeted strict; do
   /usr/sbin/semodule -s ${selinuxvariant} -i
/usr/share/selinux/${selinuxvariant}/xymon.pp
   /usr/sbin/semodule -s ${selinuxvariant} -i
/usr/share/selinux/${selinuxvariant}/xymon-client.pp
done

/usr/sbin/setsebool -P httpd_can_network_connect on

Attachments (2)

attachment.obj application/octet-stream · 1.9 KB
attachment-0001.obj application/octet-stream · 710 B