As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux.
It really isn't that hard to learn.
My observium installation (on RHEL 7)
Assuming Observium is installed in /opt/observium
# ensure semange is installed yum install policycoreutils-python
# set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
# apply policy restorecon -R -v /opt/observium
We don't develop for Red Hat at all, so it's going to be hard to keep that up to date.
You missed being able to launch fping from Apache, by the way ;-)
Tom
On 9/27/2018 10:54 AM, David Pinkerton wrote:
As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux.
It really isn't that hard to learn.
My observium installation (on RHEL 7)
Assuming Observium is installed in /opt/observium
# ensure semange is installed yum install policycoreutils-python
# set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
# apply policy restorecon -R -v /opt/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Oh, oops - also, thanks for this! :-)
On 9/27/2018 6:50 PM, Tom Laermans wrote:
We don't develop for Red Hat at all, so it's going to be hard to keep that up to date.
You missed being able to launch fping from Apache, by the way ;-)
Tom
On 9/27/2018 10:54 AM, David Pinkerton wrote:
As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux.
It really isn't that hard to learn.
My observium installation (on RHEL 7)
Assuming Observium is installed in /opt/observium
# ensure semange is installed yum install policycoreutils-python
# set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
# apply policy restorecon -R -v /opt/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
I’ll add to the conversation that we also write our http logs to the /opt/Observium/logs directory so use this for semanage.
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?" semanage fcontext -a -t httpd_log_t "/opt/observium/logs(/.*)?" restorecon -Rv /opt/observium/logs restorecon -Rv /opt/observium
fping doesn’t seem to have any problems.
Please take a moment to complete the City of Mesquite customer satisfaction surveyhttps://www.surveymonkey.com/r/Z8MHD2G.
[cid:mesquite2_64952466-7699-4070-b932-30d24905c61c.png] John Simino Network Administrator | Information Technology 777 N Galloway Ave | Mesquite, TX 75149 (972) 216-6654 | jsimino@cityofmesquite.commailto:jsimino@cityofmesquite.com | www.cityofmesquite.comhttp://www.cityofmesquite.com [cid:facebook-sm_b2ef8d81-8a21-4720-b119-b815890811d9.png]https://www.facebook.com/mesquitetexas [cid:twitter-sm_33c64159-b7a0-4bd6-b7fa-8867bedce7b9.png] https://twitter.com/cityofmesquite [cid:youtube2-sm_65419769-1b30-4811-a0c9-aa07bec8b1c8.png] https://www.youtube.com/user/cityofmesquitetexas [cid:instagram-sm_5958b3e5-5c8b-46f4-9549-906fb6bf54d7.png] https://instagram.com/cityofmesquite From: observium observium-bounces@observium.org On Behalf Of Tom Laermans Sent: Thursday, September 27, 2018 11:51 AM To: observium@observium.org Subject: [External] Re: [Observium] make selinux enforcing again
Oh, oops - also, thanks for this! :-)
On 9/27/2018 6:50 PM, Tom Laermans wrote: We don't develop for Red Hat at all, so it's going to be hard to keep that up to date.
You missed being able to launch fping from Apache, by the way ;-)
Tom
On 9/27/2018 10:54 AM, David Pinkerton wrote:
As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux.
It really isn't that hard to learn.
My observium installation (on RHEL 7)
Assuming Observium is installed in /opt/observium
# ensure semange is installed yum install policycoreutils-python
# set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
# apply policy restorecon -R -v /opt/observium
_______________________________________________
observium mailing list
observium@observium.orgmailto:observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observiumhttps://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpostman.memetic.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fobservium&data=02%7C01%7Cjsimino%40cityofmesquite.com%7C6524a4d1ddda4b57b05e08d624996e85%7C569b24ee3c1843c889d404993c7c22b6%7C1%7C0%7C636736638739603201&sdata=C7BP7oDZNQ12hBwfYODu2gF3SgxTzyHJ6n%2FOswWI1wM%3D&reserved=0
_______________________________________________
observium mailing list
observium@observium.orgmailto:observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observiumhttps://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpostman.memetic.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fobservium&data=02%7C01%7Cjsimino%40cityofmesquite.com%7C6524a4d1ddda4b57b05e08d624996e85%7C569b24ee3c1843c889d404993c7c22b6%7C1%7C0%7C636736638739603201&sdata=C7BP7oDZNQ12hBwfYODu2gF3SgxTzyHJ6n%2FOswWI1wM%3D&reserved=0
WARNING: This email is from an external source. Do not click links or open attachments unless you recognize the sender and know the content is safe. Forward to the helpdesk@cityofmesquite.commailto:helpdesk@cityofmesquite.com or call us at 972-216-6622 if you are unsure.
Hi,
John Simino wrote on 27/09/2018 21:37:
I’ll add to the conversation that we also write our http logs to the /opt/Observium/logs directory so use this for semanage.
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
I'm not selinux specialist, but as I see: https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selin...
httpd_sys_rw_content_t - Readable and writable directories and files used by Apache.
I not see reasons for make this dir writable for apache, as I think here enough:
semanage fcontext -a -t httpd_sys_content_t "/opt/observium(/.*)?"
semanage fcontext -a -t httpd_log_t "/opt/observium/logs(/.*)?"
restorecon -Rv /opt/observium/logs
restorecon -Rv /opt/observium
fping doesn’t seem to have any problems.
Please take a moment to complete the City of Mesquite customer satisfaction survey https://www.surveymonkey.com/r/Z8MHD2G.
John Simino Network Administrator | Information Technology 777 N Galloway Ave | Mesquite, TX 75149 (972) 216-6654 | jsimino@cityofmesquite.com mailto:jsimino@cityofmesquite.com | www.cityofmesquite.com http://www.cityofmesquite.com https://www.facebook.com/mesquitetexas https://twitter.com/cityofmesquite https://www.youtube.com/user/cityofmesquitetexas https://instagram.com/cityofmesquite
*From:*observium observium-bounces@observium.org *On Behalf Of *Tom Laermans *Sent:* Thursday, September 27, 2018 11:51 AM *To:* observium@observium.org *Subject:* [External] Re: [Observium] make selinux enforcing again
Oh, oops - also, thanks for this! :-)
On 9/27/2018 6:50 PM, Tom Laermans wrote:
We don't develop for Red Hat at all, so it's going to be hard to keep that up to date. You missed being able to launch fping from Apache, by the way ;-) Tom On 9/27/2018 10:54 AM, David Pinkerton wrote: As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux. It really isn't that hard to learn. My observium installation (on RHEL 7) Assuming Observium is installed in /opt/observium # ensure semange is installed yum install policycoreutils-python # set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?" # apply policy restorecon -R -v /opt/observium _______________________________________________ observium mailing list observium@observium.org <mailto:observium@observium.org> http://postman.memetic.org/cgi-bin/mailman/listinfo/observium <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpostman.memetic.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fobservium&data=02%7C01%7Cjsimino%40cityofmesquite.com%7C6524a4d1ddda4b57b05e08d624996e85%7C569b24ee3c1843c889d404993c7c22b6%7C1%7C0%7C636736638739603201&sdata=C7BP7oDZNQ12hBwfYODu2gF3SgxTzyHJ6n%2FOswWI1wM%3D&reserved=0> _______________________________________________ observium mailing list observium@observium.org <mailto:observium@observium.org> http://postman.memetic.org/cgi-bin/mailman/listinfo/observium <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpostman.memetic.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fobservium&data=02%7C01%7Cjsimino%40cityofmesquite.com%7C6524a4d1ddda4b57b05e08d624996e85%7C569b24ee3c1843c889d404993c7c22b6%7C1%7C0%7C636736638739603201&sdata=C7BP7oDZNQ12hBwfYODu2gF3SgxTzyHJ6n%2FOswWI1wM%3D&reserved=0>*WARNING:*This email is from an external source. Do not click links or open attachments unless you recognize the sender and know the content is safe. Forward to the helpdesk@cityofmesquite.com mailto:helpdesk@cityofmesquite.comor call us at 972-216-6622 if you are unsure.
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
What I had to do to get it working:
setsebool -P httpd_execmem=1 setsebool -P httpd_ssi_exec=1 setsebool -P httpd_can_network_connect=1 semanage fcontext -a -t httpd_sys_content_t "/opt/observium(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t '/opt/observium/logs(/.*)?' restorecon -R -v /opt/observium
David Pinkerton wrote at 2018-09-27 10:54:
As Red Hat consultant it makes me sad to see the first instruction to install software is to disable SELinux.
It really isn't that hard to learn.
My observium installation (on RHEL 7)
Assuming Observium is installed in /opt/observium
# ensure semange is installed yum install policycoreutils-python
# set policy to allow apache to write to observium directories # this could be restricted to read-only on all except rrd & logs. semanage fcontext -a -t httpd_sys_rw_content_t "/opt/observium(/.*)?"
# apply policy restorecon -R -v /opt/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
participants (5)
-
David Pinkerton -
John Simino -
Michiel Klaver -
Mike Stupalov -
Tom Laermans