iTop and SE Linux
Some Linux distributions (Fedora, RedHat, CentOS…) come with SELinux enabled by default. This requires additional security configuration tobe put in place before you can start using iTop.
Basic SE Linux configuration
// allow Read/Write on itop root and childs folders semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/itop(/.*)?" // apply the policy restorecon -Rv /var/www/html/itop/ // view the applied policy ls -lZ /var/www/html/itop/
This basic configuration works with iTop. You need to have a good knowledge of SE Linux to apply more restrictive rights.
Writing to files
If the installation complains that the conf
folder
of iTop exists but cannot be written, and if the access rights on
the directory look correct, then try to turn-off the SE Linux
context:
setenforce 0
This completely turns-off the security context checking. This is defintely not suitable for a production system, but may be helpful to isolate the source of the problem. More information about Security Contexts is available here or there.
Connecting to a remote MySQL server
If you get troubles to have iTop connect to a remote MySQL server, check the SELinux settings with the following command:
getsebool -a | grep 'httpd'
You should see something like:
allow_httpd_anon_write –> off allow_httpd_bugzilla_script_anon_write –> off allow_httpd_cvs_script_anon_write –> off allow_httpd_mod_auth_pam –> off allow_httpd_nagios_script_anon_write –> off allow_httpd_prewikka_script_anon_write –> off allow_httpd_squid_script_anon_write –> off allow_httpd_sys_script_anon_write –> off httpd_builtin_scripting –> on httpd_can_network_connect –> off httpd_can_network_connect_db –> off httpd_can_network_relay –> off httpd_can_sendmail –> on httpd_disable_trans –> off httpd_enable_cgi –> on httpd_enable_ftp_server –> off httpd_enable_homedirs –> on httpd_rotatelogs_disable_trans –> off httpd_ssi_exec –> off httpd_suexec_disable_trans –> off httpd_tty_comm –> on httpd_unified –> on httpd_use_cifs –> off httpd_use_nfs –> off
If you see the line httpd_can_network_connect_db –>
off
, this means that the web server is prevented from doing
any network connection to the MySQL server.
To change this security setting, type the following command (as root):
setsebool -P httpd_can_network_connect_db on
Connecting to iTop from remote
If you can connect to the web server only from the machine
itself, but not from a remote system, then check the firewall
(iptables
) configuration.
firewall-cmd --list-services
The output of the command should be something like:
dhcp-v6-client http mdns ssh
If http
is not then the list, then the access to
the web server will be blocked. To unblock it, launch (as root) the
following command:
firewall-cmd --add-service=http