zoukankan      html  css  js  c++  java
  • zabbix-agent 在SElinux Enforcing 状态的文件权限问题及解决办法

    因为某种原因必须要开启SElinux,用yum装了一个zabbix-agent 替换了一下配置文件结果悲剧了

    # systemctl restart zabbix-agent 

    ● zabbix-agent.service - Zabbix Agent
    Loaded: loaded (/usr/lib/systemd/system/zabbix-agent.service; enabled; vendor preset: disabled)
    Active: failed (Result: start-limit) since Thu 2019-04-11 10:28:32 UTC; 10s ago
    Process: 5234 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=0/SUCCESS)
    Process: 5216 ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE (code=exited, status=0/SUCCESS)
    Main PID: 5218 (code=exited, status=0/SUCCESS)

    Apr 11 10:28:31 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: Starting Zabbix Agent...
    Apr 11 10:28:31 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: zabbix-agent.service: Supervising process 5218 which is not our child. We'll most likely not notice when it exits.
    Apr 11 10:28:31 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: Started Zabbix Agent.
    Apr 11 10:28:32 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: Stopping Zabbix Agent...
    Apr 11 10:28:32 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: start request repeated too quickly for zabbix-agent.service
    Apr 11 10:28:32 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: Failed to start Zabbix Agent.
    Apr 11 10:28:32 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: Unit zabbix-agent.service entered failed state.
    Apr 11 10:28:32 ip-172-16-210-219.us-west-2.compute.internal systemd[1]: zabbix-agent.service failed.

    第一时间想到是不是selinux的问题

    # getenforce

    Enforcing

    # setenforce 0

    设置成selinux Permissive模式发现就好了

    # tail -f /var/log/messages |grep zabbix

    Apr 11 10:44:23 ip-172-16-210-243 zabbix_agentd: zabbix_agentd [16785]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied
    Apr 11 10:44:23 ip-172-16-210-243 systemd: zabbix-agent.service: control process exited, code=exited status=1
    Apr 11 10:44:23 ip-172-16-210-243 systemd: Unit zabbix-agent.service entered failed state.
    Apr 11 10:44:23 ip-172-16-210-243 systemd: zabbix-agent.service failed.

    可以看到是/etc/zabbix/zabbix_agentd.conf这个文件的问题

    # tail -f /var/log/audit/audit.log |grep zabbix

    type=AVC msg=audit(1554979672.948:2028728): avc: denied { read } for pid=19011 comm="zabbix_agentd" name="zabbix_agentd.conf" dev="nvme0n1p1" ino=4196160 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1554979672.948:2028728): arch=c000003e syscall=2 success=no exit=-13 a0=55e256f55190 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=19011 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=SERVICE_START msg=audit(1554979672.955:2028729): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=zabbix-agent comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

    基本上可以定位问题了zabbix_agentd.conf 跟zabbix_agentd进程的安全上下文不符合所以没权限读取zabbix_agentd.conf文件

    先看一下文件和进程的安全上下文类型

    # ls -Z /etc/zabbix/zabbix_agentd.conf

    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/zabbix/zabbix_agentd.conf

    # semanage fcontext -l |grep zabbix

    /var/log/zabbix.* all files system_u:object_r:zabbix_log_t:s0
    /etc/zabbix/web(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
    /var/lib/zabbix(/.*)? all files system_u:object_r:zabbix_var_lib_t:s0
    /var/run/zabbix(/.*)? all files system_u:object_r:zabbix_var_run_t:s0
    /etc/rc.d/init.d/(zabbix|zabbix-server) regular file system_u:object_r:zabbix_initrc_exec_t:s0
    /var/lib/zabbixsrv(/.*)? all files system_u:object_r:zabbix_var_lib_t:s0
    /usr/lib/zabbix/externalscripts(/.*)? all files system_u:object_r:zabbix_script_exec_t:s0
    /var/lib/zabbix/externalscripts(/.*)? all files system_u:object_r:zabbix_script_exec_t:s0
    /usr/bin/zabbix_server regular file system_u:object_r:zabbix_exec_t:s0
    /usr/bin/zabbix_agentd regular file system_u:object_r:zabbix_agent_exec_t:s0
    /usr/sbin/zabbix_proxy regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_agentd regular file system_u:object_r:zabbix_agent_exec_t:s0
    /usr/sbin/zabbix_server regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_proxy_mysql regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_proxy_pgsql regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_server_mysql regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_server_pgsql regular file system_u:object_r:zabbix_exec_t:s0
    /etc/rc.d/init.d/zabbix-agentd regular file system_u:object_r:zabbix_agent_initrc_exec_t:s0
    /usr/sbin/zabbix_proxy_sqlite3 regular file system_u:object_r:zabbix_exec_t:s0
    /usr/sbin/zabbix_server_sqlite3 regular file system_u:object_r:zabbix_exec_t:s0

    解决方法

    主要是文件的安全上下文类型不符合,用systemd启动的服务会有问题 直接 zabbix-agent -c /etc/zabbix/zabbix_agentd.conf 启动是没问题的

    # chcon -t etc_t /etc/zabbix/zabbix_agentd.conf
    # chcon -u system_u /etc/zabbix/zabbix_agentd.conf # 非必要
    # ls -Z /etc/zabbix/zabbix_agentd.conf 

    -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/zabbix/zabbix_agentd.conf

    或者直接从别的文件拷贝安全上下文设置

    # chcon --reference=/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf /etc/zabbix/zabbix_agentd.conf

    问题二在/etc/zabbix/zabbix_agentd.conf加了一个配置

    UserParameter=lvm.used,sudo -u root lvs |awk '{sum=$5+$6} END {print sum}'

    测试一下

    # zabbix_get -s 172.16.210.219 -k lvm.used

    sh: /usr/bin/sudo: Permission denied

    已经确定有zabbix 用户有sudo权限,那应该还是selinux的问题

    # tail -f /var/log/audit/audit.log |grep zabbix

    type=SYSCALL msg=audit(1554981718.821:2030328): arch=c000003e syscall=59 success=no exit=-13 a0=24abe30 a1=24ac490 a2=24aada0 a3=7ffeca2d9e20 items=0 ppid=40804 pid=40805 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(1554981718.821:2030329): avc: denied { execute } for pid=40805 comm="sh" name="sudo" dev="nvme0n1p1" ino=13122559 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1554981718.821:2030329): arch=c000003e syscall=21 success=no exit=-13 a0=24abe30 a1=1 a2=7ffeca2da8a0 a3=7ffeca2d9e20 items=0 ppid=40804 pid=40805 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

    因为涉及到系统组件这里就不推荐修改文件的安全上下文了

    # semanage permissive -a zabbix_agent_t   #把zabbix进程加入宽松模式
    # semanage permissive -d zabbix_agent_t   #删除
  • 相关阅读:
    [转]ARM QT实现多点触摸
    Accessors are only available when targeting ECMAScript 5 and higher 错误提示
    设置全局变量
    ERROR Error: Cannot find module ‘vueloaderv16/package.json‘
    JVM系列三:JVM参数设置、分析
    HDU 1407 测试你是否和LTC水平一样高
    HDU 1276 士兵队列训练问题
    python类的学习笔记1
    manjaro更新到了20版本fcitx5出问题的解决方法
    图片网站
  • 原文地址:https://www.cnblogs.com/37yan/p/10691661.html
Copyright © 2011-2022 走看看