I'm having a problem with a file accessed by Zabbix to process all the SNMP trap data using a file /var/log/snmptt/snmptt.log.
ZAbbix_proxy.log
23323:20140430:105246.532 sleeping for 5 seconds
23329:20140430:105247.070 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
23329:20140430:105247.070 sleeping for 1 seconds
23329:20140430:105248.070 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
23329:20140430:105248.071 sleeping for 1 seconds
23329:20140430:105249.071 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
23329:20140430:105249.071 sleeping for 1 seconds
SELinux audit log:
time->Wed Apr 30 09:58:11 2014
type=SYSCALL msg=audit(1398869891.560:41198): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1398869891.560:41198): avc: denied { read } for pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Wed Apr 30 09:58:12 2014
type=SYSCALL msg=audit(1398869892.560:41199): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1398869892.560:41199): avc: denied { read } for pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
I don't understand SELinux.
Does anyone know what flag I need to activate on the file to avoid these file access denied messages from SELinux?
Best Answer
Unfortunately, there's no such "flag". The closest would be a boolean, and according to the zabbix_selinux(8) manpage, there's no boolean defined to grant read access to a log file in an arbitrary location.

You don't give details regarding the actual labeling of the files under the /var/log/snmptt/ directory. The expected labeling may or may not match the expected label of other SNMP related log files, as per semanage():

The solution, then, would be to grant zabbix read access to those logfiles. Filter your audit log using audit2allow(1):

The procedure to build a custom module is detailed in the audit2allow(1) manpage.

You'd normally build a module, install or update it, and test the behavior of your application under the new security restrictions, and further refine the module. This is easily done putting your machine in permissive mode while you test/develop a new module. Use setenforce(8) to do that.
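
An added example, not part of the original answer and not audit2allow's own code: a simplified Python parser that reads the AVC records from the question and derives the type-enforcement rule they correspond to, which is the kind of rule audit2allow(1) proposes. The function names are illustrative.

```python
import re
from collections import defaultdict

# Two AVC records copied from the audit log in the question above.
SAMPLE = '''type=AVC msg=audit(1398869891.560:41198): avc: denied { read } for pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1398869892.560:41199): avc: denied { read } for pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group(2).split() if '=' in kv)
    try:
        # An SELinux context is user:role:type[:level]; the type is field 3.
        return {
            'perms': m.group(1).split(),
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'name': fields.get('name', '').strip('"'),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Collapse repeated denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        ps = sorted(p)
        body = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    for rule in summarize(SAMPLE):
        print(rule)
```

The derived rule applies to every file labelled var_log_t, not only snmptt.log, which is worth weighing before loading it as a module.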