Xymon Mailing List Archive search

Dependencies for xymond and xymonnet (with particular reference to JC's terabithia.org RPMs)

list Sebastian Auriol
Mon, 16 Mar 2015 18:47:17 -0000
Message-Id: <!&!AAAAAAAAAAAuAAAAAAAAAL60wriLM9cRsTVojW0AAAABAFEdQVQs6tMRsLEAoMxarIMAAAABk2cAABAAAAARoB8+uGmdQLzEUp+OqB8qAQAAAAA=@syntec.co.uk>

Thanks for the additional info JC. Much appreciated.

Kind regards, 
SebA  

 
-----Original Message-----
From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid]
Sent: 14 March 2015 02:22
To: SebA
Cc: 'Xymon MailingList'
Subject: RE: Dependencies for xymond and xymonnet (with particular reference to JC's terabithia.org RPMs)

On Fri, March 13, 2015 2:51 am, SebA wrote:
The semanage stuff from policycoreutils-python is SELinux. Aside from the error output, it should be safe to ignore that as well.

The (mini-)server does have SELinux enabled and enforced though, so I assumed that I would need the tools the RPM wants for configuring everything correctly for SELinux?

Yeah, does sound like you'd had policycoreutils installed, but not
policycoreutils-python. For loadable policies modification, semanage
really is the tool most appropriate for the job. (I actually kind of find
it a little odd it's not in the base package, or @base package set.)

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html

Alas, you're correct in that yum will attempt to continue to pull in dependencies when they're available, so you'll continue to get these warnings.

Actually, I hadn't considered that it might continue trying to get httpd et al whenever I do a yum update, but it does not seem to be doing it so far. I suppose it will if a new xymon package is available...

Correct. "yum check" might complain too about existing errors.

I'd given consideration to splitting things out into xymon-xymonnet, xymon-proxy, xymon-server, xymon-xymongen and the like (in fact, a really, really old version of the RPM did just that), but it really felt like more complexity (and effort) than it was worth, especially since the upstream had had unified things together.

If there's enough demand, I'm open to creating sub-packages for it. But it does rather significantly increase complexity for people doing installs since they have to think of the different components coming in. The flip side is that for cases such as yours, or in micro-sized cloud/container environments, you can install the base RPM and avoid bringing in other dependencies.

And for the security nuts who don't want things installed that they don't need.

Quite true.

To do this right will also mean breaking out the various utilities
(xymongen, xymonnet, xymonproxy, etc.) into their own tasks.d/ snippets
instead of the monolithic tasks.cfg given out now...

This is something that might be best done at a 4.4.x release, to help ease
transition pain.

Only if it can still configure SELinux correctly using other methods? chcon was already installed and available (part of coreutils)... Otherwise I would rather know there was a problem.

Policy loading and context setting again really ought to be done with
semanage, otherwise you're not making a permanent change.


Regards,

-jc
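
The point above about chcon labels not being permanent, as an added example that is not part of the original thread: a small audit that compares on-disk labels with the rules `semanage fcontext -a` records in `file_contexts.local` and lists labels that were only set by hand. The `/srv/example/...` paths, both sample inputs and all function names are constructed for illustration, and the rule lookup is a simplified model of the real one.

```python
import re

# Constructed sample: rules as "semanage fcontext -a" stores them in
# file_contexts.local (path regex, optional file-type flag, context).
FILE_CONTEXTS_LOCAL = """\
/srv/example/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/example/cgi(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
"""

# Constructed sample: current on-disk labels, as "ls -Z" would show them.
ON_DISK = {
    "/srv/example/www/index.html": "system_u:object_r:httpd_sys_content_t:s0",
    "/srv/example/cgi/report.sh": "system_u:object_r:httpd_sys_script_exec_t:s0",
    # Set by hand with chcon; differs from the recorded rule for www/.
    "/srv/example/www/upload": "system_u:object_r:httpd_sys_rw_content_t:s0",
    # Set by hand with chcon; no local rule covers this path at all.
    "/srv/example/data/cache": "system_u:object_r:httpd_sys_rw_content_t:s0",
}

def parse_fcontexts(text):
    """Return [(compiled_regex, context)] from file_contexts.local text."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Context is the last field; file-type flags and <<none>> are not modelled.
        rules.append((re.compile(fields[0]), fields[-1]))
    return rules

def expected_context(rules, path):
    """Simplified lookup: last matching rule wins, None if nothing matches."""
    for regex, context in reversed(rules):
        if regex.fullmatch(path):  # file-context regexes are fully anchored
            return context
    return None

def selinux_type(context):
    return context.split(":")[2]

def non_persistent_labels(rules, on_disk):
    """Paths whose current type is not what the recorded rules would set."""
    findings = []
    for path, current in sorted(on_disk.items()):
        want = expected_context(rules, path)
        if want is None or selinux_type(want) != selinux_type(current):
            findings.append((path, selinux_type(current), want and selinux_type(want)))
    return findings

print(non_persistent_labels(parse_fcontexts(FILE_CONTEXTS_LOCAL), ON_DISK))
```

On a live host, `restorecon -n -v` reports the same kind of mismatch against the full policy without changing any labels.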