Comments (9)
Thanks for posting this issue. I agree the policy should probably be included with the Zabbix agent, not this module. I'll have a play around with it and maybe raise a request with Zabbix SIA. I'll also see if I can work around it within my own packages.
I've never tested with selinux enabled (oops) and so there are probably also issues allowing the agent to connect to a database (though it should be able to connect to the network).
from libzbxpgsql.
I ran it last weekend with zabbix_agent_t as permissive, the only restrictions that were met are:

```
allow zabbix_agent_t modules_object_t:file { execute open };
allow zabbix_agent_t postgresql_var_run_t:sock_file write;
```
Also I enabled the discovery rules for tables and indexes but these do not discover for now...
from libzbxpgsql.
I observed the same in trying to replicate the issue.
Unfortunately the zabbix_agent_t context is actually deployed as part of the selinux-policy-targeted package (the CentOS default targeted policy) and is not managed by Zabbix SIA. I'm doing some research into how to raise an issue with the right people to get this addressed.
from libzbxpgsql.
I couldn't find the package maintainers for selinux-policy-targeted so I've escalated to Zabbix in ZBX-10610.
from libzbxpgsql.
@robbrucks suggested the following via email:
```
module zabbix_agent_pg 1.0;

require {
	type postgresql_var_run_t;
	type zabbix_agent_t;
	class sock_file write;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t postgresql_var_run_t:sock_file write;
```
from libzbxpgsql.
The above policy module I sent you is to allow the libzbxpgsql module to use the postgres socket (host=/tmp) instead of TCP stack (host=localhost). I don't think this is the solution to the problem stated above by @lvg01. I'll try to recreate the original problem he's having.
from libzbxpgsql.
@lvg01 : what versions of OS, Zabbix agent, libzbxpgsql, and PG are you installing?
I get a totally different SE Linux issue on CentOS 7.3, Zabbix 3.2 with libzbxpgsql 1.1 and PG 9.2:
```
SELinux is preventing /usr/sbin/zabbix_agentd from using the setrlimit access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that zabbix_agentd should be allowed setrlimit access on processes labeled zabbix_agent_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -i my-zabbixagentd.pp

Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:system_r:zabbix_agent_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_agentd
Source Path                   /usr/sbin/zabbix_agentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           zabbix-agent-3.2.3-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     iscsi.robbrucks.com
Platform                      Linux iscsi.robbrucks.com
                              3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18
                              13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   8
First Seen                    2017-02-20 15:09:50 CST
Last Seen                     2017-02-20 15:11:02 CST
Local ID                      efb1c345-c86f-4c2c-bdde-8350f5610bc5

Raw Audit Messages
type=AVC msg=audit(1487625062.33:1164): avc: denied { setrlimit } for pid=3074 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process

type=SYSCALL msg=audit(1487625062.33:1164): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7ffd09e50da0 a2=0 a3=7ffd09e50b20 items=0 ppid=1 pid=3074 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

Hash: zabbix_agentd,zabbix_agent_t,zabbix_agent_t,process,setrlimit
```
================================================================
It generates the following policy file for me:
```
module my-zabbixagentd 1.0;

require {
	type zabbix_agent_t;
	class process setrlimit;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;
```
--Rob
from libzbxpgsql.
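How an AVC record like the one in the comment above maps to `allow` rules, as an added example that is not part of the thread or of any participant's code: it parses denials and renders a module that grants only the permissions that were actually denied. The module name `zabbix_agent_local` and the second audit record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the AVC line quoted in the comment above. Record 2 is constructed
# for illustration (timestamp, pid and socket name are made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1487625062.33:1164): avc: denied { setrlimit } for pid=3074 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
type=AVC msg=audit(1487625100.10:1170): avc: denied { write } for pid=3080 comm="zabbix_agentd" name=".s.PGSQL.5432" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)")

def selinux_type(context):
    """user:role:type:level -> type (third field of the context)."""
    return context.split(":")[2]

def parse_denials(text):
    """Return {(source_type, target_type, class): {permission, ...}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no permission set
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def fmt(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_module(name, rules):
    """Render a .te module granting exactly the denied permissions."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        target = "self" if src == tgt else tgt  # same domain is written as self
        out.append(f"allow {src} {target}:{cls} {fmt(rules[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("zabbix_agent_local", parse_denials(SAMPLE_AUDIT)))
```

Read each rendered rule before loading it: every `allow` line widens what the confined `zabbix_agent_t` domain may do, so keep only the ones the agent genuinely needs.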
@robbrucks I'm working on the socket. The local zabbix-agent has the libzbxpgsql.so module loaded.
Therefore the first suggestion seems the one that is useful for me.
For the second option, I didn't test that, with the socket the setrlimit doesn't show up.
Current versions are CentOS 7.3, Zabbix 3.0, PostgreSQL 9.4, libzbxpgsql 1.1.0-1
from libzbxpgsql.
OK, yeah, if you're hitting the socket problem then what I originally sent to @cavaliercoder should do the trick. I had to use it too since I prefer socket connections. It just looked like the original problem you posted was an SE linux error executing the module. Best of luck!
from libzbxpgsql.