Im using zabbix for monitoring ScientificLinux 7 hosts. I'm trying to make microseconds-grade latency test, so I want to parse ping's output.
With selinux enabled zabbix agent cannot use default /usr/bin/ping.
First of all I changed suid of binary.
Second, I iteratively checked audit.log and created selinux modules for all agent-related errors:
Now there is no single error in audit.log but when I try to execute this key I got "ZBX_NOTSUPPORTED" error on server and "command output exceeded limit of 512 KB" on agent:
I can disable selinux for entire zabbix_agent_t domain, of course, but I want to know what's going on with zabbix, ping and selinux.
software versions:
Zabbix Agent (daemon) v2.4.6 (revision 54796) (10 August 2015)
Linux 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Aug 5 14:37:37 CDT 2015 x86_64 x86_64 x86_64 GNU/Linux
With selinux enabled zabbix agent cannot use default /usr/bin/ping.
First of all I changed suid of binary.
Second, I iteratively checked audit.log and created selinux modules for all agent-related errors:
Code:
allow zabbix_agent_t ping_exec_t:file execute;
allow zabbix_agent_t ping_exec_t:file execute_no_trans;
allow zabbix_agent_t self:process setcap;
allow zabbix_agent_t self:rawip_socket create;
allow zabbix_agent_t self:capability net_raw;
allow zabbix_agent_t self:rawip_socket { getopt setopt };
Code:
5578:20151008:195909.748 In zbx_popen() command:'ping -c 1 localhost | grep rtt | awk '{print $4}' | cut -d '/' -f 1'
5578:20151008:195909.748 End of zbx_popen():7
6125:20151008:195909.748 zbx_popen(): executing script
5578:20151008:195909.775 In zbx_waitpid()
5578:20151008:195909.776 zbx_waitpid() exited, status:0
5578:20151008:195909.776 End of zbx_waitpid():6125
5578:20151008:195909.776 command output exceeded limit of 512 KB
software versions:
Zabbix Agent (daemon) v2.4.6 (revision 54796) (10 August 2015)
Linux 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Aug 5 14:37:37 CDT 2015 x86_64 x86_64 x86_64 GNU/Linux