Service Operations Insight

  • 1.  metricbeat and SElinux

    Posted Jan 29, 2020 10:28 AM
    Hi all,

    after I deployed self-monitoring in my cluster, selinux is flooding my logs with messages like

    SELinux is preventing /usr/bin/metricbeat from search access on directory 1

    and similarly for all other directories in the /proc filesystem

    and also

    SELinux is preventing /usr/bin/metricbeat from connectto access on the unix_stream_socket /run/docker.sock

    It is not enough to just change the acl on /var/run/docker.sock it seems. What is the best way to solve this?

    thanks
    Olav


  • 2.  RE: metricbeat and SElinux

    Broadcom Employee
    Posted Jan 30, 2020 03:03 AM
    Hi Olav, can you change the security context of those folders?
    chcon -Rt svirt_sandbox_file_t <folderpath>
    Let us know
    Nestor


  • 3.  RE: metricbeat and SElinux

    Posted Jan 30, 2020 03:41 AM
    Hi Nestor, no I can't. It replies chcon: failed to change context of ... Operation not supported.

    Olav


  • 4.  RE: metricbeat and SElinux

    Posted Jan 30, 2020 03:58 AM
    Hi Nestor, wouldn't it be better to run metricbeat in privileged mode rather than changing file contexts in the /proc filesystem?

    Olav


  • 5.  RE: metricbeat and SElinux

    Posted Feb 03, 2020 03:24 AM
    Am I the only one who sees this? I am running SELinux in enforcing mode, type targeted

    Regards
    Olav


  • 6.  RE: metricbeat and SElinux

    Broadcom Employee
    Posted Feb 04, 2020 01:08 AM
    Hi Olav,

    I feel it would be better to submit this topic to the "discuss.elastic.co" community.
    I can see some similar discussions there.

    Best Regards,
    Naruhiro


  • 7.  RE: metricbeat and SElinux

    Posted Feb 04, 2020 05:38 AM
    Hi Naruhiro,

    well, if this had not been related to DOI, I would have. But since this is the metricbeat pod deployed from the doi_metricbeat image, I thought this was the right forum. Especially since I wanted to know of the experience other users of Broadcom's doi_metricbeat image have, and not the regular image.

    But perhaps the lack of response is because I am the only one who has deployed self-monitoring on an on-premise solution with SELinux in enforcing mode?

    It is my understanding that the metricbeat container needs to run in privileged mode. I question whether doi_metricbeat does that, and I am surprised that no one from Broadcom has responded!

    Best regards
    Olav


  • 8.  RE: metricbeat and SElinux
    Best Answer

    Broadcom Employee
    Posted Feb 04, 2020 08:33 PM
    Hi Olav,

    Okay, then you can open a support ticket.
    And I found a similar case resolved by the following:
    # grep metricbeat /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Thanks, Naruhiro
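
Before installing a module generated from the audit log, it helps to see which allow rules the denials translate into. The following is an added example, not part of the original thread or of Broadcom's code: it parses constructed sample audit.log lines (the SELinux types shown are assumptions) and groups the denials whose comm field is metricbeat into candidate rules for review.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the SELinux
# types shown (container_t, init_t, sshd_t, container_runtime_t) are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1580293680.101:901): avc:  denied  { search } for  pid=4321 comm="metricbeat" name="1" dev="proc" ino=10001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580293680.102:902): avc:  denied  { search } for  pid=4321 comm="metricbeat" name="812" dev="proc" ino=10002 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1580293681.300:903): avc:  denied  { connectto } for  pid=4321 comm="metricbeat" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1580293682.000:904): avc:  denied  { read } for  pid=999 comm="logrotate" name="metricbeat.log" dev="dm-0" ino=777 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]

def summarize_denials(log_text, comm="metricbeat"):
    """Group AVC denials for one command into candidate allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # skip lines that only mention the name, e.g. in a file path
        key = (selinux_type(m.group("scon")),
               selinux_type(m.group("tcon")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    for rule in summarize_denials(SAMPLE_LOG):
        print(rule)
```

A plain text match on the process name would also pick up the fourth sample line, a logrotate denial on a file named metricbeat.log; filtering on the comm field leaves it out of the summary.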


  • 9.  RE: metricbeat and SElinux

    Posted Feb 05, 2020 07:34 AM
    Hi Naruhiro,

    I removed self-monitoring to get rid of the problem. I am aware of the option to generate a local policy module, but I see that as a last resort, and a work-around. It would be far better if you could fix doi_metricbeat.

    thanks
    Olav