I have a similar question to: Zabbix server SELinux policy
But with one difference: I have a Zabbix server running on RHEL 6, and when I enable selinux I get this error:
Error connecting to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)
Then I found some error messages in /var/log/message:
Jun 1 00:19:02 ns1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the sock_file mysql.sock. For complete SELinux messages. run sealert -l 65dd779a-a01b-42de-9aaf-65795758aba1
and
Jun 1 00:04:52 ns1 setroubleshoot: SELinux is preventing /usr/sbin/zabbix_server_mysql from search access on the directory /var/lib/mysql. For complete SELinux messages. run sealert -l bdfa536a-e059-4598-8284-4d40c218078f
Then I followed the suggestion:
[root@ns1 ~]# sealert -l 65dd779a-a01b-42de-9aaf-65795758aba1
SELinux is preventing /usr/sbin/httpd from write access on the sock_file mysql.sock.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that httpd should be allowed write access on the mysql.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:zabbix_exec_t:s0
Target Objects mysql.sock [ sock_file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
......
Then I executed the commands:
grep httpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
After that, problem 1 was solved, but it said the Zabbix server was not running, so I followed the suggestion below to solve problem 2:
[root@ns1 ~]# sealert -l bdfa536a-e059-4598-8284-4d40c218078f
SELinux is preventing /usr/sbin/zabbix_server_mysql from search access on the directory /var/lib/mysql.
......
You can generate a local policy module to allow this access. Allow this access for now by executing:
grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
......
[root@ns1 ~]# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
[root@ns1 ~]# semodule -i mypol.pp
After I executed the commands to solve problem 2, problem 1 reappeared. Please tell me what to do; I don't want to disable selinux. Thanks a lot. By the way, I have already set httpd_can_network_connect = 1
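As an added illustration (not code from the question or the answer), this script does in Python what `audit2allow -M` does for the two denials above, but collects the AVC records of both `httpd` and `zabbix_server_mysql` into one policy source: installing a second module under the same name `mypol` replaces the first, which is why the httpd rules from problem 1 disappeared. The AVC lines and the type names `zabbix_t` and `mysqld_db_t` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed AVC records shaped after the sealert output in the question; not a real audit.log.
# The domain/type names zabbix_t and mysqld_db_t are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1401553142.123:456): avc:  denied  { write } for  pid=2345 comm="httpd" name="mysql.sock" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_exec_t:s0 tclass=sock_file
type=AVC msg=audit(1401552292.456:789): avc:  denied  { search } for  pid=3456 comm="zabbix_server_mysql" name="mysql" dev=dm-0 ino=5678 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1401552292.457:790): avc:  denied  { write } for  pid=3456 comm="zabbix_server_mysql" name="mysql.sock" dev=dm-0 ino=1234 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_exec_t:s0 tclass=sock_file
"""

# Pull the permission set, the process name, the source/target *types* and the object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)'
    r'.*?tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)'
    r'.*?tclass=(?P<tclass>\S+)')

def parse_denials(log_text, comms):
    """Collect {(source_type, target_type, class): {perms}} for denials whose comm is in comms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("comm") in comms:
            key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
            rules[key].update(m.group("perms").split())
    return dict(rules)

def _fmt(perms):
    # Policy syntax: a single permission is bare, several are braced.
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(module_name, rules):
    """Render one .te policy source that covers every collected rule (what audit2allow -M writes)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt(sorted(p))};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # One module for both daemons; feeding only one daemon's denials to `-M mypol` twice loses the first set.
    print(render_te("mypol", parse_denials(SAMPLE_AUDIT_LOG, {"httpd", "zabbix_server_mysql"})))
```

The printed source is what `checkmodule`/`semodule_package` would build into `mypol.pp`; the same effect is had by piping one `grep -E 'denied.*(httpd|zabbix_server)'` of the audit log into `audit2allow -M mypol` instead of two separate greps.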
Answer 1
I know this is old, but I ran into the same problem when installing Zabbix 5.
After running
# dnf -y install policycoreutils-python-utils
# grep "denied.*zabbix" /var/log/audit/audit.log | audit2allow -M zabbix_policy
# semodule -i zabbix_policy.pp
grep "denied.*php-fpm" /var/log/audit/audit.log | audit2allow -M php-fpm_policy
semodule -i php-fpm_policy.pp
these commands, together with
setsebool -P httpd_can_connect_zabbix 1
setsebool -P zabbix_can_network 1
setenforce 1 && sed -i 's/^SELINUX=.*/SELINUX=enforcing/g' /etc/selinux/config
allowed me to fully use Zabbix with SELinux enabled.