Hi,

I hope I can help anyone trying to get ganglia working
with RedHat FC3.

The graphs will not display using the ganglia-webfrontend with Fedora 
Core 3.  The reason is that SELinux is set by default.  SELinux
is an extra security layer.  You can turn it off
in /etc/selinux/config by setting SELINUX to "disabled" and 
rebooting.  The graphs should now appear in the web browser.

If SELinux is set on, then the graphs are not displayed by rrdtool.
The reason is that functions.php calls "exec" which invokes the 
"sh" command which is not allowed by the httpd daemon under 
SELinux with the default policy.  In /var/www/html/ganglia 
(the ganglia-webfrontend directory on my computer), you can see:
functions.php:         exec($command, $out);
graph.php:$command = RRDTOOL . " graph - --start $start --end $end ".

You can run ganglia-webfrontend and SELinux if you do the following:
1. Install the rpm: selinux-policy-targeted-sources-1.17.30-2.19.noarch.rpm
(you need the "sources", otherwise you cannot make a new SELinux policy).
2. In /etc/selinux/config set SELINUX to "permissive" and reboot.
3. Run ganglia (you should see the graphs because SELinux will log 
violations but does not deny them).
4. Use: "audit2allow -i /var/log/messages -l" and put output
into: /etc/selinux/targeted/src/policy/domains/misc/local.te
(the "audit2allow" command scans the messages for all denies
and forms the necessary allow commands)
For me, the output was:
allow httpd_sys_script_t file_t:file { append };
allow httpd_sys_script_t httpd_sys_content_t:dir { read };
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
allow httpd_sys_script_t var_lib_t:dir { search };
allow httpd_sys_script_t var_lib_t:file { getattr read };
allow httpd_t bin_t:lnk_file { read };
allow httpd_t file_t:file { append getattr read write };
allow httpd_t shell_exec_t:lnk_file { read };
allow httpd_t unlabeled_t:dir { getattr };
allow httpd_t unlabeled_t:file { getattr };
allow httpd_t usr_t:dir { write };
5. Cd to /etc/selinux/targeted/src/policy
make clean
make load
(the local.te file is in the default location to be found
by the make command)
6. To test, turn on setenforce by "setenforce enforcing",
and see if you can still see the graphs.
7. To make permanent, in /etc/selinux/config set SELINUX to 
"enforcing" and reboot.

Yours,
Mike McKee, Chemistry
Auburn University
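
Added example (not part of the original message): audit2allow turns every logged denial into an allow rule, so the result is worth reading before it is loaded in step 5. This shell sketch, run over the rules quoted above as constructed sample input, flags rules that target file_t or unlabeled_t (files with no proper label, where relabeling is usually the better fix) and rules that give the httpd domains write-type access to files or directories; the function names and the permission list are assumptions made here.

```shell
#!/bin/sh
# Added example: review audit2allow output before loading it (step 5).

# Constructed sample input: the rules quoted in the message above.
sample_rules() {
cat <<'EOF'
allow httpd_sys_script_t file_t:file { append };
allow httpd_sys_script_t httpd_sys_content_t:dir { read };
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
allow httpd_sys_script_t var_lib_t:dir { search };
allow httpd_sys_script_t var_lib_t:file { getattr read };
allow httpd_t bin_t:lnk_file { read };
allow httpd_t file_t:file { append getattr read write };
allow httpd_t shell_exec_t:lnk_file { read };
allow httpd_t unlabeled_t:dir { getattr };
allow httpd_t unlabeled_t:file { getattr };
allow httpd_t usr_t:dir { write };
EOF
}

# Reads "allow SRC TGT:CLASS { PERMS };" lines on stdin and prints
# "REASON<TAB>rule" for every rule that deserves a second look.
# The write-type permission list is an assumption chosen for this sketch.
review_rules() {
  awk '
    $1 != "allow" || $2 !~ /^httpd_/ { next }
    {
      split($3, tc, ":"); tgt = tc[1]; cls = tc[2]; reason = ""
      perms = substr($0, index($0, "{") + 1)
      perms = substr(perms, 1, index(perms, "}") - 1)
      n = split(perms, p, " ")
      if (tgt == "file_t" || tgt == "unlabeled_t") {
        # Target has no proper label: relabel the files instead if possible.
        reason = "unlabeled-target"
      } else if (cls == "file" || cls == "dir" || cls == "lnk_file") {
        for (i = 1; i <= n; i++)
          if (p[i] ~ /^(write|append|create|unlink|setattr|rename)$/)
            reason = "write-access"
      }
      if (reason != "") print reason "\t" $0
    }'
}

sample_rules | review_rules
```

To check real output, pipe it in instead of the sample, for example `review_rules < local.te`.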