- Incident report
- Resolution: Duplicate
- Critical
- None
- 3.4.12
- None
# hostnamectl
Static hostname: srvzab.test
Icon name: computer-vm
Chassis: vm
Machine ID: cbf08f1888f34dd2b17d8e5746d990a2
Boot ID: 4a9d81a316f24c8ab6b3db39c357121b
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.9.1.el7.x86_64
Architecture: x86-64
# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
# zabbix_server --version
zabbix_server (Zabbix) 3.4.12
Revision 83229 30 July 2018, compilation time: Jul 30 2018 11:46:20
Copyright (C) 2018 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
Steps to reproduce:
- Clean installation according to manual
- On step
service zabbix-agent start
receiving error in /var/log/messages
(installed
$ sudo yum install setroubleshoot setroubleshoot-server
to diagnose and fix SELinux issues)
setroubleshoot: SELinux is preventing /usr/sbin/zabbix_server_mysql from unlink access on the sock_file zabbix_server_preprocessing.sock. For complete SELinux messages run: sealert -l a2affa37-6f5e-4e6d-801f-5ed54d72b50d
Aug 7 14:03:27 srvzab python: SELinux is preventing /usr/sbin/zabbix_server_mysql from unlink access on the sock_file zabbix_server_preprocessing.sock.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that zabbix_server_mysql should be allowed unlink access on the zabbix_server_preprocessing.sock sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver#012# semodule -i my-zabbixserver.pp#012
- Fixed by
# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
# semodule -i my-zabbixserver.pp
# service zabbix-server start
# service zabbix-server status
Redirecting to /bin/systemctl status zabbix-server.service
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-08-07 14:37:05 UTC; 1h 29min ago
  Process: 920 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 955 (zabbix_server)
   CGroup: /system.slice/zabbix-server.service
           ├─ 955 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
           ├─1474 /usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.007480 sec, idle 60 sec]
           ├─1475 /usr/sbin/zabbix_server: alerter #1 started
           ├─1476 /usr/sbin/zabbix_server: alerter #2 started
           ├─1477 /usr/sbin/zabbix_server: alerter #3 started
           ├─1478 /usr/sbin/zabbix_server: housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items in 0.022023 sec, idle for 1 hour(s)]
           ├─1479 /usr/sbin/zabbix_server: timer #1 [processed 0 triggers, 0 events in 0.000010 sec, 0 maintenances in 0.000000 sec, idle 30 sec]
           ├─1480 /usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000463 sec, idle 5 sec]
           ├─1481 /usr/sbin/zabbix_server: discoverer #1 [processed 0 rules in 0.000515 sec, idle 60 sec]
           ├─1482 /usr/sbin/zabbix_server: history syncer #1 [synced 0 items in 0.000001 sec, idle 1 sec]
           ├─1483 /usr/sbin/zabbix_server: history syncer #2 [synced 0 items in 0.000001 sec, idle 1 sec]
           ├─1484 /usr/sbin/zabbix_server: history syncer #3 [synced 0 items in 0.000001 sec, idle 1 sec]
           ├─1485 /usr/sbin/zabbix_server: history syncer #4 [synced 0 items in 0.000001 sec, idle 1 sec]
           ├─1486 /usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.001016 sec, idle 3 sec]
           ├─1487 /usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000002 sec, idle 5 sec]
           ├─1488 /usr/sbin/zabbix_server: self-monitoring [processed data in 0.000010 sec, idle 1 sec]
           ├─1489 /usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.000464 sec, idle 5 sec]
           ├─1490 /usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1491 /usr/sbin/zabbix_server: poller #2 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1492 /usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1493 /usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1494 /usr/sbin/zabbix_server: poller #5 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1495 /usr/sbin/zabbix_server: unreachable poller #1 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1496 /usr/sbin/zabbix_server: trapper #1 [processed data in 0.000000 sec, waiting for connection]
           ├─1497 /usr/sbin/zabbix_server: trapper #2 [processed data in 0.000000 sec, waiting for connection]
           ├─1498 /usr/sbin/zabbix_server: trapper #3 [processed data in 0.000000 sec, waiting for connection]
           ├─1499 /usr/sbin/zabbix_server: trapper #4 [processed data in 0.000000 sec, waiting for connection]
           ├─1500 /usr/sbin/zabbix_server: trapper #5 [processed data in 0.000259 sec, waiting for connection]
           ├─1501 /usr/sbin/zabbix_server: icmp pinger #1 [got 0 values in 0.000004 sec, idle 5 sec]
           ├─1502 /usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.013533 sec during 5.013534 sec]
           ├─1503 /usr/sbin/zabbix_server: preprocessing manager #1 [queued 0, processed 0 values, idle 5.015466 sec during 5.015469 sec]
           ├─1504 /usr/sbin/zabbix_server: preprocessing worker #1 started
           ├─1505 /usr/sbin/zabbix_server: preprocessing worker #2 started
           └─1506 /usr/sbin/zabbix_server: preprocessing worker #3 started
Aug 07 14:37:04 srvzab.test systemd[1]: Starting Zabbix Server...
Aug 07 14:37:05 srvzab.test systemd[1]: PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start.
Aug 07 14:37:05 srvzab.test systemd[1]: Started Zabbix Server.
- file - my-zabbixserver.te
module my-zabbixserver 1.0;

require {
	type zabbix_var_run_t;
	type zabbix_t;
	class sock_file { create unlink };
	class unix_stream_socket connectto;
}

#============= zabbix_t ==============

#!!!! The file '/run/zabbix/zabbix_server_preprocessing.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow zabbix_t self:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow zabbix_t zabbix_var_run_t:sock_file create;
allow zabbix_t zabbix_var_run_t:sock_file unlink;
- Help avoid these additional steps
- is duplicated by
- ZBX-14626 selinux issue on zabbix-server RHEL 7.5
- Closed
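
An added example, not part of the original report or of Zabbix: it reads a module generated by audit2allow, such as the my-zabbixserver.te in the report, and classifies each allow rule by the `#!!!!` advisories that precede it, so a mislabeled file or an already-allowed rule is noticed before `semodule -i`. The function names, the action labels, and the assumption that advisories describe the next allow rule are illustrative.

```python
import re
# Constructed sample: the generated module from the report, one statement per line.
SAMPLE_TE = """\
module my-zabbixserver 1.0;
require {
    type zabbix_var_run_t;
    type zabbix_t;
    class sock_file { create unlink };
    class unix_stream_socket connectto;
}
#============= zabbix_t ==============
#!!!! The file '/run/zabbix/zabbix_server_preprocessing.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow zabbix_t self:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow zabbix_t zabbix_var_run_t:sock_file create;
allow zabbix_t zabbix_var_run_t:sock_file unlink;
"""

NOTE = re.compile(r"^#!!!!\s*(.*)$")
RULE = re.compile(r"^allow\s+\S+\s+\S+:\S+\s+.+;$")

def classify(notes):
    """Map the advisories attached to one rule to a single triage action."""
    text = " ".join(notes).lower()
    if "mislabeled" in text or "restorecon" in text:
        return "relabel"    # fix the file context and retest before adding policy
    if "allowed in the current policy" in text:
        return "redundant"  # rule adds nothing to the loaded policy
    if "boolean" in text:
        return "boolean"    # an existing boolean covers it; weigh that instead
    return "review"         # no advisory: read this rule by hand

def triage(te_text):
    """Return (rule, action, notes) for each allow rule in an audit2allow module."""
    results, pending = [], []
    for line in map(str.strip, te_text.splitlines()):
        note = NOTE.match(line)
        if note:
            pending.append(note.group(1))   # assumed to describe the next rule
        elif RULE.match(line):
            results.append((line, classify(pending), pending))
            pending = []
    return results

if __name__ == "__main__":
    for rule, action, notes in triage(SAMPLE_TE):
        print(f"{action:<9} {rule}")
```

For a rule marked `relabel`, the advisory itself names the `restorecon` command to run; retest the service after relabeling before deciding whether any local module is still needed.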