lost and found ( for me ? )

Fedora 16 : Monitoring tool : Monitorix

Monitorix is web-based lightweight system monitoring tool.

Please check the following URI if you want to the detail.

http://www.monitorix.org/

[ install monitorix on Fedora 16 ]

[root@fc16 ~]# uname -ri
3.3.1-3.fc16.x86_64 x86_64
[root@fc16 ~]# cat /etc/redhat-release
Fedora release 16 (Verne)


install required packages via yum before installing monitorix.
[root@fc16 ~]# yum install httpd rrdtool rrdtool-perl perl-libwww-perl perl-MailTools perl-MIME-Lite perl-CGI perl-DBI -y


download monitorix from http://www.monitorix.org/downloads.html and install it
[root@fc16 ~]# rpm -ivh http://www.monitorix.org/monitorix-2.5.0-1.noarch.rpm

[ config etc ]

documents
[root@fc16 ~]# ls /usr/share/doc/monitorix-2.5.0/*
/usr/share/doc/monitorix-2.5.0/COPYING
/usr/share/doc/monitorix-2.5.0/Changes
/usr/share/doc/monitorix-2.5.0/README
/usr/share/doc/monitorix-2.5.0/README.FreeBSD
/usr/share/doc/monitorix-2.5.0/README.OpenBSD
/usr/share/doc/monitorix-2.5.0/README.nginx
/usr/share/doc/monitorix-2.5.0/monitorix-alert.sh
/usr/share/doc/monitorix-2.5.0/monitorix-deb.init

config
/etc/monitorix.conf
/etc/httpd/conf.d/monitorix.conf

start monitorix and httpd
[root@fc16 ~]# /etc/init.d/monitorix start
Starting monitorix (via systemctl):                        [  OK  ]
[root@fc16 ~]#

[root@fc16 ~]# apachectl start


access to monitorix by web browser ( http://127.1/monitorix/ )

top page


check processor info
nn , internal error


seen from syslog , SELinux seems to prevent httpd daemon from executing cgi files.

/var/log/messages

fc16 setroubleshoot: SELinux is preventing /usr/sbin/httpd from execute access on the file monitorix.cgi. For complete SELinux messages. run sealert -l 4bb7f29e-ff41-4642-8d85-ff26b5e83bc1

/var/log/audit/audit.log
type=AVC msg=audit(1334075872.093:123): avc:  denied  { execute } for  pid=4931 comm="httpd" name="monitorix.cgi" dev="sda3" ino=283067 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1334075872.093:123): arch=c000003e syscall=59 success=no exit=-13 a0=7f18e65e2b40 a1=7f18e65dfa18 a2=7f18e65dfa30 a3=7fffc7b21b40 items=0 ppid=4111 pid=4931 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

check processes protected by SELinux
[root@fc16 ~]# ps -ZC httpd
LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:httpd_t:s0 4103 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4104 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4105 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4106 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4107 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4108 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4109 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4110 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4111 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 4441 ?        00:00:00 httpd

or you can check all protected processes by issuing “PS -eZ”
[root@fc16 ~]# ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:kernel_t:s0       3 ?        00:00:01 ksoftirqd/0
system_u:system_r:kernel_t:s0       6 ?        00:00:00 migration/0
system_u:system_r:kernel_t:s0       7 ?        00:00:00 watchdog/0
system_u:system_r:kernel_t:s0       8 ?        00:00:00 migration/1
system_u:system_r:kernel_t:s0      10 ?        00:00:01 ksoftirqd/1
system_u:system_r:kernel_t:s0      12 ?        00:00:00 watchdog/1
<snip>

check a label
[root@fc16 cgi-bin]# pwd
/usr/share/monitorix/cgi-bin
[root@fc16 cgi-bin]# ls
monitorix.cgi  monitorix.conf.path

[root@fc16 cgi-bin]# ls -Z
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       monitorix.cgi
-rw-r--r--. root root system_u:object_r:usr_t:s0       monitorix.conf.path

the label is system_u:object_r:usr_t:s0

allow httpd to execute cgi.

check the SELinux config for httpd.
[root@fc16 cgi-bin]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

[root@fc16 cgi-bin]# chcon -t httpd_sys_script_exec_t /usr/share/monitorix/cgi-bin/monitorix.cgi

[root@fc16 cgi-bin]# ls -Z /usr/share/monitorix/cgi-bin/monitorix.cgi
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/monitorix/cgi-bin/monitorix.cgi

check the processor status again..
nnn , still error


well , check the syslog and audit.log

syslog
fc16 setroubleshoot: SELinux is preventing /usr/bin/perl from read access on the file proc.rrd. For complete SELinux messages. run sealert -l 79dab955-d2d6-4933-86ad-3b0a9c30583f


audit.log
type=AVC msg=audit(1334077044.160:145): avc:  denied  { read } for  pid=6210 comm="monitorix.cgi" name="proc.rrd" dev="sda3" ino=283131 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1334077044.160:145): arch=c000003e syscall=2 success=no exit=-13 a0=2b24e68 a1=0 a2=1b6 a3=18 items=0 ppid=4104 pid=6210 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="monitorix.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)


I’m not familiar with SElinux..

Okay , disable SELinux
[root@fc16 cgi-bin]# egrep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted


reboot the OS.


start monitorix and httpd
[root@fc16 ~]# /etc/init.d/monitorix start
Starting monitorix (via systemctl):                        [  OK  ]
[root@fc16 ~]# apachectl start

access to http://localhost/monitorix/



get things done.
Thx for reading :)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.