Fixing "cannot set resource limit: [13] Permission denied" and "cannot disable core dump, exiting..." when starting the Zabbix service

After installing Zabbix, starting the service fails with the following error:

4546:20170322:172341.835 Starting Zabbix Server. Zabbix 3.2.4 (revision 65975).
4546:20170322:172341.836 ****** Enabled features ******
4546:20170322:172341.836 SNMP monitoring:           YES
4546:20170322:172341.836 IPMI monitoring:           YES
4546:20170322:172341.836 Web monitoring:            YES
4546:20170322:172341.836 VMware monitoring:         YES
4546:20170322:172341.836 SMTP authentication:        NO
4546:20170322:172341.836 Jabber notifications:      YES
4546:20170322:172341.836 Ez Texting notifications:  YES
4546:20170322:172341.836 ODBC:                      YES
4546:20170322:172341.836 SSH2 support:              YES
4546:20170322:172341.836 IPv6 support:              YES
4546:20170322:172341.836 TLS support:               YES
4546:20170322:172341.836 ******************************
4546:20170322:172341.836 using configuration file: /etc/zabbix/zabbix_server.conf
4546:20170322:172341.837 cannot set resource limit: [13] Permission denied
4546:20170322:172341.837 cannot disable core dump, exiting...

The SELinux log shows the following error:

type=AVC msg=audit(1490193042.90:426): avc:  denied  { setrlimit } for  pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process

type=SYSCALL msg=audit(1490193042.90:426): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7fffa011e310 a2=0 a3=8 items=0 ppid=1 pid=5781 auid=0 uid=495 gid=201 euid=495 suid=495 fsuid=495 egid=201 sgid=201 fsgid=201 ses=46 tty=(none) comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=unconfined_u:system_r:zabbix_t:s0 key=(null)

If SELinux is turned off at this point, Zabbix starts normally:

setenforce 0

To keep the system secure, we do not want to turn SELinux off. Proceed as follows instead.

1. Analyze the audit log. First install the setroubleshoot analysis component:

yum install setroubleshoot

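By default, SELinux writes its log through the Linux audit system (auditd) to /var/log/audit/audit.log, and this service is enabled by default. If auditd is not running, the messages are written to /var/log/messages instead. SELinux log entries are all tagged with the keyword AVC, which makes them easy to filter out from other messages.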

2. Generate a readable report

sealert -a /var/log/audit/audit.log > /opt/audit_report

3. Open and read the report

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/zabbix_server_mysql from using the setrlimit access on a process.

*****  插件 catchall (100. 置信度) 建议  ********************************************

If 您确定应默认允许 zabbix_server_mysql setrlimit 标记为 zabbix_t 的进程。
Then 您应该将这个情况作为 bug 报告。
您可以生成本地策略模块允许这个访问。
Do
请执行以下命令此时允许这个访问:
# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


更多信息:
源上下文                          unconfined_u:system_r:zabbix_t:s0
目标上下文                         unconfined_u:system_r:zabbix_t:s0
目标对象                           [ process ]
源                             zabbix_server
源路径                           /usr/sbin/zabbix_server_mysql
端口                            <未知>
主机                            <未知>
源 RPM 软件包                     zabbix-server-mysql-3.2.4-1.el6.x86_64
目标 RPM 软件包                    
策略 RPM                        selinux-policy-3.7.19-231.el6.noarch
Selinux 已经激活                  True
策略类型                          targeted
强制模式                          Enforcing
主机名                           DXFU
平台                            Linux DXFU 3.10.5-3.el6.x86_64 #1 SMP Tue Aug 20
                              14:10:49 UTC 2013 x86_64 x86_64
警报计数                          7
第一个                           2017年03月22日 星期三 17时23分41秒
最后一个                          2017年03月22日 星期三 22时30分42秒
本地 ID                         e92b8541-d792-4dd7-bae2-5307467bf13c

原始核查信息
type=AVC msg=audit(1490193042.90:426): avc:  denied  { setrlimit } for  pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process

type=SYSCALL msg=audit(1490193042.90:426): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7fffa011e310 a2=0 a3=8 items=0 ppid=1 pid=5781 auid=0 uid=495 gid=201 euid=495 suid=495 fsuid=495 egid=201 sgid=201 fsgid=201 ses=46 tty=(none) comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=unconfined_u:system_r:zabbix_t:s0 key=(null)
Hash: zabbix_server,zabbix_t,zabbix_t,process,setrlimit

audit2allow

#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;

audit2allow -R

#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;

4. Follow the recommendation in the report

# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

5. Start the zabbix service to test

service zabbix-server start

6. Check that the service has started normally.

zabbix_server (pid  6048) 正在运行...
#tail -f /var/log/zabbix/zabbix_server.log
 6048:20170322:224559.790 using configuration file: /etc/zabbix/zabbix_server.conf
  6048:20170322:224559.800 current database version (mandatory/optional): 03020000/03020000
  6048:20170322:224559.800 required mandatory version: 03020000
  6048:20170322:224559.822 server #0 started [main process]
  6050:20170322:224559.823 server #1 started [configuration syncer #1]
  6051:20170322:224559.824 server #2 started [db watchdog #1]
  6052:20170322:224559.825 server #3 started [poller #1]
  6053:20170322:224559.825 server #4 started [poller #2]
  6054:20170322:224559.826 server #5 started [poller #3]
  6055:20170322:224559.827 server #6 started [poller #4]
  6056:20170322:224559.828 server #7 started [poller #5]
  6057:20170322:224559.829 server #8 started [unreachable poller #1]
  6058:20170322:224559.829 server #9 started [trapper #1]
  6059:20170322:224559.830 server #10 started [trapper #2]
  6060:20170322:224559.831 server #11 started [trapper #3]
  6062:20170322:224559.836 server #13 started [trapper #5]
  6063:20170322:224559.838 server #14 started [icmp pinger #1]
  6071:20170322:224559.839 server #20 started [history syncer #1]
  6061:20170322:224559.839 server #12 started [trapper #4]
  6064:20170322:224559.840 server #15 started [alerter #1]
  6065:20170322:224559.842 server #16 started [housekeeper #1]
  6067:20170322:224559.843 server #18 started [http poller #1]
  6069:20170322:224559.843 server #19 started [discoverer #1]
  6073:20170322:224559.845 server #21 started [history syncer #2]
  6079:20170322:224559.846 server #25 started [proxy poller #1]
  6074:20170322:224559.846 server #22 started [history syncer #3]
  6066:20170322:224559.847 server #17 started [timer #1]
  6080:20170322:224559.848 server #26 started [self-monitoring #1]
  6075:20170322:224559.848 server #23 started [history syncer #4]
  6077:20170322:224559.849 server #24 started [escalator #1]
  6082:20170322:224559.853 server #27 started [task manager #1]
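
The grep zabbix_server ... | audit2allow -M mypol command in step 4 turns every matching denial in the audit log into an allow rule, not only the setrlimit one. The following is an added example, not part of the original post: a small parser that lists the rules implied by a command's AVC denials so they can be reviewed before the module is installed. The function names avc_rules, unexpected_rules and sample_log are hypothetical, and the second and third sample log lines are constructed for illustration; it filters on the comm= field rather than on a plain grep match.

```shell
#!/bin/sh
# Added example: list the allow rules implied by AVC denials for one command,
# to review the scope before audit2allow -M builds a policy module from them.

# avc_rules COMM   (audit log on stdin)
# Prints one "allow <source> <target>:<class> <perm>;" line per distinct denial.
avc_rules() {
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        comm = ""; st = ""; tt = ""; cls = ""
        perms = $0                       # permissions sit between the braces
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (comm != want) next
        if (tt == st) tt = "self"        # same notation as the audit2allow output
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " st " " tt ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# unexpected_rules COMM EXPECTED_RULE   (audit log on stdin)
# Prints every implied rule other than the expected one; empty output means
# the module would grant exactly what was intended.
unexpected_rules() {
    avc_rules "$1" | grep -Fxv -- "$2" || true
}

# Sample input: line 1 is the denial from this post, lines 2-3 are constructed.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1490193042.90:426): avc:  denied  { setrlimit } for  pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1490193100.10:430): avc:  denied  { name_connect } for  pid=5790 comm="zabbix_server" dest=8080 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1490193200.20:431): avc:  denied  { getattr } for  pid=6001 comm="httpd" path="/srv/www/index.html" dev=sda1 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

# Demo: anything printed here would be granted in addition to setrlimit.
sample_log | unexpected_rules zabbix_server 'allow zabbix_t self:process setrlimit;'
```

On a real host, feed /var/log/audit/audit.log to avc_rules instead of sample_log, and compare the result with the mypol.te file that audit2allow -M writes next to mypol.pp.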

 

Reposted from: https://my.oschina.net/u/209161/blog/865056
