Detect SELinux status for both web and web+smtp
Cacti should have warnings when SELinux is on during installation/upgrade to help notify users of the potential issues that it can bring.
This should also be done during the SMTP tests to determine if SMTP can be performed directly from PHP/apache/nginx. When SELinux is enforced and httpd_can_network_connect is not set, then any SMTP attempt will fail. This may give misleading messages when run from command line as the command line may have access where the web does not.
See Stack Overflow for more information on commands that can be utilised to perform the detection. Note: most systems will not have SELinux enabled by default (Ubuntu Server does not, nor did FreeBSD for me).
We should also detect mod_security too. That will bugger things up too. I've seen some Cacti posts on how to avoid the problems, but every plugin may have its own rule set. So, we will have to think about that.
SELinux is a bit of a trickier beast to detect because there's a difference between the system being enabled and having the tools to query it. Normally, you would have both or none but there is a possibility you don't.
I've seen suggestions like using 'getsebool' or 'getenforce' but again, the locations of these can be slightly different if they exist.
Again with mod_security, if we are installed via apache as a module, then all is good and we can probably detect it (as per Detect if mod security is installed with php). If it's installed as PHP-FPM though, we don't have direct access to Apache so I'm not sure that we can detect it.
What happened here @netniV ?
Detecting SELinux and mod_security can be problematic.
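
An added example, not part of the thread or of Cacti's code: one way to sidestep the missing or relocated `getenforce`/`getsebool` tools mentioned above is to read the kernel's selinuxfs directly. The function names and the `SELINUX_FS_CANDIDATES` variable are hypothetical; the sketch assumes selinuxfs is mounted at `/sys/fs/selinux` (or the legacy `/selinux`).

```shell
# Candidate selinuxfs mount points (assumption of this sketch; overridable).
: "${SELINUX_FS_CANDIDATES:=/sys/fs/selinux /selinux}"

# Print the first candidate directory that looks like a mounted selinuxfs.
selinux_fs_root() {
    for dir in $SELINUX_FS_CANDIDATES; do
        if [ -r "$dir/enforce" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Print "enforcing", "permissive", or "disabled" (no selinuxfs visible).
selinux_mode() {
    root=$(selinux_fs_root) || { echo disabled; return 0; }
    case "$(cat "$root/enforce" 2>/dev/null)" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Print "on", "off" or "unknown" for a boolean such as
# httpd_can_network_connect. selinuxfs exposes each boolean as a file
# containing "<current> <pending>".
selinux_boolean() {
    root=$(selinux_fs_root) || { echo unknown; return 0; }
    file="$root/booleans/$1"
    [ -r "$file" ] || { echo unknown; return 0; }
    # The file has no trailing newline, so read returns non-zero at EOF.
    read -r current _pending < "$file" || true
    case "$current" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Warn when SMTP initiated by the web server is expected to be blocked.
smtp_from_web_check() {
    mode=$(selinux_mode)
    bool=$(selinux_boolean httpd_can_network_connect)
    if [ "$mode" = enforcing ] && [ "$bool" != on ]; then
        echo "WARN: SELinux enforcing, httpd_can_network_connect=$bool"
    else
        echo "OK: SELinux $mode, httpd_can_network_connect=$bool"
    fi
}
```

Calling `smtp_from_web_check` prints a single `WARN:` or `OK:` line; an `unknown` boolean under enforcing mode is treated as a warning because the value could not be confirmed.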