RRDCached blocked by SELinux after a CentOS/Rocky 8 update

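I have a machine running LibreNMS on CentOS 8 that, through a slip of the finger,
got updated to the latest release.
It runs RRDCached, and after the update and reboot I found it was being blocked by SELinux.
A quick search showed that others had run into a similar situation.
The SELinux rules for rrdcached need to be adjusted as follows: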

cat > rrdcached_librenms.te << EOF
module rrdcached_librenms 1.0;

require {
        type httpd_t;
        type httpd_sys_rw_content_t;
        type rrdcached_t;
        type var_run_t;
        class capability { dac_read_search fsetid };
        class dir { getattr search };
        class file { getattr lock map open read write };
        class sock_file { create setattr unlink write };
        class unix_stream_socket connectto;
        class tcp_socket { listen };
}

#============= httpd_t ==============

allow httpd_t rrdcached_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

#============= rrdcached_t ==============
allow rrdcached_t httpd_sys_rw_content_t:dir { getattr search };
allow rrdcached_t httpd_sys_rw_content_t:file map;
allow rrdcached_t httpd_sys_rw_content_t:file { getattr lock open read write };
allow rrdcached_t self:capability { dac_read_search fsetid };
allow rrdcached_t var_run_t:sock_file { create setattr unlink };
allow rrdcached_t self:tcp_socket { listen };
EOF

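# Compile the type enforcement source into a policy module
checkmodule -M -m -o rrdcached_librenms.mod rrdcached_librenms.te
# Package the compiled module as a .pp policy package
semodule_package -o rrdcached_librenms.pp -m rrdcached_librenms.mod
# Install the policy package (run as root)
semodule -i rrdcached_librenms.pp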

That fixes the problem.
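Before loading a module taken from a search result, it is worth confirming that each allow rule corresponds to a denial logged on your own host. The following is an added example, not part of the original post: a shell function (`avc_to_rules`, a hypothetical name) that condenses AVC denial records into allow lines for comparison with the .te file above. The sample records, including the socket path, are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): condense AVC denial records
# into one allow line per (source type, target, class) so they can be
# compared with the rules in rrdcached_librenms.te.
# avc_to_rules and sample_avc are hypothetical helper names.

# Constructed sample records in audit.log format.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { connectto } for  pid=2101 comm="php-fpm" path="/run/rrdcached.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:rrdcached_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="rrdcached.sock" dev="tmpfs" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { setattr } for  pid=1801 comm="rrdcached" name="rrdcached.sock" dev="tmpfs" ino=4242 scontext=system_u:system_r:rrdcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.104:504): avc:  denied  { create } for  pid=1801 comm="rrdcached" name="rrdcached.sock" scontext=system_u:system_r:rrdcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.105:505): avc:  denied  { create } for  pid=1801 comm="rrdcached" name="rrdcached.sock" scontext=system_u:system_r:rrdcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.106:506): avc:  denied  { listen } for  pid=1801 comm="rrdcached" scontext=system_u:system_r:rrdcached_t:s0 tcontext=system_u:system_r:rrdcached_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.106:506): arch=c000003e syscall=50 success=no comm="rrdcached"
EOF
}

# Read audit records on stdin, print deduplicated allow lines on stdout.
avc_to_rules() {
    awk '
    /avc:/ && /denied/ {
        n = 0; src = ""; tgt = ""; cls = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perm[++n] = $i; continue }   # permission inside { }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"   # policy source writes this as self
        for (j = 1; j <= n; j++) print src, tgt ":" cls, perm[j]
    }' | LC_ALL=C sort -u | awk '
    {   key = $1 " " $2
        if (key != prev) {
            if (prev != "") print "allow " prev " {" set " };"
            prev = key; set = ""
        }
        set = set " " $3
    }
    END { if (prev != "") print "allow " prev " {" set " };" }'
}

# On a real host, feed it from the audit log: ausearch -m avc -ts recent | avc_to_rules
sample_avc | avc_to_rules
```

Any rule in the .te file that never shows up in this output for your host grants access that nothing on the system asked for, and can be dropped before compiling.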
