Please check the following URI if you want the details.
http://www.monitorix.org/
[ install monitorix on Fedora 16 ]
[root@fc16 ~]# uname -ri 3.3.1-3.fc16.x86_64 x86_64 [root@fc16 ~]# cat /etc/redhat-release Fedora release 16 (Verne) |
install required packages via yum before installing monitorix.
[root@fc16 ~]# yum install httpd rrdtool rrdtool-perl perl-libwww-perl perl-MailTools perl-MIME-Lite perl-CGI perl-DBI -y |
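download monitorix from http://www.monitorix.org/downloads.html and install it (the command below has rpm fetch the package over plain http and install it as root in one step; if the project publishes a checksum or signature, download the file first and check it, e.g. with `rpm -K`, before installing)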
[root@fc16 ~]# rpm -ivh http://www.monitorix.org/monitorix-2.5.0-1.noarch.rpm |
[ config etc ]
documents
[root@fc16 ~]# ls /usr/share/doc/monitorix-2.5.0/* /usr/share/doc/monitorix-2.5.0/COPYING /usr/share/doc/monitorix-2.5.0/Changes /usr/share/doc/monitorix-2.5.0/README /usr/share/doc/monitorix-2.5.0/README.FreeBSD /usr/share/doc/monitorix-2.5.0/README.OpenBSD /usr/share/doc/monitorix-2.5.0/README.nginx /usr/share/doc/monitorix-2.5.0/monitorix-alert.sh /usr/share/doc/monitorix-2.5.0/monitorix-deb.init |
config
/etc/monitorix.conf /etc/httpd/conf.d/monitorix.conf |
start monitorix and httpd
[root@fc16 ~]# /etc/init.d/monitorix start Starting monitorix (via systemctl): [ OK ] [root@fc16 ~]# [root@fc16 ~]# apachectl start |
access to monitorix by web browser ( http://127.1/monitorix/ )
top page
check processor info
nn , internal error
judging from syslog , SELinux seems to be preventing the httpd daemon from executing the cgi file.
/var/log/messages
fc16 setroubleshoot: SELinux is preventing /usr/sbin/httpd from execute access on the file monitorix.cgi. For complete SELinux messages. run sealert -l 4bb7f29e-ff41-4642-8d85-ff26b5e83bc1 |
/var/log/audit/audit.log
type=AVC msg=audit(1334075872.093:123): avc: denied { execute } for pid=4931 comm="httpd" name="monitorix.cgi" dev="sda3" ino=283067 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1334075872.093:123): arch=c000003e syscall=59 success=no exit=-13 a0=7f18e65e2b40 a1=7f18e65dfa18 a2=7f18e65dfa30 a3=7fffc7b21b40 items=0 ppid=4111 pid=4931 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) |
check processes protected by SELinux
[root@fc16 ~]# ps -ZC httpd LABEL PID TTY TIME CMD unconfined_u:system_r:httpd_t:s0 4103 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4104 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4105 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4106 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4107 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4108 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4109 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4110 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4111 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 4441 ? 00:00:00 httpd |
or you can check all processes and their SELinux labels by issuing “ps -eZ” (lower case; the command name is case-sensitive)
[root@fc16 ~]# ps -eZ LABEL PID TTY TIME CMD system_u:system_r:init_t:s0 1 ? 00:00:02 systemd system_u:system_r:kernel_t:s0 2 ? 00:00:00 kthreadd system_u:system_r:kernel_t:s0 3 ? 00:00:01 ksoftirqd/0 system_u:system_r:kernel_t:s0 6 ? 00:00:00 migration/0 system_u:system_r:kernel_t:s0 7 ? 00:00:00 watchdog/0 system_u:system_r:kernel_t:s0 8 ? 00:00:00 migration/1 system_u:system_r:kernel_t:s0 10 ? 00:00:01 ksoftirqd/1 system_u:system_r:kernel_t:s0 12 ? 00:00:00 watchdog/1 <snip> |
check a label
[root@fc16 cgi-bin]# pwd /usr/share/monitorix/cgi-bin [root@fc16 cgi-bin]# ls monitorix.cgi monitorix.conf.path [root@fc16 cgi-bin]# ls -Z -rwxr-xr-x. root root system_u:object_r:usr_t:s0 monitorix.cgi -rw-r--r--. root root system_u:object_r:usr_t:s0 monitorix.conf.path |
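the label is system_u:object_r:usr_t:s0 , i.e. the file type is usr_t. This is the same tcontext that the AVC denial above reports for monitorix.cgi: httpd_t is not allowed to execute a usr_t file.
allow httpd to execute cgi.
check the SELinux config for httpd. In the output below httpd_enable_cgi is already on, so the boolean is not what blocks the CGI; the file label is, which is why the chcon to httpd_sys_script_exec_t follows. A label set with chcon is lost when the file is relabelled (restorecon or a full relabel); to keep it, record the rule with `semanage fcontext -a -t httpd_sys_script_exec_t '/usr/share/monitorix/cgi-bin/monitorix.cgi'` and apply it with `restorecon -v /usr/share/monitorix/cgi-bin/monitorix.cgi`.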
[root@fc16 cgi-bin]# getsebool -a | grep httpd allow_httpd_anon_write --> off allow_httpd_mod_auth_ntlm_winbind --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_manage_ipa --> off httpd_read_user_content --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_tmp_exec --> off httpd_tty_comm --> on httpd_unified --> off httpd_use_cifs --> off httpd_use_gpg --> off httpd_use_nfs --> off |
[root@fc16 cgi-bin]# chcon -t httpd_sys_script_exec_t /usr/share/monitorix/cgi-bin/monitorix.cgi [root@fc16 cgi-bin]# ls -Z /usr/share/monitorix/cgi-bin/monitorix.cgi -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/monitorix/cgi-bin/monitorix.cgi |
check the processor status again..
nnn , still error
well , check the syslog and audit.log
syslog
fc16 setroubleshoot: SELinux is preventing /usr/bin/perl from read access on the file proc.rrd. For complete SELinux messages. run sealert -l 79dab955-d2d6-4933-86ad-3b0a9c30583f |
audit.log
type=AVC msg=audit(1334077044.160:145): avc: denied { read } for pid=6210 comm="monitorix.cgi" name="proc.rrd" dev="sda3" ino=283131 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1334077044.160:145): arch=c000003e syscall=2 success=no exit=-13 a0=2b24e68 a1=0 a2=1b6 a3=18 items=0 ppid=4104 pid=6210 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="monitorix.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null) |
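I’m not familiar with SELinux..
Okay , disable SELinux (this is what I did, but it switches off SELinux confinement for every service on the host, not only for monitorix. The second denial above only says that the CGI, now running as httpd_sys_script_t, may not read proc.rrd, which is labelled var_lib_t. A narrower fix is to give the RRD data directory a type the CGI domain may read, e.g. `semanage fcontext -a -t httpd_sys_content_t '<RRD_DATA_DIR>(/.*)?'` followed by `restorecon -Rv <RRD_DATA_DIR>` , where <RRD_DATA_DIR> is a placeholder for the directory that holds proc.rrd, then confirm that the monitorix daemon can still write there and repeat for any further denial. Alternatively, build a small local policy module from the logged denials with audit2allow and read it before loading it. While debugging, `setenforce 0` puts SELinux in permissive mode, which logs denials without blocking them and needs no reboot.)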
[root@fc16 cgi-bin]# egrep -i ^selinux /etc/selinux/config SELINUX=disabled SELINUXTYPE=targeted |
reboot the OS.
start monitorix and httpd
[root@fc16 ~]# /etc/init.d/monitorix start Starting monitorix (via systemctl): [ OK ] [root@fc16 ~]# apachectl start |
access to http://localhost/monitorix/
get things done.
Thx for reading :)