zabbix-selinux-policy package missing %posttrans relabeling - SELinux contexts not applied after installation


    • Type: Patch request
    • Resolution: Unresolved
    • Priority: Trivial
    • Affects Version/s: None
    • Component/s: None

      Summary
      The zabbix-selinux-policy package installs the SELinux policy module but does not run restorecon to apply file contexts to existing directories. This causes Zabbix services to fail on SELinux-enforcing systems with "permission denied" errors when accessing /var/lib/zabbix, /var/log/zabbix, or /run/zabbix.
      Environment
      OS: AlmaLinux 10 (also affects RHEL 9/10, Rocky, Alma)
      Package: zabbix-selinux-policy-7.4.5-release2.el10.x86_64
      SELinux: Enforcing
      Steps to Reproduce
      Fresh install AlmaLinux 10 with SELinux enforcing
      Install Zabbix repository and packages:
      dnf install -y zabbix-proxy-sqlite3 zabbix-selinux-policy
      Start Zabbix proxy:
      systemctl start zabbix-proxy
      Expected Result
      Zabbix proxy starts successfully. Directory /var/lib/zabbix has SELinux context zabbix_var_lib_t.
      Actual Result
      Zabbix proxy fails to start with error:
      cannot open database file "/var/lib/zabbix/zabbix_proxy.db": [2] No such file or directory
      [Z3001] connection to database '/var/lib/zabbix/zabbix_proxy.db' failed: [0] unable to open database file
      SELinux audit log shows:
      type=AVC msg=audit(...): avc: denied { create } for pid=1802 comm="zabbix_proxy" name="zabbix_proxy.db" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      Directory has incorrect context:
      # ls -laZ /var/lib/zabbix/
      drwxr-xr-x. 2 zabbix zabbix system_u:object_r:var_lib_t:s0 ...
      Should be zabbix_var_lib_t, not var_lib_t.
      Root Cause Analysis
      The zabbix-selinux-policy package postinstall script only loads the policy module:
      # rpm -q --scripts zabbix-selinux-policy
      postinstall scriptlet (using /bin/sh):
      semodule -i /usr/share/selinux/packages/zabbix/zabbix_policy.pp
      The policy correctly defines file contexts:
      # semanage fcontext -l | grep zabbix
      /var/lib/zabbix(/.*)?    all files    system_u:object_r:zabbix_var_lib_t:s0
      However, the package never runs restorecon to apply these contexts to existing directories.
      Comparison with Fedora Package
      Fedora's zabbix-selinux package (spec file) correctly uses SELinux RPM macros:
      %pre selinux
      %selinux_relabel_pre -s %{selinuxtype}

      %post selinux
      %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2

      %posttrans selinux
      %selinux_relabel_post -s %{selinuxtype}

      The %selinux_relabel_post macro runs restorecon on affected paths after the transaction completes.
      Suggested Fix
      Update zabbix-selinux-policy.spec to use standard SELinux RPM macros, or add explicit restorecon calls:
      %post
      semodule -i /usr/share/selinux/packages/zabbix/zabbix_policy.pp
      restorecon -R /var/lib/zabbix /var/log/zabbix /run/zabbix 2>/dev/null || :
      Workaround
      Users must manually run after installation:
      restorecon -Rv /var/lib/zabbix /var/log/zabbix /run/zabbix
      systemctl restart zabbix-proxy # or zabbix-server
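The following script is an added example and is not code from this report or from the zabbix-selinux-policy package. It shows two ways to confirm the mislabeling the report describes: a parser that picks out, from audit records, the denials that are caused by a missing relabel (zabbix_t touching a filesystem object whose type is still a generic one such as var_lib_t rather than a zabbix_* type), and a dry-run restorecon check for a live host. The only label it takes as fact is the fcontext spec quoted above (/var/lib/zabbix(/.*)? is zabbix_var_lib_t); the audit lines, the FCONTEXT_SPECS table and the "not a zabbix_* type" heuristic are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for this report. It is not code from the report or from the
# zabbix-selinux-policy package. Assumes POSIX sh plus awk; restorecon is only
# needed for live_check. The one label taken from the report is the fcontext
# spec it quotes (/var/lib/zabbix(/.*)? -> zabbix_var_lib_t); the sample audit
# lines and the "generic type" heuristic are constructed for the demonstration.

# fcontext specs as "regex type", one per line. Only the entry the report
# shows is included; add the others from `semanage fcontext -l | grep zabbix`.
FCONTEXT_SPECS='/var/lib/zabbix(/.*)? zabbix_var_lib_t'

# Constructed audit records, not a real capture. Record 321 mirrors the denial
# in the report: zabbix_t creating a file under a directory still labelled
# var_lib_t. Records 322 and 323 are zabbix_t denials that are NOT labelling
# problems (a port, and a file already carrying a zabbix_* type).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:321): avc:  denied  { create } for  pid=1802 comm="zabbix_proxy" name="zabbix_proxy.db" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:321): arch=c000003e syscall=257 success=no exit=-13 comm="zabbix_proxy"
type=AVC msg=audit(1700000000.102:322): avc:  denied  { name_connect } for  pid=1802 comm="zabbix_proxy" dest=10051 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:323): avc:  denied  { write } for  pid=1802 comm="zabbix_proxy" name="zabbix_proxy.db" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=file permissive=0'

# Read audit records on stdin; print "name tcontext_type" for each denial
# where zabbix_t touched a filesystem object whose type is not a zabbix_*
# type. Those are the denials a missing restorecon produces: the policy
# grants zabbix_t access to zabbix_var_lib_t, not to var_lib_t.
mislabeled_targets() {
    awk '
    $1 == "type=AVC" && /scontext=[^ ]*:zabbix_t:/ {
        n = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { n = substr($i, 6); gsub(/"/, "", n) }
            if ($i ~ /^tcontext=/) { split($i, p, ":"); t = p[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (c ~ /^(file|dir|lnk_file|sock_file|fifo_file)$/ && t != "" && t !~ /^zabbix_/)
            print n, t
    }'
}

# Type the fcontext table assigns to a path (empty if no spec matches).
expected_type() {
    printf '%s\n' "$FCONTEXT_SPECS" | awk -v path="$1" '
        path ~ ("^" $1 "$") { print $2; exit }'
}

# Type field of a context string such as system_u:object_r:var_lib_t:s0.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 = label matches the spec, 1 = mislabeled, 2 = no spec for this path.
check_path_label() {
    want=$(expected_type "$1")
    [ -n "$want" ] || return 2
    [ "$(label_type "$2")" = "$want" ]
}

# Live check on a real host: restorecon -n -v lists what it WOULD relabel.
# 0 = nothing to do, 1 = mislabeled paths printed, 2 = no restorecon or bad path.
live_check() {
    command -v restorecon >/dev/null 2>&1 || return 2
    out=$(restorecon -R -n -v "$@" 2>/dev/null) || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demonstration on the constructed records: only record 321 is reported.
printf '%s\n' "$SAMPLE_AVC" | mislabeled_targets
```

On a live host, `live_check /var/lib/zabbix /var/log/zabbix /run/zabbix` only says something useful once those directories exist, which is also why the relabel belongs in %posttrans rather than %post: when zabbix-selinux-policy and zabbix-proxy are installed in one dnf transaction, the policy package's %post can run before the proxy package has created /var/lib/zabbix, so a restorecon there finds nothing to fix.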

Assignee: Zabbix Support Team
Reporter: Stanislav
Votes: 0
Watchers: 1