Accessing availabitlity or snapshot reports
list Dirk Kastens
Hi, I'm not able to access the availability or snapshot reports through the web interface (Xymon 4.3.19-3.el6.terabithia). When I click on "Generate report", the web browser shows the message "Forbidden. You don't have permission to access /xymon/rep/27957-1428575496/ on this server." When I look at the directory /var/cache/xymon/rep/27957-1428575496, there's a symbolic link "index.html -> xymon.html". But the file xymon.html doesn't exist. There's only the empy file xymon.html.tmp. The same happens with the snapshot reports under /var/cache/xymon/snap. Any idea what could be wrong? Regards, Dirk
list Japheth Cleaver
▸
On Thu, April 9, 2015 3:37 am, Dirk Kastens wrote:
Hi, I'm not able to access the availability or snapshot reports through the web interface (Xymon 4.3.19-3.el6.terabithia). When I click on "Generate report", the web browser shows the message "Forbidden. You don't have permission to access /xymon/rep/27957-1428575496/ on this server." When I look at the directory /var/cache/xymon/rep/27957-1428575496, there's a symbolic link "index.html -> xymon.html". But the file xymon.html doesn't exist. There's only the empy file xymon.html.tmp. The same happens with the snapshot reports under /var/cache/xymon/snap. Any idea what could be wrong? Regards, Dirk
Hi, Sounds like something is stopping the CGI from doing much beyond the setup of the report/snapshot. Can you check the apache error logs for any relevant lines? If SELinux is enabled, can you check /var/log/audit/* for a possible write violation? Regards, -jc
list Dirk Kastens
Hi,
▸
Can you check the apache error logs for any relevant lines? If SELinux is enabled, can you check /var/log/audit/* for a possible write violation?
It's indeed selinux related. When I disable selinux, the report works. Any hints on how to configure selinux? In my file_contexts.local I have /var/run/xymon(/.*)? system_u:object_r:initrc_var_run_t:s0 /var/cache/xymon(/.*)? system_u:object_r:httpd_cache_t:s0 /usr/share/xymon/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/xymon/cgi-secure(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /var/lib/xymon(/.*)? system_u:object_r:httpd_sys_content_t:s0 /var/lib/xymon/tmp(/.*)? systemm_u:object_r:tmp_t:s0 /usr/libexec/xymon/cgiwrap system_u:object_r:httpd_sys_script_exec_t:s0 I also executed "restorecon -R -v" on all xymon directories. Dirk
list Dirk Kastens
/var/cache/xymon(/.*)? system_u:object_r:httpd_cache_t:s0
I found a solution. I changed the file context of the cache directories to httpd_sys_rw_content_t and now the reports are working: semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/rep(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/snap(/.*)?" restorecon -R -v /var/cache/xymon Is this an error in the Therabitia RPMs? Dirk
list Japheth Cleaver
▸
On Thu, April 9, 2015 6:01 am, Dirk Kastens wrote:
/var/cache/xymon(/.*)? system_u:object_r:httpd_cache_t:s0I found a solution. I changed the file context of the cache directories to httpd_sys_rw_content_t and now the reports are working: semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/rep(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/snap(/.*)?" restorecon -R -v /var/cache/xymon Is this an error in the Therabitia RPMs? Dirk
Dirk,
I believe so. Possibly caused by a domain transition with the new cgiwrap
binary that we didn't have before. I can duplicate the issue here.
The previous fcontext was set as below, as you identified. AFAICT, it's
still the "proper" one for this type of content.
/usr/sbin/semanage fcontext -a -t httpd_cache_t
'%{wwwCacheDirectory}(/.*)?' || :
-jc
list Japheth Cleaver
▸
On Thu, April 9, 2015 1:05 pm, J.C. Cleaver wrote:
On Thu, April 9, 2015 6:01 am, Dirk Kastens wrote:/var/cache/xymon(/.*)? system_u:object_r:httpd_cache_t:s0I found a solution. I changed the file context of the cache directories to httpd_sys_rw_content_t and now the reports are working: semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/rep(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t "/var/cache/xymon/snap(/.*)?" restorecon -R -v /var/cache/xymon Is this an error in the Therabitia RPMs? DirkDirk, I believe so. Possibly caused by a domain transition with the new cgiwrap binary that we didn't have before. I can duplicate the issue here. The previous fcontext was set as below, as you identified. AFAICT, it's still the "proper" one for this type of content. /usr/sbin/semanage fcontext -a -t httpd_cache_t '%{wwwCacheDirectory}(/.*)?' || :
Dirk, I've confirmed this is a bug in the SELinux policy in the Terabithia RPMs. I've posted an updated set in the /testing/ repository for the various distros - 4.3.19-9 should resolve it. You'll want to change things back to the httpd_cache_t type, however, with: semanage fcontext -a -t httpd_cache_t '/var/cache/xymon(/.*)?' Regards, -jc
list Dirk Kastens
Hi JC,
Would you mind testing http://terabithia.org/rpms/xymon/testing/el6/x86_64/xymon-4.3.19-9.el6.x86_64.rpm (et al.) and see if this fixes the problem for you? If possible, please first change the context back to: /usr/sbin/semanage fcontext -a -t httpd_cache_t '/var/cache/xymon(/.*)?' and then run restorecon -Rv /var/cache/xymon
I deleted my added file contexts, restored the original ones, and updated the RPM. Now the reports are working. Thanks for your support. Dirk