Type: Problem report
Resolution: Unresolved
Priority: Trivial
Affects Version/s: 7.4.10
Component/s: Agent2 (G)
Environment: Fedora Linux 43
Steps to reproduce:
- You have a system (possibly a Zabbix Server) where you want the agent to run as a different user, so you configure the systemd unit file and the Zabbix agent 2 configuration file as follows:

#PidFile=/run/zabbix/zabbix_agent2.pid
PidFile=/run/zabbix_agent/zabbix_agent2.pid
#LogFile=/var/log/zabbix/zabbix_agent2.log
LogFile=/var/log/zabbix_agent/zabbix_agent2.log
#PluginSocket=/run/zabbix/agent.plugin.sock
PluginSocket=/run/zabbix_agent/agent.plugin.sock
#ControlSocket=/run/zabbix/agent.sock
ControlSocket=/run/zabbix_agent/agent.sock

/etc/systemd/system/zabbix-agent2.service.d/override.conf

[Service]
User=zabbix-agent2
Group=zabbix-agent2
PIDFile=/run/zabbix_agent/zabbix_agent2.pid
RuntimeDirectory=zabbix_agent
LogsDirectory=zabbix_agent

- It works up until 7.4.9; after updating to 7.4.10, the SELinux label is incorrectly applied to the socket upon agent startup (see results) and communication with the local Zabbix Server is not possible anymore.
- Have to put SELinux in permissive mode or create a local policy to allow communication.

May 19 06:16:54 itmil01pzbs01 audit[3428]: AVC avc: denied { create } for pid=3428 comm="zabbix_agent2" name="agent.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

- On a vanilla installation where paths are not modified, the SELinux label is applied to the socket correctly.
Result:
The socket in /var/run/zabbix_agent is created with incorrect label.
$ ls -lahZ /var/run/zabbix*
/var/run/zabbix:
total 4.0K
drwxr-xr-x. 2 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 260 May 19 06:14 .
drwxr-xr-x. 47 root root system_u:object_r:var_run_t:s0 1.3K May 19 06:17 ..
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_alerter.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_availability.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_config.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_discoverer.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_haservice.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_lld.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_pgservice.sock
rw-r----. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 3 May 19 06:14 zabbix_server.pid
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_preprocessing.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_rtc.sock
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_service.sock
/var/run/zabbix_agent:
total 4.0K
drwxr-xr-x. 2 zabbix-agent2 zabbix-agent2 system_u:object_r:var_run_t:s0 80 May 19 06:17 .
drwxr-xr-x. 47 root root system_u:object_r:var_run_t:s0 1.3K May 19 06:17 ..
srwx------. 1 zabbix-agent2 zabbix-agent2 system_u:object_r:var_run_t:s0 0 May 19 06:17 agent.sock
rw-r----. 1 zabbix-agent2 zabbix-agent2 system_u:object_r:zabbix_var_run_t:s0 4 May 19 06:17 zabbix_agent2.pid
Expected:
The label zabbix_var_run is applied to the socket file.
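
A triage check for the symptom reported above, as an added example that is not part of the original report or of Zabbix: it summarizes AVC denials and lists the entries of an `ls -lZ` listing whose SELinux type differs from an expected one. The function names are hypothetical, the sample input is trimmed from the output quoted above, and passing `zabbix_var_run_t` as the expected type is an assumption taken from the labels shown in that listing.

```shell
#!/usr/bin/env bash
# Sample input: trimmed from the output quoted in the report above.
SAMPLE_AVC='May 19 06:16:54 itmil01pzbs01 audit[3428]: AVC avc: denied { create } for pid=3428 comm="zabbix_agent2" name="agent.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'
SAMPLE_LS='/var/run/zabbix:
total 4.0K
drwxr-xr-x. 2 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 260 May 19 06:14 .
drwxr-xr-x. 47 root root system_u:object_r:var_run_t:s0 1.3K May 19 06:17 ..
srwx------. 1 zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 0 May 19 06:14 zabbix_server_rtc.sock
/var/run/zabbix_agent:
total 4.0K
drwxr-xr-x. 2 zabbix-agent2 zabbix-agent2 system_u:object_r:var_run_t:s0 80 May 19 06:17 .
drwxr-xr-x. 47 root root system_u:object_r:var_run_t:s0 1.3K May 19 06:17 ..
srwx------. 1 zabbix-agent2 zabbix-agent2 system_u:object_r:var_run_t:s0 0 May 19 06:17 agent.sock
rw-r----. 1 zabbix-agent2 zabbix-agent2 system_u:object_r:zabbix_var_run_t:s0 4 May 19 06:17 zabbix_agent2.pid'

# avc_summary (hypothetical helper): AVC records on stdin ->
# "comm perms tclass name source_type target_type", one line per denial.
avc_summary() {
  awk '/avc: +denied/ {
    split("", f)                                  # reset the key=value map
    o = index($0, "{"); c = index($0, "}")        # denied permissions sit in { }
    perms = substr($0, o + 1, c - o - 1)
    gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      if (eq) { v = substr($i, eq + 1); gsub(/"/, "", v); f[substr($i, 1, eq - 1)] = v }
    }
    split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
    print f["comm"], perms, f["tclass"], f["name"], s[3], t[3]
  }'
}

# mislabelled EXPECTED_TYPE (hypothetical helper): `ls -lZ` output on stdin ->
# "path type" for every entry, and for the directory itself ("."), whose type
# differs. Expects the "dir:" headers ls prints when given several directories.
mislabelled() {
  awk -v want="$1" '
    NF == 1 && /:$/ { dir = substr($0, 1, length($0) - 1); next }
    NF >= 10 && split($5, c, ":") >= 4 && $NF != ".." && c[3] != want {
      p = ($NF == "." ? dir : dir "/" $NF)
      print p, c[3]
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_LS" | mislabelled zabbix_var_run_t
```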