This procedure is not supported.
This article was written for version 8.0.3 of OP5 Monitor and has been tested on that version. It is not part of a standard configuration of OP5 Monitor.
Intro
This guide explains how to configure SELinux in EL7 to run with OP5 Monitor and its required services.
Prerequisites
- OP5 Monitor version 8.0.3 or above installed & running
- SSH access with root privileges
- Internet connection to download installation packages
Step-by-step guide
Log in to your OP5 server with SSH using root privileges.
Enable SELinux by opening: /etc/selinux/config
Set: SELINUX=enforcing
To give all files and folders the correct SELinux context, create the file /.autorelabel and reboot so the relabel runs at boot.
```
touch /.autorelabel
reboot
```
When the system is running again, SELinux blocks several key features of OP5 Monitor, which need to be allowed.
Run the following commands to allow them, or run the BASH-script attached to this document.
```
# Install needed packages
yum install -y policycoreutils-python setroubleshoot

# Variables
monitor_path="/opt/monitor"
# Generic binary type: a daemon labelled with it gets no confined domain of its own.
unconfined_type="bin_t"

# Disable all abrt services. OP5 requires these but they cause selinux errors.
abrt_services="abrt-ccpp.service abrtd.service abrt-oops.service abrt-pstoreoops.service abrt-vmcore.service abrt-xorg.service"
# $abrt_services is left unquoted on purpose so it splits into one argument per unit.
/usr/bin/systemctl disable $abrt_services &>/dev/null
/usr/bin/systemctl stop $abrt_services &>/dev/null
/usr/bin/systemctl mask $abrt_services &>/dev/null

# Set file contexts
echo "Setting file contexts..."

# Run http unconfined, since Nacoma lives in the http context.
semanage fcontext -a -t $unconfined_type /usr/sbin/httpd
restorecon /usr/sbin/httpd

# Run snmpd unconfined - to allow OP5 self monitoring.
semanage fcontext -a -t $unconfined_type /usr/sbin/snmpd
restorecon /usr/sbin/snmpd

# Run smsd unconfined
semanage fcontext -a -t $unconfined_type /usr/sbin/smsd
restorecon /usr/sbin/smsd

# Label the OP5 directories with standard types for SSH keys, logs, runtime data and configuration.
semanage fcontext -a -t ssh_home_t "${monitor_path}/.ssh(/.*)?"
semanage fcontext -a -t var_log_t "${monitor_path}/var"
semanage fcontext -a -t var_log_t "${monitor_path}/var/naemon.log"
semanage fcontext -a -t var_log_t "${monitor_path}/var/archives(/.*)?"
semanage fcontext -a -t var_run_t "${monitor_path}/var/rw(/.*)?"
semanage fcontext -a -t var_run_t "/var/cache/naemon(/.*)?"
semanage fcontext -a -t etc_t "${monitor_path}/op5/merlin/merlin.conf"
semanage fcontext -a -t etc_t "${monitor_path}/etc(/.*)?"

# Apply the new rules to the files already on disk.
restorecon -R "${monitor_path}/var"
restorecon -R "${monitor_path}/.ssh"
restorecon -R "${monitor_path}/op5/merlin"
restorecon -R "${monitor_path}/etc"
restorecon -R /var/cache/naemon

# Done
echo "Done"
```
OP5 Monitor is now running with all bells & whistles, with SELinux enforcing.
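To confirm that the relabelling took effect, the following added example (not part of the original article or the attached OP5 script) compares the SELinux type on each path with the type the script assigns. The function names are hypothetical, the paths assume monitor_path=/opt/monitor as in the script, and the sample input is constructed.

```shell
# Added example: verify the types set by the semanage fcontext lines above.
# On a real host:  stat -c '%C %n' <paths> | check_labels
expected_labels() {   # "path type" pairs copied from the script
cat <<'EOF'
/usr/sbin/httpd bin_t
/usr/sbin/snmpd bin_t
/usr/sbin/smsd bin_t
/opt/monitor/.ssh ssh_home_t
/opt/monitor/var var_log_t
/opt/monitor/var/rw var_run_t
/var/cache/naemon var_run_t
/opt/monitor/etc etc_t
/opt/monitor/op5/merlin/merlin.conf etc_t
EOF
}

# The type is the third field of user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Reads "context path" lines on stdin, prints one line per missing or
# mislabelled path, and returns non-zero if it printed any.
check_labels() (
    actual=$(cat); rc=0
    while read -r path want; do
        ctx=$(printf '%s\n' "$actual" | awk -v p="$path" '$2 == p {print $1; exit}')
        if [ -z "$ctx" ]; then
            echo "MISSING $path (expected $want)"; rc=1
        elif [ "$(context_type "$ctx")" != "$want" ]; then
            echo "MISMATCH $path is $(context_type "$ctx") (expected $want)"; rc=1
        fi
    done <<EOF
$(expected_labels)
EOF
    [ "$rc" -eq 0 ]
)
# Constructed sample: httpd was never relabelled, merlin.conf was not listed.
sample_contexts() {
cat <<'EOF'
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
system_u:object_r:bin_t:s0 /usr/sbin/snmpd
system_u:object_r:bin_t:s0 /usr/sbin/smsd
unconfined_u:object_r:ssh_home_t:s0 /opt/monitor/.ssh
system_u:object_r:var_log_t:s0 /opt/monitor/var
system_u:object_r:var_run_t:s0 /opt/monitor/var/rw
system_u:object_r:var_run_t:s0 /var/cache/naemon
system_u:object_r:etc_t:s0 /opt/monitor/etc
EOF
}
sample_contexts | check_labels || true
```

A mismatch on one of the three daemon binaries means that service still starts in its confined domain, so the denials the script was meant to clear will keep appearing in the audit log.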