Différences
Ci-dessous, les différences entre deux révisions de la page.
tuto:monitoring:installer_le_serveur_zabbix_sur_centos [04/12/2013 14:39] dani [SELinux] |
tuto:monitoring:installer_le_serveur_zabbix_sur_centos [14/04/2014 18:18] (Version actuelle) dani |
||
---|---|---|---|
Ligne 283: | Ligne 283: | ||
==== SELinux ==== | ==== SELinux ==== | ||
- | + | Il faut activer | |
- | Sous CentOS 6, la politique SELinux par défaut va empêcher Zabbix d' | + | |
- | + | ||
- | + | ||
- | < | + | |
- | cat <<' | + | |
- | module zabbix_server 1.0; | + | |
- | + | ||
- | require { | + | |
- | type var_lib_t; | + | |
- | type ping_t; | + | |
- | type initrc_t; | + | |
- | type unlabeled_t; | + | |
- | class file { read getattr }; | + | |
- | class sem { unix_read unix_write associate destroy }; | + | |
- | class shm { unix_read unix_write associate destroy }; | + | |
- | class tcp_socket { create getattr accept shutdown read }; | + | |
- | class netlink_route_socket { create bind }; | + | |
- | } | + | |
- | + | ||
- | # | + | |
- | allow ping_t var_lib_t: | + | |
- | allow initrc_t unlabeled_t: | + | |
- | allow initrc_t unlabeled_t: | + | |
- | allow unlabeled_t self: | + | |
- | allow unlabeled_t self: | + | |
- | EOF | + | |
- | checkmodule -M -m -o zabbix_server.mod zabbix_server.te | + | |
- | semodule_package -o zabbix_server.pp -m zabbix_server.mod | + | |
- | cp zabbix_server.pp / | + | |
- | semodule -i zabbix_server.pp | + | |
- | </ | + | |
- | + | ||
- | <code bash> | + | |
- | cat <<' | + | |
- | module zabbix_agent 1.0; | + | |
- | + | ||
- | require { | + | |
- | type unlabeled_t; | + | |
- | type root_t; | + | |
- | type proc_t; | + | |
- | type var_t; | + | |
- | type var_log_t; | + | |
- | type device_t; | + | |
- | type fs_t; | + | |
- | type sysctl_t; | + | |
- | class process { fork sigchld setpgid }; | + | |
- | class netlink_route_socket { getattr write nlmsg_read read }; | + | |
- | class dir { read search getattr append }; | + | |
- | class tcp_socket write; | + | |
- | class fifo_file read; | + | |
- | class filesystem getattr; | + | |
- | } | + | |
- | + | ||
- | # | + | |
- | allow unlabeled_t root_t:dir search; | + | |
- | allow unlabeled_t proc_t:dir search; | + | |
- | allow unlabeled_t self: | + | |
- | allow unlabeled_t self: | + | |
- | allow unlabeled_t self: | + | |
- | allow unlabeled_t var_t:dir search; | + | |
- | allow unlabeled_t var_log_t: | + | |
- | allow unlabeled_t self: | + | |
- | allow unlabeled_t device_t: | + | |
- | allow unlabeled_t fs_t: | + | |
- | allow unlabeled_t sysctl_t: | + | |
- | EOF | + | |
- | checkmodule -M -m -o zabbix_agent.mod zabbix_agent.te | + | |
- | semodule_package -o zabbix_agent.pp -m zabbix_agent.mod | + | |
- | cp zabbix_agent.pp / | + | |
- | semodule -i zabbix_agent.pp | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | Il faut aussi activer | + | |
< | < | ||
setsebool -P domain_kernel_load_modules=on | setsebool -P domain_kernel_load_modules=on | ||
+ | setsebool -P zabbix_can_network=on | ||
</ | </ | ||
==== Agent ==== | ==== Agent ==== |
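Review bot: The new SELinux section turns on `domain_kernel_load_modules`, which in the CentOS 6 targeted policy is a global boolean covering every confined domain rather than only Zabbix, and the text visible here does not say why it is needed. I would add one sentence before the `setsebool` lines naming the denial that motivates each boolean. I would also add a verification step after them, such as `getsebool domain_kernel_load_modules zabbix_can_network` followed by `ausearch -m avc -ts recent`, so readers can confirm the two booleans are enough and spot any remaining denials. The cells in this rendering are truncated, so the introductory sentence may already cover part of this.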