iTop and SE Linux

Some Linux distributions (Fedora, RedHat, CentOS…) come with SELinux enabled by default. This requires additional security configuration to be put in place before you can start using iTop.

Basic SE Linux configuration

# allow read/write on the iTop root and its child folders
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/itop(/.*)?"
# apply the policy
restorecon -Rv /var/www/html/itop/
# view the applied policy
ls -lZ /var/www/html/itop/

This basic configuration works with iTop. You need to have a good knowledge of SE Linux to apply more restrictive rights.

Writing to files

If the installation complains that the conf folder of iTop exists but cannot be written, and the access rights on the directory look correct, then try turning off SELinux enforcement (permissive mode):

setenforce 0

This completely turns off security context enforcement (denials are still logged in the audit log, but no longer blocked). This is definitely not suitable for a production system, but may be helpful to isolate the source of the problem. More information about Security Contexts is available here or there.
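The audit log already records every action SELinux refuses to the web server, so the usual alternative to permissive mode is to read those records and apply the fix they point at. The script below is an added example, not part of the iTop documentation: it extracts AVC denials raised against httpd from audit-log lines and maps each one to the remedy this page describes (relabel the iTop tree with restorecon, or enable the httpd_can_network_connect_db boolean). The audit records it runs on are constructed samples; the iTop root path is an assumption to adjust.

```shell
#!/bin/sh
# Added example (not part of the iTop documentation): instead of dropping
# SELinux to permissive mode, read the AVC denials the audit log already
# records for the web server and map each one to the remedy described on
# this page (relabel the iTop tree, or enable a boolean).
#
# Real use:   httpd_denials < /var/log/audit/audit.log | advise
# Assumption: iTop lives under ITOP_ROOT (adjust to your install).
ITOP_ROOT="/var/www/html/itop"

# Constructed sample audit records: one file denial, one MySQL port
# denial, one unrelated sshd denial and one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="config-itop.php" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read } for  pid=999 comm="sshd" name="id_rsa" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"'

# Reads audit-log lines on stdin, keeps AVC denials raised against httpd and
# prints one summary per denial: <perms> <class> <target type> <name|port>
httpd_denials() {
    awk '
        /^type=AVC / && /avc: +denied/ && /comm="httpd"/ {
            perm = ""; cls = "?"; ttype = "?"; target = "?"; inperm = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) perm = (perm == "" ? $i : perm "," $i)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                if ($i ~ /^name=/)     { target = substr($i, 6); gsub(/"/, "", target) }
                if ($i ~ /^dest=/)     target = substr($i, 6)
            }
            printf "%s %s %s %s\n", perm, cls, ttype, target
        }'
}

# Reads the summaries above and prints the fix this page prescribes.
advise() {
    while read -r perm cls ttype target; do
        case "$cls" in
            file|dir|lnk_file)
                if [ "$ttype" != "httpd_sys_rw_content_t" ]; then
                    echo "relabel: $target is $ttype, not httpd_sys_rw_content_t; if it lives under $ITOP_ROOT run: restorecon -Rv $ITOP_ROOT"
                fi ;;
            tcp_socket)
                if [ "$ttype" = "mysqld_port_t" ]; then
                    echo "boolean: httpd denied $perm to port $target (MySQL); run: setsebool -P httpd_can_network_connect_db on"
                fi ;;
            *) echo "unhandled: $perm on $cls ($ttype)" ;;
        esac
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | httpd_denials | advise
```

On a real host run it against /var/log/audit/audit.log (reproduce the failing iTop step first so the denial is recorded; if the policy is already permissive the record carries permissive=1 and is still parsed). Denials whose target type is already httpd_sys_rw_content_t are not reported as relabel candidates, since the label is then correct and the cause lies elsewhere.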

Connecting to a remote MySQL server

If you have trouble getting iTop to connect to a remote MySQL server, check the SELinux settings with the following command:

getsebool -a | grep 'httpd'

You should see something like:

allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

If you see the line httpd_can_network_connect_db --> off, this means that the web server is prevented from making any network connection to the MySQL server.

To change this security setting, type the following command (as root):

setsebool -P httpd_can_network_connect_db on
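Reading the boolean list by eye is error-prone on a host with many httpd booleans, so the following added example (not from the iTop documentation) checks `getsebool -a` output against a list of required states and prints the exact `setsebool -P` command for each boolean that is wrong. The sample output is constructed; only httpd_can_network_connect_db, the boolean this page names, is listed as required, and the list format is an assumption you extend for your own deployment.

```shell
#!/bin/sh
# Added example (not from the iTop documentation): check the SELinux booleans
# an iTop host needs against the output of `getsebool -a`, and print the
# `setsebool -P` command for each one that is in the wrong state.
#
# Real use:  getsebool -a | check_bools "$REQUIRED_BOOLS"
# Assumption: only httpd_can_network_connect_db (named on this page) is
# listed as required; extend the list for your deployment.
REQUIRED_BOOLS="httpd_can_network_connect_db=on"

# Constructed sample in the exact `name --> state` format getsebool prints.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on'

# Reads getsebool output on stdin; $1 is a space-separated list of
# name=state pairs. Prints OK, FIX (with the command) or MISSING per name.
check_bools() {
    awk -v req="$1" '
        BEGIN {
            n = split(req, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 == want[$1]) print "OK " $1 " is " $3
            else                print "FIX setsebool -P " $1 " " want[$1]
        }
        END {
            for (b in want) if (!(b in seen)) print "MISSING " b " (boolean not present in this policy)"
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | check_bools "$REQUIRED_BOOLS"
```

The -P flag in the printed command makes the change persistent across reboots; without it the boolean reverts on the next boot. A MISSING line means the policy on that host does not define the boolean at all, which is worth knowing before assuming the network path is open.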

Connecting to iTop from remote

If you can connect to the web server only from the machine itself, but not from a remote system, then check the firewall configuration (firewalld, which manages the iptables/nftables rules on these systems):

firewall-cmd --list-services

The output of the command should be something like:

dhcp-v6-client http mdns ssh

If http is not in the list, then access to the web server will be blocked. To unblock it, launch (as root) the following command:

firewall-cmd --add-service=http
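The command above changes only the running firewall; the rule is lost when firewalld is reloaded or the host reboots unless the same service is also added with --permanent. The script below is an added example, not part of the iTop documentation: it compares `firewall-cmd --list-services` output with the services iTop needs and prints both the runtime and the permanent command for each missing one. The list output is a constructed sample matching the page; the assumption that https is wanted alongside http applies only when iTop is served over TLS.

```shell
#!/bin/sh
# Added example (not from the iTop documentation): verify that the services
# the iTop web front end needs are open in firewalld, and emit the commands
# that open any missing one both at runtime and permanently (a plain
# --add-service is lost on the next firewalld reload or reboot).
#
# Real use:  firewall-cmd --list-services | missing_services "$WANTED" | open_commands
# Assumption: http (named on this page) plus https when iTop is served over TLS.
WANTED="http https"

# Constructed sample matching the page's expected --list-services output.
SAMPLE_SERVICES="dhcp-v6-client http mdns ssh"

# Reads --list-services output on stdin; prints each service in $1 that is absent.
missing_services() {
    listed=" $(tr '\n' ' ') "          # pad with spaces so only whole words match
    for svc in $1; do
        case "$listed" in
            *" $svc "*) ;;              # present, nothing to do
            *) echo "$svc" ;;
        esac
    done
}

# Reads service names on stdin; prints the runtime command followed by the
# permanent one, so the service is open now and after the next reload.
open_commands() {
    while read -r svc; do
        echo "firewall-cmd --add-service=$svc"
        echo "firewall-cmd --permanent --add-service=$svc"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SERVICES" | missing_services "$WANTED" | open_commands
```

Run the printed commands as root, then confirm with `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services` that the service appears in both the runtime and the permanent configuration.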

latest/install/selinux.txt · Last modified: 2024/09/10 10:25 by 127.0.0.1