Collect data in ITE Work with SELinux
You may encounter these issues when you try to deploy collectd on a host that's running SELinux:
- collectd's LogFile plug-in doesn't have permissions to write to its log.
- collectd can't establish a network connection and you see the CURL failed with status 7 error.
If you're running SELinux and want to deploy collectd, use one of the following options to avoid these failures.
Option 1:
Run the collectd process type in permissive mode:
semanage permissive -a collectd_t
SELinux no longer denies access to collectd, but you may still see SELinux denial messages, because a permissive domain keeps logging the denials it would otherwise enforce.
Option 2:
- Fix the blocked network connection for collectd:
  setsebool -P collectd_tcp_network_connect 1
- Fix the permission denied error for the LogFile plug-in. collectd's log is also available from syslog, and shouldn't require any changes to access from there.
  - Use /var/log/collectd.log in collectd.conf for the LogFile plug-in.
  - Create the mypolicy.te file with this content:
    module mypolicy 1.0;

    require {
        type var_log_t;
        type collectd_t;
        class dir { add_name read write };
        class file { create open write };
    }

    #============= collectd_t ==============
    allow collectd_t var_log_t:dir { add_name write };
    allow collectd_t var_log_t:file open;
    allow collectd_t var_log_t:file create;
  - Compile mypolicy.te:
    $ checkmodule -M -m -o mypolicy.mod mypolicy.te
    $ semodule_package -o mypolicy.pp -m mypolicy.mod
  - Apply the policy package mypolicy.pp to SELinux:
    $ semodule -i mypolicy.pp
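To confirm which of the two Option 2 fixes a host actually needs, you can summarise the AVC denials recorded for collectd_t. The following is an added example, not part of the original Splunk documentation: the function names and the sample audit lines (including the port number and port type) are constructed for illustration.

```shell
# Constructed sample audit.log records; on a real host, feed the function
# with: ausearch -m avc -c collectd --raw | collectd_denials
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="collectd" dest=8088 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { add_name write } for  pid=1234 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { create } for  pid=1234 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=999 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
}

# Read raw AVC records on stdin and print, for each collectd_t denial:
#   <tclass> <target type> {<permissions>} -> <fix from Option 2>
collectd_denials() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:collectd_t:/ {
      ttype = ""; tclass = ""
      # Permissions are the words between "{ " and " }".
      perms = $0
      sub(/^[^{]*[{] /, "", perms)
      sub(/ [}].*$/, "", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      if (tclass == "tcp_socket" && perms ~ /name_connect/)
        fix = "setsebool -P collectd_tcp_network_connect 1"
      else if (ttype == "var_log_t" && (tclass == "dir" || tclass == "file"))
        fix = "semodule -i mypolicy.pp"
      else
        fix = "not covered by Option 2"
      print tclass, ttype, "{" perms "}", "->", fix
    }'
}

sample_avc | collectd_denials
```

Run it again after applying the boolean and the module: no output for collectd_t means the denials have stopped.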
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1