SELinux && Ganglia / Multicast && Apache && RRDs

While setting up a test server with the Ganglia triad (gmetad, gmond, gweb over Apache) I had only 2 SELinux alerts to solve. The first one was a denial of access to /var/lib/ganglia/rrd by the httpd process (while accessing the ganglia-web interface):

To resolve that I just added SELinux contexts to the rrdtool binary and the /var/lib/ganglia/rrds dir:

The last SELinux alert was about Apache trying to access port 8652 over a socket connection (in ganglia-web I saw an error like “fsockopen 8652 access denied”):

So I had to create a local policy for this particular case, as there are no Ganglia modules for SELinux (maybe I should create one…?). First, let’s check that there isn’t a single such module:

So let’s create this policy:

After this everything should work like a charm. To confirm that we have this new policy working:
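
The local-policy step described above, as an added example that is not the author's own commands: a small shell script that turns an AVC denial for httpd connecting to port 8652 into type enforcement source for a local module. The AVC record, its `port_t` target type and the module name `local_httpd_ganglia` are constructed assumptions.

```shell
#!/bin/sh
# Constructed AVC record (not from the original post). The port_t target type
# is an assumption; use the tcontext from your own audit.log.
SAMPLE_AVC='type=AVC msg=audit(1380000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: print the value of KEY=value from the record.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_type CONTEXT: print the type, the third field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_to_te MODULE RECORD: print type enforcement source that allows exactly
# the denied access. Returns 1 if the record lacks any required field.
avc_to_te() {
    src=$(avc_type "$(avc_field "$2" scontext)")
    tgt=$(avc_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    # Caveat: the rule covers every port labelled $tgt, not only dest=8652.
    cat <<EOF
module $1 1.0;

require {
    type $src;
    type $tgt;
    class $cls { $perms };
}

allow $src $tgt:$cls { $perms };
EOF
}

# local_httpd_ganglia is a hypothetical module name. Build and load the result:
#   checkmodule -M -m -o local_httpd_ganglia.mod local_httpd_ganglia.te
#   semodule_package -o local_httpd_ganglia.pp -m local_httpd_ganglia.mod
#   semodule -i local_httpd_ganglia.pp
avc_to_te local_httpd_ganglia "$SAMPLE_AVC"
```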

  • Dan Yocum

    Good article. BZ filed for this bug, here:

    • Maciej Lasyk

      Hah, nice Dan – thx; the above method is a rather nasty workaround – I didn’t even check if there was any Ganglia policy back then :/

      Btw – there are still no official Ganglia packages for RHEL7, so not sure if this problem will be replicated or not. Interesting

      • Milos Malik

        The same problem appears on RHEL-7 too, when ganglia-3.7.1-2.el7 is used.

    • Milos Malik