-
Incident report
-
Resolution: Unsupported version
-
Trivial
-
None
-
2.4.8
-
None
-
Tested on CentOS 7 with enforcing SELinux
The packages provided by zabbix.com for 2.4 install /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf by default, and with small configuration tweaks it works like a charm when SELinux is permissive or disabled.
When SELinux is enforcing, the agent can't properly execute and connect to the local mysql/mariadb server.
Below is a policy that adds the required permissions for it to function.
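# Local policy module: grants the confined Zabbix agent domain (zabbix_agent_t)
# the accesses it was denied when talking to a local mysqld under enforcing
# SELinux. Every rule below has zabbix_agent_t as its source domain.
#
# NOTE(review): the original listing also carried
#   allow unconfined_t zabbix_agent_t:dir relabelto;
#   allow unconfined_t zabbix_agent_t:file relabelto;
# Those are left out here. Their source is unconfined_t (not the agent), and
# their target is the agent's *process* type used as a file label, so they do
# not affect what the agent itself may do. They look like an audit2allow
# capture of a manual relabel performed while testing - confirm against the
# audit log before re-adding; files should carry a file type such as
# zabbix_var_lib_t, not a domain type.
module zabbix_mysql 1.0;

require {
	type mysqld_var_run_t;
	type mysqld_etc_t;
	type mysqld_t;
	type zabbix_var_lib_t;
	type zabbix_agent_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read open };
}

#============= zabbix_agent_t ==============

# Read access to files labelled mysqld_etc_t (MySQL configuration).
# NOTE(review): if client credentials are kept in those files they become
# readable by the agent domain - keep them in a dedicated, tightly-permissioned
# file instead.
allow zabbix_agent_t mysqld_etc_t:file { read open };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
# NOTE(review): the explicit rule below is scoped to this one domain pair;
# check what else the boolean enables (semanage boolean -l) before preferring it.
allow zabbix_agent_t mysqld_t:unix_stream_socket connectto;

# Connecting to a UNIX socket also needs write on the socket file itself.
allow zabbix_agent_t mysqld_var_run_t:sock_file write;

# Read access to files labelled zabbix_var_lib_t.
# presumably the MySQL client option file under the agent's home - verify.
allow zabbix_agent_t zabbix_var_lib_t:file { read open };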