Configure SELinux
Install the policy tool for SELinux
yum install -y policycoreutils-python
Configure the contexts needed by LibreNMS
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
restorecon -RFvv /opt/librenms/storage/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
restorecon -RFvv /opt/librenms/bootstrap/cache/
setsebool -P httpd_can_sendmail=1
setsebool -P httpd_execmem 1
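To confirm that restorecon applied the labels, the check below parses `ls -Zd` output and compares the SELinux type of each directory. It is an added example, not part of the original procedure; the function names are hypothetical, the sample lines are constructed, and it assumes httpd_sys_rw_content_t (the last type added for each path above) is the intended result.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the intended final type
# for all four directories is httpd_sys_rw_content_t.

# Print the SELinux type from one line of `ls -Zd` output. Finds the
# user:role:type[:level] field wherever it sits, so both the older layout
# (mode owner group context path) and the newer one (context path) work.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[1] ~ /_u$/) { print c[3]; exit }
    }'
}

# Return 0 if the line carries the expected type, else report and return 1.
# An unlabelled path (context shown as "?") is reported as "none".
check_label() {
    expected="$1"
    line="$2"
    actual=$(selinux_type_of "$line")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: wanted $expected, got ${actual:-none}: $line" >&2
    return 1
}

# On the LibreNMS host: check the four directories labelled on this page.
verify_librenms_labels() {
    rc=0
    for d in logs rrd storage bootstrap/cache; do
        check_label httpd_sys_rw_content_t \
            "$(ls -Zd "/opt/librenms/$d" 2>&1)" || rc=1
    done
    return "$rc"
}

# Constructed sample lines (not captured from a real host).
SAMPLE_OK='drwxrwxr-x. librenms librenms unconfined_u:object_r:httpd_sys_rw_content_t:s0 /opt/librenms/logs/'
SAMPLE_BAD='unconfined_u:object_r:usr_t:s0 /opt/librenms/rrd'

case "${1:-}" in
    --host) verify_librenms_labels ;;
    --demo) check_label httpd_sys_rw_content_t "$SAMPLE_OK"
            check_label httpd_sys_rw_content_t "$SAMPLE_BAD" ;;
esac
```

Run it with `--host` on the LibreNMS server after the restorecon commands, or with `--demo` to see a pass and a mismatch on the constructed lines.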
Allow fping
Create the file http_fping.tt with the following contents. You can create this file anywhere, as it is a throw-away file. The last step in this procedure will install the module in the proper location.
vi http_fping.tt
module http_fping 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
Then run these commands:
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp
Allow access through the firewall
Run the following to add the relevant firewall rules:
firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https