-
Problem report
-
Resolution: Duplicate
-
Trivial
-
5.0.0, 5.2.0alpha1
-
Sprint 64 (May 2020), Sprint 65 (Jun 2020), Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020), Sprint 69 (Oct 2020), Sprint 70 (Nov 2020), Sprint 71 (Dec 2020), Sprint 72 (Jan 2021), Sprint 73 (Feb 2021), Sprint 74 (Mar 2021), Sprint 75 (Apr 2021), Sprint 76 (May 2021), Sprint 77 (Jun 2021), Sprint 78 (Jul 2021), Sprint 79 (Aug 2021)
Zabbix server service does not start with SELinux enabled.
Unable to access socket files in /var/run/zabbix
DAC permissions are correct.
This should to be investigated further and documented.
Fix proposed by mchudinov
module zabbix_server_sock 1.0;require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file create;
}
#============= zabbix_t ==============
allow zabbix_t zabbix_var_run_t:sock_file create;
module zabbix_server_sock2 1.0;require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;
}
#============= zabbix_t ==============
#!!!! The file '/run/zabbix/zabbix_server_lld.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/zabbix/zabbix_server_lld.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode' allow zabbix_t self:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow zabbix_t zabbix_var_run_t:sock_file create;
allow zabbix_t zabbix_var_run_t:sock_file unlink;
module zabbix_server_sock3 1.0;
require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;
}
#============= zabbix_t ==============
#!!!! This avc is allowed in the current policy
allow zabbix_t self:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow zabbix_t zabbix_var_run_t:sock_file { create unlink };