在 keepalived 中执行 netstat 命令时,有没有办法通过 SELinux 的安全检查?我在 keepalived 的 vrrp_script 中执行 netstat 时收到以下消息。我的目标是监控 udp/2048,在该端口关闭时切换主备角色。
Nov 24 02:36:25 server1 setroubleshoot: SELinux is preventing /usr/bin/netstat from using the getattr access on a process. For complete SELinux messages. run sealert -l 09a907de-253e-4c61-8506-1c247c1daf11
Nov 24 02:36:25 server1 python: SELinux is preventing /usr/bin/netstat from using the getattr access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that netstat should be allowed getattr access on processes labeled tuned_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep netstat /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
我的环境如下。
[root@server230 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.1 (Maipo)
[root@server230 ~]# rpm -qa | grep keepalived
keepalived-1.2.13-8.el7.x86_64
我的 keepalived 配置如下。
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 60
}
# Health check for the service expected to listen on udp/2048.
# NOTE(review): the script is spawned by keepalived, which runs as
# keepalived_t (see the ps -eZ output); /usr/bin/netstat is labeled bin_t,
# so the check presumably runs in keepalived_t as well -- confirm with the
# scontext field of the audit record.
vrrp_script chk_logstash {
# -p asks netstat to map each socket to its owning process, which requires
# reading other processes' /proc entries -- most likely the source of the
# "getattr access on a process" denial quoted above (tuned_t in that log).
# The port check itself does not need -p.
# "grep 2048" matches any line containing the digits 2048 (a PID, a peer
# address, ports such as 12048), not only a local udp/2048 listener, so the
# check can report OK while the monitored port is closed.
# "&>" is bash syntax; whether it is honoured depends on the shell keepalived
# uses to run the script -- TODO confirm on this host.
script "netstat -atunp | grep 2048 &>/dev/null"
interval 2 # every 2 seconds
weight 2 # add 2 points if OK
}
# VRRP instance whose priority is adjusted by chk_logstash via track_script.
vrrp_instance RH_1 {
state MASTER
interface eth0
virtual_router_id 50
priority 10
advert_int 1
virtual_ipaddress {
192.168.11.250/24
}
track_script {
chk_logstash
}
}
netstat 文件和 keepalived 进程的 SELinux 上下文如下。
[root@server230 ~]# ls -lZ /usr/bin/netstat
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/netstat
[root@server230 ~]# ps -eZ | grep keepalived
system_u:system_r:keepalived_t:s0 2913 ? 00:00:00 keepalived
system_u:system_r:keepalived_t:s0 2914 ? 00:00:00 keepalived
system_u:system_r:keepalived_t:s0 2915 ? 00:00:00 keepalived
system_u:system_r:keepalived_t:s0 4609 ? 00:00:00 keepalived