Zabbix "Permission denied" caused by SELinux being enabled

1、Monitoring script

  [root@docker tmp]# ll /etc/zabbix/alertscripts/tcp_status.sh
  -rwxr-xr-x. 1 root root 1033 Jul 18 11:08 /etc/zabbix/alertscripts/tcp_status.sh
  [root@docker tmp]# cat /etc/zabbix/alertscripts/tcp_status.sh
  #!/bin/bash
  ############################################################
  # $Name: zabbix_tcp_plugins.sh
  # $Version: v1.0
  # $Function: zabbix plugins
  # $Author: Chuck.Ma
  # $organization: www.52devops.com
  # $Create Date: 2016-07-06
  # $Description: Monitor Linux Service TCP Status
  ############################################################
  # Count sockets per TCP state and print the count for the requested state.
  tcp_status_fun(){
      TCP_STAT=$1
      #netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key,state[key]}' > /tmp/netstat.tmp
      # Column 1 of "ss -ant" is the socket state; skip the header line and tally each state.
      ss -ant | awk 'NR>1 {++s[$1]} END {for(k in s) print k,s[k]}' > /tmp/netstat.tmp
      TCP_STAT_VALUE=$(grep "$TCP_STAT" /tmp/netstat.tmp | cut -d ' ' -f2)
      # A state with no sockets has no line in the file; report 0 instead of an empty value.
      # The variable is quoted so an empty or multi-word result cannot break the test.
      if [ -z "$TCP_STAT_VALUE" ];then
          TCP_STAT_VALUE=0
      fi
      echo "$TCP_STAT_VALUE"
  }
  main(){
      case $1 in
          tcp_status)
              tcp_status_fun "$2";
              ;;
          *)
              echo "Usage: $0 {tcp_status key}"
      esac
  }
  main "$1" "$2"

2、Permission status

  • Files and directories under /tmp
  [root@docker tmp]# ll /tmp/
  total 2824
  -rw-r--r--. 1 root root 2637998 Jul 18 12:29 iostat_output
  -rwx------. 1 root root 827 Jul 15 15:47 ks-script-KYtqdU
  -rw-r--r--. 1 zabbix zabbix 30 Jul 18 12:26 netstat.tmp
  -rw-------. 1 root root 0 Jul 15 15:42 yum.log
  • zabbix_get error
  [root@zq-salt-zabbix tmp]# zabbix_get -s 10.4.13.3 -k linux_status[tcp_status,SYN-RECV]
  /etc/zabbix/alertscripts/tcp_status.sh: line 14: /tmp/netstat.tmp: Permission denied
  grep: /tmp/netstat.tmp: Permission denied
  0
  • strace shows the following
  shell>> strace zabbix_get -s 127.0.0.1 -k linux_status[tcp_status,SYN-RECV]
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f941ff000
  write(1, "/etc/zabbix/alertscripts/tcp_sta"..., 85/etc/zabbix/alertscripts/tcp_status.sh: line 14: /tmp/netstat.tmp: Permission denied
  ) = 85
  write(1, "grep: /tmp/netstat.tmp: Permissi"..., 42grep: /tmp/netstat.tmp: Permission denied
  ) = 42

3、Finding the problem

Given the above, there was nothing wrong with the file permissions at all: grepping the file as the zabbix user worked, yet a local zabbix_get reproduced the error, so the Zabbix application itself was suspected. The same setup was deployed on two machines, however, and only 10.4.13.3 misbehaved, so the two environments were compared, and it turned out that SELinux was enabled on the problem machine, as shown below.

  [root@docker ~]# sestatus
  SELinux status: enabled
  SELinuxfs mount: /sys/fs/selinux
  SELinux root directory: /etc/selinux
  Loaded policy name: targeted
  Current mode: enforcing
  Mode from config file: enforcing
  Policy MLS status: enabled
  Policy deny_unknown status: allowed
  Max kernel policy version: 28
  [root@docker ~]# cat /etc/selinux/config
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  # enforcing - SELinux security policy is enforced.
  # permissive - SELinux prints warnings instead of enforcing.
  # disabled - No SELinux policy is loaded.
  SELINUX=enforcing
  # SELINUXTYPE= can take one of three two values:
  # targeted - Targeted processes are protected,
  # minimum - Modification of targeted policy. Only selected processes are protected.
  # mls - Multi Level Security protection.
  SELINUXTYPE=targeted
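Comparing two hosts only shows that SELinux differs between them; the direct evidence is the AVC denial record that SELinux writes to /var/log/audit/audit.log when it blocks the write to /tmp/netstat.tmp. The script below is an added example, not code from the original post: it summarises AVC records into the (permission, command, source domain, target type, class) tuple that any policy fix has to address. The audit lines are constructed for illustration, and the domain and file types in them (zabbix_agent_t, user_tmp_t) are assumptions, not something the post reports.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials
# so the cause of "Permission denied" is confirmed before choosing a fix.
# The audit records below are constructed; zabbix_agent_t / user_tmp_t are
# assumed labels for illustration only.

SAMPLE_AUDIT='type=AVC msg=audit(1468816001.111:301): avc:  denied  { write } for  pid=2231 comm="tcp_status.sh" name="netstat.tmp" dev="dm-0" ino=1048 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1468816001.111:301): arch=c000003e syscall=2 success=no exit=-13 comm="tcp_status.sh"
type=AVC msg=audit(1468816001.115:302): avc:  denied  { read } for  pid=2232 comm="grep" name="netstat.tmp" dev="dm-0" ino=1048 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   PERMS COMM SOURCE_DOMAIN TARGET_TYPE CLASS
# Several permissions in one record are joined with "+". SYSCALL and other
# record types are ignored.
avc_summary() {
    awk '/avc:  denied/ {
        # the denied permissions sit between "{" and "}"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ /, "+", perms)
        comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }             # strip "tclass="
        }
        print perms, comm, src, tgt, cls
    }'
}

# avc_by_context: count denials per (source domain, target type, class).
# One tuple with many hits means one label or policy problem, not many.
avc_by_context() {
    avc_summary | awk '{ print $3, $4, $5 }' | sort | uniq -c
}

# Wrappers that run both functions over the constructed sample.
avc_summary_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}
avc_by_context_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_by_context
}

avc_summary_sample
avc_by_context_sample
```

On a real host the same functions take `ausearch -m avc -ts recent` output or the raw audit.log on stdin. When every denial collapses to a single tuple such as (zabbix_agent_t, user_tmp_t, file), the problem is the label on the temporary file or on the directory it is created in; relabeling it, writing the scratch file to a path the agent domain is allowed to use, or building a local module with audit2allow from exactly these records keeps SELinux enforcing for every other service on the box, which disabling it host-wide does not.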

4、Solution

Switch SELinux off for the running system (setenforce 0 puts it in permissive mode) and edit the config file so that SELinux is disabled from the next boot onwards.

  [root@docker ~]# setenforce 0
  [root@docker ~]# sestatus
  SELinux status: enabled
  SELinuxfs mount: /sys/fs/selinux
  SELinux root directory: /etc/selinux
  Loaded policy name: targeted
  Current mode: permissive
  Mode from config file: enforcing
  Policy MLS status: enabled
  Policy deny_unknown status: allowed
  Max kernel policy version: 28
  [root@docker ~]# vim /etc/selinux/config
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  # enforcing - SELinux security policy is enforced.
  # permissive - SELinux prints warnings instead of enforcing.
  # disabled - No SELinux policy is loaded.
  SELINUX=disabled
  # SELINUXTYPE= can take one of three two values:
  # targeted - Targeted processes are protected,
  # minimum - Modification of targeted policy. Only selected processes are protected.
  # mls - Multi Level Security protection.
  SELINUXTYPE=targeted