One issue you may run into on newer Linux distros is that SELinux will likely prevent Xymon from working properly if you compile it from source.
In order to get Xymon talking with Apache and running its network tests, you’ll need to make some changes.
I’ve outlined my process for this below.
Xymon, SELinux, and Contexts
Fortunately, when you install Apache it creates some SELinux contexts that can be used to help Xymon run.
In particular, these are the contexts I used to get Xymon up and working:
- httpd_sys_content_t
- httpd_sys_script_exec_t
- httpd_unconfined_script_exec_t
I also needed some of the boolean options:
- httpd_enable_homedirs
- httpd_can_network_connect
There’s a great overview of these settings and what each does here:
https://fedoraproject.org/wiki/SELinux/apache
Making It Work
Now let’s cut right to it: below are the commands I used to get Xymon working with Apache and SELinux.
Note that this assumes that Xymon is installed in /home/xymon/.
setsebool -P httpd_enable_homedirs 1 setsebool -P httpd_can_network_connect 1 chcon -R -t httpd_sys_content_t /home/xymon/server/www/ chcon -R -t httpd_sys_script_exec_t /home/xymon/cgi-bin/ chcon -R -t httpd_sys_script_exec_t /home/xymon/cgi-secure/ chcon -R -t httpd_unconfined_script_exec_t /home/xymon/server/bin/
Security Concerns
Before you just cut and paste these into your server though, make sure you understand what each command does.
In particular, be aware that they allow Apache to run scripts in the Xymon home directory and that it disables SELinux Apache monitoring of the /home/xymon/server/bin/ directory.
It will still be more secure than if you disabled SELinux entirely though, which is what I’ve seen a number of people do in order to get Xymon working on new Linux distros.
I’d much rather have SELinux running than not!
Summary
Anyway, that’s all there was to it: six commands and my client’s new Xymon server install was up and running.
Now it’s your turn: have you done it a different way? Please let me know in the comments below!
Leave a Reply