Cacti: official forums and support



SELinux and problems with Cacti...

 
rony
Developer/Forum Admin


Joined: 17 Nov 2003
Posts: 5402
Location: Wisconsin, USA

Posted: Wed May 25, 2005 12:20 pm    Post subject: SELinux and problems with Cacti...

Currently more and more Linux distros are including SELinux (Security Enhanced Linux). SELinux is a very good idea, but currently causes problems with Cacti. Mostly problems with Cacti spawning scripts, rrdtool, etc., which leads to a number of strange problems.

Disabling SELinux will let Cacti work as it was intended to work.

Currently Fedora Core 3 is shipped with SELinux enabled by default. To disable it, you simply edit the /etc/sysconfig/selinux file. Change the
Code:
SELINUX=enabled
line to
Code:
SELINUX=disabled

To apply this change, you will have to reboot your computer.

I have yet to do any extensive research as to how to have SELinux enabled and run Cacti. When I find a proper configuration for SELinux that works with Cacti, I will post that configuration.

For further information about SELinux check out the following links:
http://www.nsa.gov/selinux/
http://www.nsa.gov/selinux/info/faq.cfm
http://selinux.sourceforge.net/

SELinux FAQ wrote:
What is Security-enhanced Linux?

Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
mshook



Joined: 02 May 2005
Posts: 46
Location: New York, NY

Posted: Wed May 25, 2005 1:55 pm

I have Cacti running with SELinux enabled; it's not a big deal. Let me know if you have questions.

In a nutshell, your installation of SELinux should come with the audit2allow message program.

If you have SELinux enabled and are trying to use Cacti, the kernel should send alerts to syslog saying Apache is trying to do something it isn't authorized to.

When you get these, just run audit2allow -d
It tells audit2allow to get the error messages from dmesg and to print the rules that need to get added to your selinux configuration.

To do so, you need to have the source for the policy you run installed.
On my FC3 box, it's under:
/etc/selinux/targeted/src (for the targeted policy)

The name of the rpm is: selinux-policy-targeted-sources

You need to add the stuff audit2allow gave you into this file:
/etc/selinux/targeted/src/policy/domains/misc/local.te

Then go back to /etc/selinux/targeted/src/policy and run:
make reload

The Makefile will recreate the policy and reload it. When it's done (without error), restart Apache and you should be all set.

- Mathieu
rony

Posted: Wed May 25, 2005 2:18 pm

I knew someone else knew this..

Thanks for the info.
rony

Posted: Mon Jun 12, 2006 7:33 pm

NealC wrote:
Apropos SELinux and broken graph images.

OK, some good threads regarding SELinux and Cacti on FC3 (http://forums.cacti.net/viewtopic.php?t=7759) and FC5 (http://forums.cacti.net/about12694.html). However, I had to use a slightly different procedure for FC4, so I thought I'd post it here in case anyone else finds it useful.


First, I had to install the SELinux policy sources:
Code:
yum install selinux-policy-targeted-sources


Next, I had to pipe the errors into audit2allow:
Code:
cat /var/log/audit/audit.log | audit2allow

which gave me:
Code:
allow httpd_sys_script_t httpd_sys_content_t:lnk_file read;
allow httpd_sys_script_t var_lib_t:file { getattr read };
allow httpd_t var_log_t:file { append getattr };


Then, I cut and pasted these lines from the terminal into /etc/selinux/targeted/src/policy/domains/misc/local.te.

Then, from /etc/selinux/targeted/src/policy/ I ran:
Code:
make reload
(I've no idea if you actually have to be in that directory though...)

Finally, I restarted httpd. Happily, I now have graphs appearing in my browser.

Being fairly new to Linux, and a complete noob with SELinux and Cacti, this took me about 3 days. Hopefully this will save someone else a bit of time.

Thanks to mshook and rony for the above 2 posts from which I finally cobbled my solution together - easy when you know how, huh?


Additional configuration information concerning SELinux. Thanks to NealC for posting this information.