Xymon Mailing List Archive search

Conn test fails after server reboot - solved

list John Horne
Tue, 17 Jul 2012 12:58:13 +0100
Message-Id: <user-d57e33e46cc2@xymon.invalid>

On Tue, 2012-07-17 at 03:51 -0700, user-87556346d4af@xymon.invalid wrote:
> On Thu, 2012-07-12 at 10:35 +0100, John Horne wrote:
> > Hello,
> >
> > Sorry, but this turned out to be an SELinux problem. 'fping' is denied
> > write access to files in the ~/server/tmp directory on the Xymon server.
> > However, fping records its results in that directory, and Xymon looks at
> > them to see if a client is alive or not. Since there were no results,
> > because of SELinux, Xymon figured that all the clients were down.
> >
> > I have created a local SELinux policy to allow writes for fping and that
> > seems to work. (I have rebooted the Xymon server and it didn't show any
> > red ping/conn tests.)
> >
> > The clients don't use 'fping' so they don't have this problem.
> >
> > Why did restarting the Xymon service (not the server) allow the tests to
> > turn green? Not sure.
>
> SELinux policies distinguish between appending, writing, and seeking in
> many cases. I don't recall the details, but I remember needing to futz
> with different policies to figure out what was going on as well. Was
> anything interesting going on in the audit logs at the time?

Hi,

Nothing else was going on in the logs at the time that the fpings were
stopped. The log showed that it was a write denial:

=============================
type=AVC msg=audit(1342195229.681:349): avc:  denied  { write } for
pid=25973 comm="fping"
path="/home/xymon/server/tmp/ping-stderr.25955.00" dev=sdb1 ino=1587865
scontext=system_u:system_r:ping_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file
=============================

Using audit2allow to create a policy allowing writes in 'tmp' solved the
problem.


John.

-- 
John Horne                   Tel: +XX (X)XXXX XXXXXX
Plymouth University, UK      Fax: +XX (X)XXXX XXXXXX
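
Added example (not part of the original post, and not Xymon or audit2allow code): a small Python parser that turns the AVC denial quoted above into the allow rule a local policy module for it would contain, and notes that the target type user_home_t is a generic label. The function names and the BROAD_TYPES set are assumptions of this example.

```python
import re

# AVC record from the message above, re-joined (the archive wrapped it).
SAMPLE = (
    'type=AVC msg=audit(1342195229.681:349): avc:  denied  { write } for '
    'pid=25973 comm="fping" '
    'path="/home/xymon/server/tmp/ping-stderr.25955.00" dev=sdb1 ino=1587865 '
    'scontext=system_u:system_r:ping_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: generic types that label many unrelated files.
BROAD_TYPES = {"user_home_t", "user_home_dir_t", "default_t", "unlabeled_t", "tmp_t", "var_t"}

def parse_avc(record):
    """Return the fields of one AVC denial; tolerates a record wrapped over lines."""
    m = AVC_RE.search(" ".join(record.split()))
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        raise ValueError("AVC record lacks scontext, tcontext or tclass")
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def allow_rule(f):
    """Type-enforcement rule that would permit exactly the denied access."""
    perms = f["perms"][0] if len(f["perms"]) == 1 else "{ " + " ".join(f["perms"]) + " }"
    return "allow {} {}:{} {};".format(f["source_type"], f["target_type"], f["tclass"], perms)

def review(f):
    """Points to check before loading the rule into a local policy."""
    if f["target_type"] in BROAD_TYPES:
        return ["{} is a generic label: the rule applies to every {} of that type, "
                "not only {}".format(f["target_type"], f["tclass"], f.get("path", "the logged path"))]
    return []

if __name__ == "__main__":
    f = parse_avc(SAMPLE)
    print(allow_rule(f))
    for note in review(f):
        print("note:", note)
```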