Mentaven DevOps

Xymon & SELinux: How to Make Them Play Nice

By Ryan, last updated March 15, 2022

One issue you may run into on newer Linux distros is that SELinux will likely prevent Xymon from working properly if you compile it from source.

In order to get Xymon talking with Apache and running its network tests, you’ll need to make some changes.

I’ve outlined my process for this below.

Contents

  • 1 Xymon, SELinux, and Contexts
  • 2 Making It Work
  • 3 Security Concerns
  • 4 Summary

Xymon, SELinux, and Contexts

Fortunately, when you install Apache it creates some SELinux contexts that can be used to help Xymon run.

In particular, these are the contexts I used to get Xymon up and working:

  • httpd_sys_content_t
  • httpd_sys_script_exec_t
  • httpd_unconfined_script_exec_t

I also needed some of the boolean options:

  • httpd_enable_homedirs
  • httpd_can_network_connect

There’s a great overview of these settings and what each does here:

  • https://fedoraproject.org/wiki/SELinux/apache

Making It Work

Now let’s cut right to it: below are the commands I used to get Xymon working with Apache and SELinux.

Note that this assumes that Xymon is installed in /home/xymon/.

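   # Booleans (-P makes them persistent): let Apache read home directories
   # and let its scripts and modules open network connections.
   setsebool -P httpd_enable_homedirs 1
   setsebool -P httpd_can_network_connect 1
   # Web content that Apache may read.
   chcon -R -t httpd_sys_content_t /home/xymon/server/www/
   # CGI scripts that Apache may execute.
   chcon -R -t httpd_sys_script_exec_t /home/xymon/cgi-bin/
   chcon -R -t httpd_sys_script_exec_t /home/xymon/cgi-secure/
   # Scripts here run without SELinux protection.
   chcon -R -t httpd_unconfined_script_exec_t /home/xymon/server/bin/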

Security Concerns

Before you just cut and paste these into your server though, make sure you understand what each command does.

In particular, be aware that they allow Apache to run scripts in the Xymon home directory and that they disable SELinux's Apache protection for the /home/xymon/server/bin/ directory.

It will still be more secure than if you disabled SELinux entirely though, which is what I’ve seen a number of people do in order to get Xymon working on new Linux distros.

I’d much rather have SELinux running than not!
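An added example (not from the original post): labels set with chcon are not recorded in the SELinux file-context policy, so a restorecon or a full relabel can reset them. The script below checks "context path" lines against the types the commands above assign and flags any file carrying httpd_unconfined_script_exec_t outside /home/xymon/server/bin/; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the labels that the
# article's chcon commands are meant to leave in place under /home/xymon.

# Expected SELinux type per path, taken from the chcon commands in the article.
expected_type() {
  case "$1" in
    /home/xymon/server/www|/home/xymon/server/www/*) echo httpd_sys_content_t ;;
    /home/xymon/cgi-bin|/home/xymon/cgi-bin/*)       echo httpd_sys_script_exec_t ;;
    /home/xymon/cgi-secure|/home/xymon/cgi-secure/*) echo httpd_sys_script_exec_t ;;
    /home/xymon/server/bin|/home/xymon/server/bin/*) echo httpd_unconfined_script_exec_t ;;
  esac
}

# Reads "<context> <path>" lines on stdin and prints one line per finding.
# Live input: find /home/xymon -exec stat -c '%C %n' {} +
audit_labels() {
  while read -r ctx path; do
    [ -n "$path" ] || continue
    setype=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
    want=$(expected_type "$path")
    if [ -n "$want" ] && [ "$setype" != "$want" ]; then
      echo "MISLABELED $path has $setype, expected $want"
    elif [ -z "$want" ] && [ "$setype" = httpd_unconfined_script_exec_t ]; then
      echo "UNCONFINED_OUTSIDE_BIN $path"
    fi
  done
}

# Constructed sample input: a correct file, a CGI script reset to the home
# default, a correct unconfined binary, and an unconfined script outside bin/.
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /home/xymon/server/www/index.html
unconfined_u:object_r:user_home_t:s0 /home/xymon/cgi-bin/svcstatus.sh
unconfined_u:object_r:httpd_unconfined_script_exec_t:s0 /home/xymon/server/bin/xymonnet
unconfined_u:object_r:httpd_unconfined_script_exec_t:s0 /home/xymon/server/ext/custom.sh'

printf '%s\n' "$SAMPLE" | audit_labels
```

Empty output means every audited path carries the expected type; run it after any relabel or restorecon of /home.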

Summary

Anyway, that’s all there was to it: six commands and my client’s new Xymon server install was up and running.

Now it’s your turn: have you done it a different way? Please let me know in the comments below!
