After installing Zabbix, starting the service reports the following error:
4546:20170322:172341.835 Starting Zabbix Server. Zabbix 3.2.4 (revision 65975).
4546:20170322:172341.836 ****** Enabled features ******
4546:20170322:172341.836 SNMP monitoring: YES
4546:20170322:172341.836 IPMI monitoring: YES
4546:20170322:172341.836 Web monitoring: YES
4546:20170322:172341.836 VMware monitoring: YES
4546:20170322:172341.836 SMTP authentication: NO
4546:20170322:172341.836 Jabber notifications: YES
4546:20170322:172341.836 Ez Texting notifications: YES
4546:20170322:172341.836 ODBC: YES
4546:20170322:172341.836 SSH2 support: YES
4546:20170322:172341.836 IPv6 support: YES
4546:20170322:172341.836 TLS support: YES
4546:20170322:172341.836 ******************************
4546:20170322:172341.836 using configuration file: /etc/zabbix/zabbix_server.conf
4546:20170322:172341.837 cannot set resource limit: [13] Permission denied
4546:20170322:172341.837 cannot disable core dump, exiting...
Looking at the SELinux log, the error is as follows:
type=AVC msg=audit(1490193042.90:426): avc: denied { setrlimit } for pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process
type=SYSCALL msg=audit(1490193042.90:426): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7fffa011e310 a2=0 a3=8 items=0 ppid=1 pid=5781 auid=0 uid=495 gid=201 euid=495 suid=495 fsuid=495 egid=201 sgid=201 fsgid=201 ses=46 tty=(none) comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=unconfined_u:system_r:zabbix_t:s0 key=(null)
If SELinux is switched off at this point, Zabbix starts normally:
setenforce 0
To keep the system secure, SELinux should not be disabled. Instead, proceed as follows.
1. Analyze the audit log. First install the setroubleshoot analysis component:
yum install setroubleshoot
By default SELinux writes its log to /var/log/audit/audit.log through the Linux audit system (auditd), and that service is enabled by default. If auditd is not running, the messages are written to /var/log/messages instead. Every SELinux log entry is tagged with the keyword AVC, which makes these entries easy to filter out from other messages.
2. Generate a readable report
sealert -a /var/log/audit/audit.log > /opt/audit_report
3. Open and read the report
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/zabbix_server_mysql from using the setrlimit access on a process.
***** 插件 catchall (100. 置信度) 建议 ********************************************
If 您确定应默认允许 zabbix_server_mysql setrlimit 标记为 zabbix_t 的进程。
Then 您应该将这个情况作为 bug 报告。
您可以生成本地策略模块允许这个访问。
Do
请执行以下命令此时允许这个访问:
# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
更多信息:
源上下文 unconfined_u:system_r:zabbix_t:s0
目标上下文 unconfined_u:system_r:zabbix_t:s0
目标对象 [ process ]
源 zabbix_server
源路径 /usr/sbin/zabbix_server_mysql
端口 <未知>
主机 <未知>
源 RPM 软件包 zabbix-server-mysql-3.2.4-1.el6.x86_64
目标 RPM 软件包
策略 RPM selinux-policy-3.7.19-231.el6.noarch
Selinux 已经激活 True
策略类型 targeted
强制模式 Enforcing
主机名 DXFU
平台 Linux DXFU 3.10.5-3.el6.x86_64 #1 SMP Tue Aug 20
14:10:49 UTC 2013 x86_64 x86_64
警报计数 7
第一个 2017年03月22日 星期三 17时23分41秒
最后一个 2017年03月22日 星期三 22时30分42秒
本地 ID e92b8541-d792-4dd7-bae2-5307467bf13c
原始核查信息
type=AVC msg=audit(1490193042.90:426): avc: denied { setrlimit } for pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process
type=SYSCALL msg=audit(1490193042.90:426): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7fffa011e310 a2=0 a3=8 items=0 ppid=1 pid=5781 auid=0 uid=495 gid=201 euid=495 suid=495 fsuid=495 egid=201 sgid=201 fsgid=201 ses=46 tty=(none) comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=unconfined_u:system_r:zabbix_t:s0 key=(null)
Hash: zabbix_server,zabbix_t,zabbix_t,process,setrlimit
audit2allow
#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;
audit2allow -R
#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;
4. Apply the report's suggestion
# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
5. Start the Zabbix service to test
service zabbix-server start
6. Check that the service has started normally.
zabbix_server (pid 6048) 正在运行...
#tail -f /var/log/zabbix/zabbix_server.log
6048:20170322:224559.790 using configuration file: /etc/zabbix/zabbix_server.conf
6048:20170322:224559.800 current database version (mandatory/optional): 03020000/03020000
6048:20170322:224559.800 required mandatory version: 03020000
6048:20170322:224559.822 server #0 started [main process]
6050:20170322:224559.823 server #1 started [configuration syncer #1]
6051:20170322:224559.824 server #2 started [db watchdog #1]
6052:20170322:224559.825 server #3 started [poller #1]
6053:20170322:224559.825 server #4 started [poller #2]
6054:20170322:224559.826 server #5 started [poller #3]
6055:20170322:224559.827 server #6 started [poller #4]
6056:20170322:224559.828 server #7 started [poller #5]
6057:20170322:224559.829 server #8 started [unreachable poller #1]
6058:20170322:224559.829 server #9 started [trapper #1]
6059:20170322:224559.830 server #10 started [trapper #2]
6060:20170322:224559.831 server #11 started [trapper #3]
6062:20170322:224559.836 server #13 started [trapper #5]
6063:20170322:224559.838 server #14 started [icmp pinger #1]
6071:20170322:224559.839 server #20 started [history syncer #1]
6061:20170322:224559.839 server #12 started [trapper #4]
6064:20170322:224559.840 server #15 started [alerter #1]
6065:20170322:224559.842 server #16 started [housekeeper #1]
6067:20170322:224559.843 server #18 started [http poller #1]
6069:20170322:224559.843 server #19 started [discoverer #1]
6073:20170322:224559.845 server #21 started [history syncer #2]
6079:20170322:224559.846 server #25 started [proxy poller #1]
6074:20170322:224559.846 server #22 started [history syncer #3]
6066:20170322:224559.847 server #17 started [timer #1]
6080:20170322:224559.848 server #26 started [self-monitoring #1]
6075:20170322:224559.848 server #23 started [history syncer #4]
6077:20170322:224559.849 server #24 started [escalator #1]
6082:20170322:224559.853 server #27 started [task manager #1]
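One caveat on step 4: "grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol" bundles every denial ever logged for zabbix_server into the module, not only the setrlimit one, so the generated rules deserve a look before semodule -i installs them. The shell block below is an added example, not code from the original post or from the setroubleshoot/audit2allow projects: it reproduces audit2allow's rule generation over AVC lines and compares the result with a reviewed allow-list. The two extra AVC lines (an etc_t file target), the file name hypothetical.conf and the /tmp paths are constructed assumptions; only the setrlimit line comes from the post.

```sh
# Constructed sample: the setrlimit AVC from the post plus two hypothetical
# extra denials on an etc_t file that the same grep would also sweep in.
SAMPLE_AVC='type=AVC msg=audit(1490193042.90:426): avc: denied { setrlimit } for pid=5781 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1490193042.91:427): avc: denied { write } for pid=5782 comm="zabbix_server" name="hypothetical.conf" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1490193042.92:428): avc: denied { read open } for pid=5782 comm="zabbix_server" name="hypothetical.conf" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin and print one de-duplicated rule per
# (source type, target type, class), in the form audit2allow prints them.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0;   sub(/.*scontext=/, "", src);      sub(/ .*/, "", src)
      tgt = $0;   sub(/.*tcontext=/, "", tgt);      sub(/ .*/, "", tgt)
      cls = $0;   sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
      split(src, s, ":"); split(tgt, t, ":")        # user:role:type:level
      key = s[3] " " (t[3] == s[3] ? "self" : t[3]) ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (!seen[key, p[i]]++) rules[key] = rules[key] " " p[i]
    }
    END {
      for (k in rules) {
        np = split(rules[k], p, " ")
        if (np == 1) body = rules[k]; else body = " {" rules[k] " }"
        printf "allow %s%s;\n", k, body
      }
    }' | sort
}

# unexpected_rules: print every generated rule (stdin) that is not in the
# reviewed allow-list file $1 (one rule per line); no output means safe to build.
unexpected_rules() {
  grep -v -x -F -f "$1" || [ $? -eq 1 ]   # grep exit 1 = nothing unexpected
}

# Usage: generate the rules, review the surplus, and only then run audit2allow -M.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow > /tmp/zbx_rules.txt
printf 'allow zabbix_t self:process setrlimit;\n' > /tmp/zbx_expected.txt
unexpected_rules /tmp/zbx_expected.txt < /tmp/zbx_rules.txt
```

With the constructed sample the last command prints the etc_t file rule, which the setrlimit fix does not need and which should be dropped before building the module.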