Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentes Révision précédente | |||
|
tuto:monitoring:installer_le_serveur_zabbix_sur_centos [04/12/2013 14:39] dani [SELinux] |
tuto:monitoring:installer_le_serveur_zabbix_sur_centos [14/04/2014 18:18] (Version actuelle) dani |
||
|---|---|---|---|
| Ligne 283: | Ligne 283: | ||
| ==== SELinux ==== | ==== SELinux ==== | ||
| - | + | Il faut activer | |
| - | Sous CentOS 6, la politique SELinux par défaut va empêcher Zabbix d' | + | |
| - | + | ||
| - | + | ||
| - | < | + | |
| - | cat <<' | + | |
| - | module zabbix_server 1.0; | + | |
| - | + | ||
| - | require { | + | |
| - | type var_lib_t; | + | |
| - | type ping_t; | + | |
| - | type initrc_t; | + | |
| - | type unlabeled_t; | + | |
| - | class file { read getattr }; | + | |
| - | class sem { unix_read unix_write associate destroy }; | + | |
| - | class shm { unix_read unix_write associate destroy }; | + | |
| - | class tcp_socket { create getattr accept shutdown read }; | + | |
| - | class netlink_route_socket { create bind }; | + | |
| - | } | + | |
| - | + | ||
| - | # | + | |
| - | allow ping_t var_lib_t: | + | |
| - | allow initrc_t unlabeled_t: | + | |
| - | allow initrc_t unlabeled_t: | + | |
| - | allow unlabeled_t self: | + | |
| - | allow unlabeled_t self: | + | |
| - | EOF | + | |
| - | checkmodule -M -m -o zabbix_server.mod zabbix_server.te | + | |
| - | semodule_package -o zabbix_server.pp -m zabbix_server.mod | + | |
| - | cp zabbix_server.pp / | + | |
| - | semodule -i zabbix_server.pp | + | |
| - | </ | + | |
| - | + | ||
| - | <code bash> | + | |
| - | cat <<' | + | |
| - | module zabbix_agent 1.0; | + | |
| - | + | ||
| - | require { | + | |
| - | type unlabeled_t; | + | |
| - | type root_t; | + | |
| - | type proc_t; | + | |
| - | type var_t; | + | |
| - | type var_log_t; | + | |
| - | type device_t; | + | |
| - | type fs_t; | + | |
| - | type sysctl_t; | + | |
| - | class process { fork sigchld setpgid }; | + | |
| - | class netlink_route_socket { getattr write nlmsg_read read }; | + | |
| - | class dir { read search getattr append }; | + | |
| - | class tcp_socket write; | + | |
| - | class fifo_file read; | + | |
| - | class filesystem getattr; | + | |
| - | } | + | |
| - | + | ||
| - | # | + | |
| - | allow unlabeled_t root_t:dir search; | + | |
| - | allow unlabeled_t proc_t:dir search; | + | |
| - | allow unlabeled_t self: | + | |
| - | allow unlabeled_t self: | + | |
| - | allow unlabeled_t self: | + | |
| - | allow unlabeled_t var_t:dir search; | + | |
| - | allow unlabeled_t var_log_t: | + | |
| - | allow unlabeled_t self: | + | |
| - | allow unlabeled_t device_t: | + | |
| - | allow unlabeled_t fs_t: | + | |
| - | allow unlabeled_t sysctl_t: | + | |
| - | EOF | + | |
| - | checkmodule -M -m -o zabbix_agent.mod zabbix_agent.te | + | |
| - | semodule_package -o zabbix_agent.pp -m zabbix_agent.mod | + | |
| - | cp zabbix_agent.pp / | + | |
| - | semodule -i zabbix_agent.pp | + | |
| - | </ | + | |
| - | + | ||
| - | + | ||
| - | Il faut aussi activer | + | |
| < | < | ||
| setsebool -P domain_kernel_load_modules=on | setsebool -P domain_kernel_load_modules=on | ||
| + | setsebool -P zabbix_can_network=on | ||
| </ | </ | ||
| ==== Agent ==== | ==== Agent ==== | ||