[ZBX-14626] selinux issue on zabbix-server RHEL 7.5 Created: 2018 Jul 20  Updated: 2018 Sep 25  Resolved: 2018 Sep 25

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: Cyril Lopez Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBX-14695 zabbix 3.4.12 can't start Closed

 Comments   
Comment by Cyril Lopez [ 2018 Jul 20 ]

Similar to ZBX-12567, but on a fresh install following https://www.zabbix.com/documentation/4.0/manual/installation/install_from_packages/rhel_centos on RHEL 7.5 and zabbix-server-mysql-4.0.0-1.1alpha8.el7.x86_64

The missing SELinux rule should be embedded into the RPM:

allow zabbix_t zabbix_var_run_t:sock_file create; 

 

LOG:

tail /var/log/zabbix/zabbix_server.log
12779:20180720:124456.263 server #17 started poller #1
12785:20180720:124456.268 server #22 started unreachable poller #1
12780:20180720:124456.274 server #18 started poller #2
12787:20180720:124456.279 server #23 started trapper #1
12788:20180720:124456.282 server #24 started trapper #2
12790:20180720:124456.285 server #26 started trapper #4
12782:20180720:124456.285 server #20 started poller #4
12794:20180720:124456.287 server #30 started preprocessing manager #1
12794:20180720:124456.287 cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.
12752:20180720:124456.296 One child process died (PID:12794,exitcode/signal:1). Exiting ...

tail /var/log/audit/audit.log -f | grep denied
type=AVC msg=audit(1532105096.286:386): avc: denied { create } for pid=12794 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file

ls -lZ /var/run/zabbix/
-rw-rw-r--. zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 zabbix_agentd.pid
-rw-rw-r--. zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 zabbix_server.pid

Comment by Cyril Lopez [ 2018 Jul 20 ]

The workaround from ZBX-12567 is not working

tail /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1532107242.735:424): avc: denied { create } for pid=13396 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1532107253.017:429): avc: denied { create } for pid=13454 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

 

tail /var/log/audit/audit.log | audit2allow -M zabbix

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i zabbix.pp

[root@zabbix ~]# semodule -i zabbix.pp
libsemanage.semanage_direct_install_info: Overriding zabbix module at lower priority 100 with module at priority 400.
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/zabbix/cil:1
semodule: Failed!

Comment by Aigars Kadikis [ 2018 Jul 30 ]

Hello, Cyril!

Is this issue still relevant? You may try:

yum -y install policycoreutils-python
cd
curl https://support.zabbix.com/secure/attachment/53320/zabbix_server_add.te > zabbix_server_add.te
checkmodule -M -m -o zabbix_server_add.mod zabbix_server_add.te
semodule_package -m zabbix_server_add.mod -o zabbix_server_add.pp
semodule -i zabbix_server_add.pp

If SELinux still blocks the functionality, please search carefully for the cause:

grep denied /var/log/audit/audit.log

Also, it is very important which policy name you choose. After you have found your "denied" element, please pick names similar to:

grep "denied.*mysqladmin.*zabbix_agent_t" /var/log/audit/audit.log | audit2allow -M mysqladmin_zabbix_agent_t
grep "denied.*mysql.*zabbix_agent_t" /var/log/audit/audit.log | audit2allow -M mysql_zabbix_agent_t
grep "denied.*zabbix_server.*zabbix_script_t" /var/log/audit/audit.log | audit2allow -M zabbix_server_zabbix_script_t
grep "denied.*zabbix_agentd.*zabbix_agent_t" /var/log/audit/audit.log | audit2allow -M zabbix_agentd_zabbix_agent_t

Regards,

Comment by Aigars Kadikis [ 2018 Jul 30 ]

It feels like with 7.5 I need to add:

grep "comm.*zabbix_server.*zabbix_t" /var/log/audit/audit.log | audit2allow -M comm_zabbix_server_zabbix_t
semodule -i comm_zabbix_server_zabbix_t.pp

and ZBX-12567 does not help.

Regards,

Comment by Cyril Lopez [ 2018 Aug 08 ]

Hello Aigars

Your last comment works.

 

[root@zabbix ~]# cat comm_zabbix_server_zabbix_t.te

module comm_zabbix_server_zabbix_t 1.0;

require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;
}

#============= zabbix_t ==============

#!!!! The file '/run/zabbix/zabbix_server_preprocessing.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t zabbix_var_run_t:sock_file { create unlink };

 

[root@zabbix ~]# ls -lZ /run/zabbix/zabbix_server_preprocessing.sock
srwx------. zabbix zabbix system_u:object_r:zabbix_var_run_t:s0 /run/zabbix/zabbix_server_preprocessing.sock

 

Thanks
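
Added example (not part of the original ticket and not Zabbix's or audit2allow's own code): a small parser that turns AVC denials into a type enforcement module limited to one source domain, and refuses a module name that is already installed, the situation behind the "Overriding zabbix module" failure above. The module name zabbix_server_sock, the installed-module list and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the ticket; the other two are constructed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1532105096.286:386): avc: denied { create } for pid=12794 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1532105200.101:401): avc: denied { unlink } for pid=12794 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1532105300.500:410): avc: denied { read } for pid=2001 comm="httpd" name="secret" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)")

def collect_rules(audit_text, domain):
    """Group denied permissions by (target type, class) for one source domain."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("stype") == domain:  # ignore denials from other domains
            target = "self" if m.group("ttype") == domain else m.group("ttype")
            rules[(target, m.group("tclass"))].update(m.group("perms").split())
    return rules

def render_module(name, domain, rules, installed_modules=()):
    """Render a .te module; reject a name that would override an installed module."""
    if name in installed_modules:
        raise ValueError(f"module name {name!r} would override an installed module")
    types = sorted({domain} | {t for t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # "zabbix_server_sock" is a hypothetical name; take real names from `semodule -l`.
    print(render_module("zabbix_server_sock", "zabbix_t",
                        collect_rules(SAMPLE_AUDIT, "zabbix_t"), ["zabbix"]))
```

The rendered text can be compiled and loaded with the checkmodule, semodule_package and semodule -i steps quoted earlier in the thread.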
