System Monitoring with Xymon/Selinux

This example shows how to create and install an SELinux policy under CentOS 5.5 suitable for running Xymon.

The current version of Xymon will, by default, install in /home/xymon.

Xymon consists of CGI and setuid programs and scripts which read, write and create files and directories within the Xymon directories.

Directories under /home are typically treated as user home directories by SELinux, and the default policy prevents the web server from reading, writing, creating, and deleting user files and directories there.

To get around this, we can create a new type (xymon_t) and a corresponding policy (xymon) which gives the web server (httpd_t) and the root user (unconfined_t) the access required to run Xymon without giving Xymon full access to all user directories.

After the policy is loaded, the installation location of Xymon (/home/xymon) must be relabeled.

First create the file xymon.te:

Compile and load this policy:

After installing the new policy, relabel the Xymon files (the SELinux file contexts) so that Xymon can run:

Now restart the web server and Xymon.

Monitor the logs and /var/log/audit/audit.log for problems and security violations and modify the policy as appropriate.
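The whole procedure above (write xymon.te, compile and load it, relabel /home/xymon, restart, then watch the audit log) collected into one script. This is an added example, not code from the Xymon project or from the original page. It assumes Xymon is installed in /home/xymon (overridable via XYMON_HOME), the CentOS 5 targeted policy with checkmodule, semodule_package, semodule, semanage and restorecon installed, and that the server start script is /home/xymon/server/xymon.sh; the permission lists are a starting set to be extended from audit.log denials, not a complete policy.

```shell
#!/bin/sh
# Added example (not from the original page). Builds and loads an SELinux
# module defining a new file type xymon_t, labels /home/xymon with it, and
# restarts the services. Assumed: CentOS 5 targeted policy and tools,
# Xymon in $XYMON_HOME, start script at $XYMON_HOME/server/xymon.sh.

XYMON_HOME="${XYMON_HOME:-/home/xymon}"

# Permission sets reused for httpd_t and unconfined_t. Starting point only;
# add whatever audit.log shows being denied (audit2allow -a helps here).
DIR_PERMS='getattr setattr search read write create rmdir add_name remove_name rename lock ioctl'
FILE_PERMS='getattr setattr read write append create unlink rename lock ioctl execute execute_no_trans'
LNK_PERMS='getattr read'

# Emit the policy source for xymon.te on stdout (raw module syntax, so no
# selinux-policy-devel macros are needed).
xymon_policy_source() {
  cat <<EOF
module xymon 1.0;

require {
    type httpd_t;
    type unconfined_t;
    attribute file_type;
    class dir { $DIR_PERMS };
    class file { $FILE_PERMS };
    class lnk_file { $LNK_PERMS };
}

# One new type for everything under the Xymon tree; file_type marks it
# as an ordinary file label for the rest of the policy.
type xymon_t, file_type;

# Web server: CGI scripts and data files under the Xymon tree.
allow httpd_t xymon_t:dir { $DIR_PERMS };
allow httpd_t xymon_t:file { $FILE_PERMS };
allow httpd_t xymon_t:lnk_file { $LNK_PERMS };

# Root (unconfined_t) running the daemons and setuid helpers. In the
# targeted policy unconfined_t is already unconfined; these rules are
# kept so the module documents the access Xymon needs.
allow unconfined_t xymon_t:dir { $DIR_PERMS };
allow unconfined_t xymon_t:file { $FILE_PERMS };
allow unconfined_t xymon_t:lnk_file { $LNK_PERMS };
EOF
}

# Write xymon.te into DIR and print its path.
write_policy() {
  dir="$1"
  xymon_policy_source > "$dir/xymon.te"
  echo "$dir/xymon.te"
}

# Compile xymon.te -> xymon.mod -> xymon.pp and load it into the kernel.
build_and_load_policy() {
  dir="$1"
  checkmodule -M -m -o "$dir/xymon.mod" "$dir/xymon.te"
  semodule_package -o "$dir/xymon.pp" -m "$dir/xymon.mod"
  semodule -i "$dir/xymon.pp"
}

# Record the file context for the Xymon tree and relabel it in place.
relabel_xymon() {
  semanage fcontext -a -t xymon_t "$XYMON_HOME(/.*)?"
  restorecon -R -v "$XYMON_HOME"
}

# Restart Apache and Xymon (assumed path to the Xymon start script).
restart_services() {
  /sbin/service httpd restart
  su - xymon -c "$XYMON_HOME/server/xymon.sh restart"
}

# Print AVC denials that mention the new type, for iterating on the policy.
show_avc_denials() {
  grep 'avc: *denied' /var/log/audit/audit.log | grep 'xymon_t' || true
}

# Only perform the installation when explicitly asked to.
if [ "${1:-}" = "install" ]; then
  workdir=$(mktemp -d)
  write_policy "$workdir" > /dev/null
  build_and_load_policy "$workdir"
  relabel_xymon
  restart_services
  show_avc_denials
fi
```

Run it as root with `sh xymon-selinux.sh install`; afterwards, re-run `show_avc_denials` (or `audit2allow -a`) and fold any missing permissions into the policy before rebuilding and reloading it with `semodule -i`.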
