Hey guys,
I have a centos 7 machine I'm using as a zabbix server. And I noticed that apache won't start, with this complaint in the error log:
(13)Permission denied: AH00091: httpd: could not open error log file /var/log/zabbix_error_log.
AH00015: Unable to open logs
I tried having a look at audit2allow and this is the response I get back:
[root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t zabbix_log_t:file open;
How can I turn that bit of information into a rule that allows apache access to this zabbix log file?
I notice that if I disable selinux using setenforce 0, apache starts up without complaint. But I would rather not leave it disabled.
Thanks, Tim
Try something like:
grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
semodule -i zabbix.pp
On Wed, Jun 17, 2015 at 5:32 AM, Harold Toms h.toms@qmul.ac.uk wrote:
> Try something like:
> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
> semodule -i zabbix.pp
Thanks for your response! However this is what happens when I try to install the module:
[root@monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
Any other thoughts?
Thanks, Tim
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 17/06/15 15:27, Tim Dunphy wrote:
>> Try something like:
>> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
>> semodule -i zabbix.pp
> Thanks for your response! However this is what happens when I try to install the module:
> [root@monitor2:~] #semodule -i zabbix.pp
> libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
> Any other thoughts?
> Thanks, Tim
That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
semodule -i myzabbix.pp
On Wed, Jun 17, 2015 at 11:24 AM, Harold Toms h.toms@qmul.ac.uk wrote:
> That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
> grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
> semodule -i myzabbix.pp
Hmm no luck there either:
[root@monitor2:~] #semodule -i myzabbix.pp
*semodule: Failed on myzabbix.pp!*
I also tried:
[root@monitor2:~] #semodule -i my_zabbix
semodule: Failed on my_zabbix!
And
[root@monitor2:~] #semodule -i my-zabbix
semodule: Failed on my-zabbix!
Just in case.. none of that worked.
Got any other ideas? :)
Tim
On 17/06/15 16:29, Tim Dunphy wrote:
>> That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
>> grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
>> semodule -i myzabbix.pp
> Hmm no luck there either:
> [root@monitor2:~] #semodule -i myzabbix.pp
> *semodule: Failed on myzabbix.pp!*
> I also tried:
> [root@monitor2:~] #semodule -i my_zabbix
> semodule: Failed on my_zabbix!
> And
> [root@monitor2:~] #semodule -i my-zabbix
> semodule: Failed on my-zabbix!
> Just in case.. none of that worked.
> Got any other ideas? :)
> Tim
What turns up in myzabbix.te?
On Wed, Jun 17, 2015 at 11:42 AM, Harold Toms h.toms@qmul.ac.uk wrote:
> What turns up in myzabbix.te?
Same deal. :(
#semodule -i myzabbix.te
semodule: Failed on myzabbix.te!
sigh... but thanks any other clues?
On 17/06/15 17:43, Tim Dunphy wrote:
>> What turns up in myzabbix.te?
> Same deal. :(
> #semodule -i myzabbix.te
> semodule: Failed on myzabbix.te!
> sigh... but thanks any other clues?
Sorry, I didn't put that very clearly. Could you show us the contents of myzabbix.te.
On Wed, Jun 17, 2015 at 2:10 PM, Harold Toms h.toms@qmul.ac.uk wrote:
> Sorry, I didn't put that very clearly. Could you show us the contents of myzabbix.te.
No prob! Thanks for all the help! But in searching my system I don't find anything of the sort.
[root@monitor2:~] #updatedb
[root@monitor2:~] #locate myzabbix.te
[root@monitor2:~] #find / -name "myzabbix.*"
I also did search using 'yum provides' to find something similar. But wasn't able to find anything.
yum provides "*/myzabbix.*"
...
No matches found
Maybe I'll need to install a package?
Thanks, Tim
On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
> No prob! Thanks for all the help! But in searching my system I don't find anything of the sort.
> [root@monitor2:~] #updatedb
> [root@monitor2:~] #locate myzabbix.te
> [root@monitor2:~] #find / -name "myzabbix.*"
> I also did search using 'yum provides' to find something similar. But wasn't able to find anything.
What we're asking for is the contents of the .te file that is created when you run audit2allow.
On 06/17/2015 04:03 PM, Jonathan Billings wrote:
> On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
>> No prob! Thanks for all the help! But in searching my system I don't find anything of the sort.
>> [root@monitor2:~] #updatedb
>> [root@monitor2:~] #locate myzabbix.te
>> [root@monitor2:~] #find / -name "myzabbix.*"
>> I also did search using 'yum provides' to find something similar. But wasn't able to find anything.
> What we're asking for is the contents of the .te file that is created when you run audit2allow.
Go back to the original email and do what you were told
# grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
# semodule -i myzabbix.pp
You did audit2allow -M zabbix
Which created zabbix.te and zabbix.pp, which is bad. It will attempt to replace the system module.
If you use myzabbix, it will add the allow rules.
Hey guys,
Thanks! That worked.
[root@monitor2:~] #grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myzabbix.pp
[root@monitor2:~] #semodule -i myzabbix.pp
[root@monitor2:~] #lsof -i :80
[root@monitor2:~] #systemctl start httpd
[root@monitor2:~] #lsof -i :80
COMMAND   PID   USER FD TYPE   DEVICE SIZE/OFF NODE NAME
httpd   18664   root 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18665 apache 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18666 apache 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18667 apache 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18668 apache 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18669 apache 4u IPv6 12477027      0t0  TCP *:http (LISTEN)
[root@monitor2:~] #getenforce
Enforcing
Definitely appreciate the help and sorry if there was any confusion on my part. All set at this point!
Best, Tim
On Wed, Jun 17, 2015 at 4:11 PM, Daniel J Walsh dwalsh@redhat.com wrote:
> Go back to the original email and do what you were told
> # grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
> # semodule -i myzabbix.pp
> You did audit2allow -M zabbix
> Which created zabbix.te and zabbix.pp, which is bad. It will attempt to replace the system module.
> If you use myzabbix, it will add the allow rules.
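The naming problem described in the last replies, as an added example that is not part of the original thread: a pre-flight check that reads the module name from an audit2allow-generated .te file, refuses it if a module of that name is already loaded, and otherwise prints the allow rules for review. The function names, the sample module listing and the sample .te contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for an audit2allow-generated module.
# On a real host, feed it live data:
#   preflight "$(cat myzabbix.te)" "$(semodule -l)"

# Constructed sample of a module listing (name and version columns).
SAMPLE_MODULES='apache 2.7.2
zabbix 1.6.0
zoneminder 1.0.0'

# Constructed sample .te file carrying the rule shown in the thread.
SAMPLE_TE='module myzabbix 1.0;

require {
    type httpd_t;
    type zabbix_log_t;
    class file open;
}

#============= httpd_t ==============
allow httpd_t zabbix_log_t:file open;'

# Succeed if the name in $1 is already in the module list on stdin.
name_collides() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# Print the name declared on the "module <name> <version>;" line.
te_module_name() {
    awk '$1 == "module" { print $2; exit }'
}

# Print only the allow rules, so they can be read before loading.
te_allow_rules() {
    grep -E '^[[:space:]]*allow[[:space:]]'
}

# preflight TE_TEXT MODULE_LIST: refuse a name that would replace a loaded module.
preflight() {
    name=$(printf '%s\n' "$1" | te_module_name)
    [ -n "$name" ] || { echo "REFUSE: no module declaration found"; return 1; }
    if printf '%s\n' "$2" | name_collides "$name"; then
        echo "REFUSE: '$name' is already loaded; use a local name such as my$name"
        return 1
    fi
    echo "OK: '$name' is unused. Rules it would add:"
    printf '%s\n' "$1" | te_allow_rules
}
```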