Cacti: official forums and support
 Post subject: SELinux and problems with Cacti...
Posted: Wed May 25, 2005 12:20 pm
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5939
Location: Michigan, USA
Currently more and more Linux distros are including SELinux (Security Enhanced Linux). SELinux is a very good idea, but currently causes problems with Cacti, mostly with Cacti spawning scripts, rrdtool, etc., which leads to a number of strange problems.

Disabling SELinux will let Cacti work as it was intended to work.

Currently Fedora Core 3 is shipped with SELinux enabled by default. To disable it, simply edit the /etc/sysconfig/selinux file. Change the
Code:
SELINUX=enforcing
line to
Code:
SELINUX=disabled

To apply this change, you will have to reboot your computer.

I have yet to do any extensive research as to how to have SELinux enabled and run Cacti. When I find a proper configuration for SELinux that works with Cacti, I will post that configuration.

For further information about SELinux check out the following links:
http://www.nsa.gov/selinux/
http://www.nsa.gov/selinux/info/faq.cfm
http://selinux.sourceforge.net/

SELinux FAQ wrote:
What is Security-enhanced Linux?

Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


 Post subject:
Posted: Wed May 25, 2005 1:55 pm

Joined: Mon May 02, 2005 3:33 pm
Posts: 46
Location: New York, NY
I have Cacti running with SELinux enabled, it's not a big deal. Let me know if you have questions.

In a nutshell, your installation of SELinux should come with the audit2allow message program.

If you have SELinux enabled and are trying to use Cacti, the kernel should send alerts to syslog saying Apache is trying to do something it isn't authorized to.

When you get these, just run audit2allow -d
It tells audit2allow to get the error messages from dmesg and to print the rules that need to get added to your SELinux configuration.

To do so, you need to have the source for the policy you run installed.
On my FC3 box, it's under:
/etc/selinux/targeted/src (for the targeted policy)

The name of the rpm is: selinux-policy-targeted-sources

You need to add the stuff audit2allow gave you into this file:
/etc/selinux/targeted/src/policy/domains/misc/local.te

Then go back to /etc/selinux/targeted/src/policy and run:
make reload

The Makefile will recreate the policy and reload it. When it's done (without error), restart Apache and you should be all set.

- Mathieu


 Post subject:
Posted: Wed May 25, 2005 2:18 pm
I knew someone else knew this.. :)

Thanks for the info.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


 Post subject:
Posted: Mon Jun 12, 2006 7:33 pm
NealC wrote:
Apropos SELinux and broken graph images.

OK, some good threads regarding SELinux and Cacti on FC3 (http://forums.cacti.net/viewtopic.php?t=7759) and FC5 (http://forums.cacti.net/about12694.html). However, I had to use a slightly different procedure for FC4, so I thought I'd post it here in case anyone else finds it useful.


First, I had to install the SELinux policy sources:
Code:
yum install selinux-policy-targeted-sources


Next, I had to pipe the errors into audit2allow:
Code:
cat /var/log/audit/audit.log | audit2allow

which gave me:
Code:
allow httpd_sys_script_t httpd_sys_content_t:lnk_file read;
allow httpd_sys_script_t var_lib_t:file { getattr read };
allow httpd_t var_log_t:file { append getattr };


Then, I cut and pasted these lines from the terminal into /etc/selinux/targeted/src/policy/domains/misc/local.te.

Then, from /etc/selinux/targeted/src/policy/ I ran:
Code:
make reload
(I've no idea if you actually have to be in that directory though...)

Finally, I restarted httpd. Happily, I now have graphs appearing in my browser :lol:

Being fairly new to Linux, and a complete noob with SELinux and Cacti, this took me about 3 days :roll: Hopefully this will save someone else a bit of time.

Thanks to mshook and rony for the above 2 posts from which I finally cobbled my solution together - easy when you know how, huh? :wink:


Additional configuration information concerning SELinux. Thanks to NealC for posting this information. :D

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
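
The audit2allow step described in the posts above, reduced to its core, as an added example (not code from the thread and not audit2allow's own implementation): it groups AVC denials by source type, target type and class, and also records which command triggered each denial so every rule can be reviewed before it is pasted into local.te. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread), shaped to
# yield the same kind of rules that NealC's post shows.
SAMPLE_LOG = """\
type=AVC msg=audit(1150155001.101:41): avc:  denied  { read } for  pid=2301 comm="php" name="rra" dev=dm-0 ino=1101 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=lnk_file
type=AVC msg=audit(1150155001.102:42): avc:  denied  { getattr } for  pid=2301 comm="rrdtool" name="host_1.rrd" dev=dm-0 ino=1102 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1150155001.103:43): avc:  denied  { read } for  pid=2301 comm="rrdtool" name="host_1.rrd" dev=dm-0 ino=1102 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1150155002.104:44): avc:  denied  { append getattr } for  pid=2290 comm="httpd" name="cacti.log" dev=dm-0 ino=1103 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
type=SYSCALL msg=audit(1150155002.104:44): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def type_of(context):
    # A context is user:role:type, optionally followed by an MLS range.
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        comm = re.search(r'comm="([^"]*)"', line)
        if comm:
            rules[key]["comms"].add(comm.group(1))
    return rules

def as_allow_rules(rules):
    """Render one allow rule per group, annotated with the triggering command."""
    out = []
    for (s, t, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {s} {t}:{cls} {p};  # comm: {', '.join(sorted(info['comms']))}")
    return out

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
```

The trailing comment on each rule names the process that was denied, which makes it easier to spot a rule that grants more than Cacti needs.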

