  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18764

Wrong SocketDir path resolution when symlink, results in SELinux error

Details

    • Problem report
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • 5.2.2
    • None
    • Server (S)
    • None

    Description

      This seems not to be one of the common (and custom) SELinux problems, but one with the Zabbix internal path usage.

      Steps to reproduce:

      Install Zabbix 5.2.2 from Zabbix repository on RHEL 8, no custom configuration except for database credentials.

      Result:
      Using Zabbix 5.2.2 from the Zabbix RHEL Repository and this configuration:

      SocketDir=/var/run/zabbix

      together with this common and default symlink (i.e. Debian, RHEL):

      # ls -la /var/run
        lrwxrwxrwx. 1 root root 6 Nov 6 16:49 /var/run -> ../run

      will result in these three SELinux errors after starting the server daemon:

      setroubleshoot[xxx]: failed to retrieve rpm info for /run/zabbix/zabbix_server_preprocessing.sock
      setroubleshoot[xxx]: SELinux is preventing /usr/sbin/zabbix_server_mysql from connectto access on the unix_stream_socket /run/zabbix/zabbix_server_preprocessing.sock.

      [...]

      setroubleshoot[xxx]: failed to retrieve rpm info for /run/zabbix/zabbix_server_alerter.sock
      setroubleshoot[xxx]: SELinux is preventing /usr/sbin/zabbix_server_mysql from connectto access on the unix_stream_socket /run/zabbix/zabbix_server_alerter.sock.

      [...]

      setroubleshoot[xxx]: failed to retrieve rpm info for /run/zabbix/zabbix_server_lld.sock
      setroubleshoot[xxx]: SELinux is preventing /usr/sbin/zabbix_server_mysql from connectto access on the unix_stream_socket /run/zabbix/zabbix_server_lld.sock.

      By default SELinux only allows /var/run, but not /run:

      # semanage fcontext -l | grep zabbix
        /etc/rc\.d/init\.d/(zabbix|zabbix-server) regular file system_u:object_r:zabbix_initrc_exec_t:s0
        /etc/rc\.d/init\.d/zabbix-agentd regular file system_u:object_r:zabbix_agent_initrc_exec_t:s0
        /etc/zabbix/web(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
        /usr/bin/zabbix_agentd regular file system_u:object_r:zabbix_agent_exec_t:s0
        /usr/bin/zabbix_server regular file system_u:object_r:zabbix_exec_t:s0
        /usr/lib/zabbix/externalscripts(/.*)? all files system_u:object_r:zabbix_script_exec_t:s0
        /usr/sbin/zabbix_agentd regular file system_u:object_r:zabbix_agent_exec_t:s0
        /usr/sbin/zabbix_proxy regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_proxy_mysql regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_proxy_pgsql regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_proxy_sqlite3 regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_server regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_server_mysql regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_server_pgsql regular file system_u:object_r:zabbix_exec_t:s0
        /usr/sbin/zabbix_server_sqlite3 regular file system_u:object_r:zabbix_exec_t:s0
        /var/lib/zabbix(/.*)? all files system_u:object_r:zabbix_var_lib_t:s0
        /var/lib/zabbix/externalscripts(/.*)? all files system_u:object_r:zabbix_script_exec_t:s0
        /var/lib/zabbixsrv(/.*)? all files system_u:object_r:zabbix_var_lib_t:s0
        /var/log/zabbix.* all files system_u:object_r:zabbix_log_t:s0
        /var/run/zabbix(/.*)? all files system_u:object_r:zabbix_var_run_t:s0

      That's why I use the default SocketDir supplied with your packages and I would expect that this variable is used for those three sockets, too. But it seems that the variable isn't used for this purpose or that it uses the already resolved path instead (following the symlink and then using the real destination).

      # yum list installed | grep zabbix
        zabbix-agent.x86_64 5.2.2-1.el8 @zabbix
        zabbix-nginx-conf.noarch 5.2.2-1.el8 @zabbix
        zabbix-release.noarch 5.2-1.el8 @System
        zabbix-server-mysql.x86_64 5.2.2-1.el8 @zabbix
        zabbix-web.noarch 5.2.2-1.el8 @zabbix
        zabbix-web-deps.noarch 5.2.2-1.el8 @zabbix
        zabbix-web-mysql.noarch 5.2.2-1.el8 @zabbix

      Expected:
      Zabbix should respect SocketDir and use this path even if it is a symlink.
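
A way to check the path hypothesis above, as an added example that is not part of the original report and not Zabbix code: it matches the file-context patterns from the listing against the configured SocketDir path and against its symlink-resolved form. The `equivalences` argument models `file_contexts.subs`-style path substitutions, which a `grep zabbix` over the listing would not show; the `/run` to `/var/run` entry and all function names are assumptions.

```python
import posixpath
import re

# Constructed sample: three lines copied from the `semanage fcontext -l` output in the report.
FCONTEXT_LISTING = r"""
/var/lib/zabbix(/.*)? all files system_u:object_r:zabbix_var_lib_t:s0
/var/log/zabbix.* all files system_u:object_r:zabbix_log_t:s0
/var/run/zabbix(/.*)? all files system_u:object_r:zabbix_var_run_t:s0
"""
LINE = re.compile(r"^(\S+)\s+(all files|regular file|directory|socket)\s+(\S+)$")


def parse_fcontext(listing):
    """Turn listing lines into (compiled path regex, file class, context) rules."""
    rules = []
    for line in listing.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return rules


def rewrite_prefix(path, mapping, resolve_relative=False):
    """Replace the first matching directory prefix of `path` using `mapping`."""
    for prefix, target in mapping.items():
        if path == prefix or path.startswith(prefix + "/"):
            if resolve_relative:  # a symlink target is relative to the link's parent
                target = posixpath.normpath(posixpath.join(posixpath.dirname(prefix), target))
            return target + path[len(prefix):]
    return path


def expected_context(path, rules, equivalences=None):
    """Context the rules assign to `path`; the last matching rule wins (simplified)."""
    path = rewrite_prefix(path, equivalences or {})
    matches = [ctx for regex, _cls, ctx in rules if regex.fullmatch(path)]
    return matches[-1] if matches else None


if __name__ == "__main__":
    rules = parse_fcontext(FCONTEXT_LISTING)
    configured = "/var/run/zabbix/zabbix_server_alerter.sock"
    # Symlink from the report: /var/run -> ../run
    resolved = rewrite_prefix(configured, {"/var/run": "../run"}, resolve_relative=True)
    print(configured, "->", expected_context(configured, rules))
    print(resolved, "->", expected_context(resolved, rules))
    # Assumed equivalence entry (not shown in the report's grep output).
    print(resolved, "->", expected_context(resolved, rules, {"/run": "/var/run"}))
```

On a live host, compare these results with the labels the sockets actually carry (`ls -Z`) and with the equivalence section at the end of the full `semanage fcontext -l` output.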

          People

            rvaliahmetovs Renats Valiahmetovs (Inactive)
            Ansgar Hegerfeld Ansgar Hegerfeld