[ZBX-20846] zabbix-agent2 doesn't include selinux context when installed from Zabbix repo
Created: 2022 Apr 05  Updated: 2025 Mar 13

Status: Confirmed
Project: ZABBIX BUGS AND ISSUES
Component/s: Packages (C)
Affects Version/s: 5.0.21
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Skyler M Assignee: Zabbix Development Team
Resolution: Unresolved Votes: 5
Labels: agent2
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS 8 Stream


Issue Links:
Duplicate
duplicates ZBX-23058 Zabbix Agent2 has no selinux policy a... READY TO DEVELOP
Sprint: Support backlog

 Description   

Steps to reproduce:

  1. Install zabbix-agent2 on CentOS 8
  2. Have selinux enabled
  3. Check contexts after service is started with sudo ps -eZ
  4. Notice that it's unconfined_service_t.

Result:
system_u:system_r:unconfined_service_t:s0 231430 ? 00:54:08 zabbix_agent2
Expected:
Something unique to zabbix_agent2 so that selinux modules can be built for it.
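
Added example, not part of the original report: the check from the steps above as a script that reads `ps -eZ` output and lists processes left in an unconfined domain. The list of unconfined types, the function names and every sample line except the zabbix_agent2 one are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the ticket): report processes from `ps -eZ`
# output whose SELinux type is one of the unconfined catch-all domains.

# Assumption: types treated as "unconfined"; adjust for the local policy.
UNCONFINED_TYPES="unconfined_service_t unconfined_t initrc_t"

# unconfined_procs PATTERN < ps_eZ_output
# Expects the `ps -eZ` columns: LABEL PID TTY TIME CMD.
# Prints "PID TYPE CMD" for every process whose CMD matches PATTERN (awk
# regex) and whose context type is listed in UNCONFINED_TYPES.
unconfined_procs() {
    awk -v pat="$1" -v bad="$UNCONFINED_TYPES" '
        BEGIN {
            n = split(bad, t, " ")
            for (i = 1; i <= n; i++) unconfined[t[i]] = 1
        }
        $5 ~ pat {
            # A context is user:role:type:level. The level can contain
            # colons itself (s0-s0:c0.c1023), so take field 3 by position
            # instead of counting from the end.
            if (split($1, ctx, ":") < 4) next   # "-" on non-SELinux hosts
            if (ctx[3] in unconfined) print $2, ctx[3], $5
        }
    '
}

# Constructed sample in `ps -eZ` format. The zabbix_agent2 line is the one
# from the ticket; the other lines are made up for illustration.
sample_ps_output() {
    cat <<'EOF'
LABEL                                PID TTY          TIME CMD
system_u:system_r:zabbix_agent_t:s0 3408 ?        00:00:00 zabbix_agentd
system_u:system_r:unconfined_service_t:s0 231430 ? 00:54:08 zabbix_agent2
system_u:system_r:zabbix_agent_t:s0-s0:c0.c1023 4100 ? 00:00:02 zabbix_agentd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1021 ?  00:00:00 sshd
EOF
}

# On a live host: ps -eZ | unconfined_procs '^zabbix_'
sample_ps_output | unconfined_procs '^zabbix_'
```

An empty result means every matching process runs in a dedicated domain, which makes the function usable as a post-install check for the agent packages.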



 Comments   
Comment by Peter Roka [ 2022 May 05 ]

Hi!

Same issue on Rocky8. Zabbix Agent and Agent2 are installed from the official Zabbix RPM repo, respectively.

 

Zabbix Agent:

ps -efZ | grep zabbix
system_u:system_r:zabbix_agent_t:s0 zabbix  3408       1  0 May03 ?        00:00:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf

 

Zabbix Agent 2:

ps -efZ | grep -i zabbix
system_u:system_r:unconfined_service_t:s0 zabbix 310467 1  0 13:16 ?       00:00:01 /usr/sbin/zabbix_agent2 -c /etc/zabbix/zabbix_agent2.conf

 

Agent2 is running unconfined, while the old Agent has its own SELinux context "zabbix_agent_t". Having Agent2 running in its own context instead of running unconfined is highly desired!

Comment by Mikkel Kruse Johnsen [ 2023 May 30 ]

Any news on this one?

This is very important on systems running in HIPAA mode.

Comment by Elina Kuzyutkina (Inactive) [ 2023 Jun 22 ]

Now there are separate packages with default SELinux policies available. (They are the same for the 5.0 version too.)

Regards, Elina

Comment by Peter Roka [ 2023 Jun 27 ]

"Now there are separate packages with default SELinux policies available. (They are the same for the 5.0 version too.)
Regards, Elina"

Dear Elina!

I have just installed an instance of zabbix-agent2 v5.0.35 using the package from the official RPM repository, but it still runs unconfined.

 

 ps -efZ | grep zabbix
system_u:system_r:unconfined_service_t:s0 zabbix 3199919 1  0 11:58 ?      00:00:06 /usr/sbin/zabbix_agent2 -c /etc/zabbix/zabbix_agent2.conf

 

It is the same for zabbix-agent2 v6.0.18:

ps -efZ | grep zabbix
system_u:system_r:unconfined_service_t:s0 zabbix 3208949 1  0 12:34 ?      00:00:00 /usr/sbin/zabbix_agent2 -c /etc/zabbix/zabbix_agent2.conf

 

Installing zabbix-selinux-policy package for v6.0.18 did not make any difference, as a policy will have little effect on any service that is not properly tagged! Please let me know if something more or else is needed to be done!

 

Best regards,

Peter

Comment by Pr2 [ 2023 Jul 05 ]

Hello,

This is how I fix this issue, based on this:

https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/420778-selinux-and-zabbix-server#post435873

I have installed the zabbix-agent2 6.0.19 packages on AlmaLinux.

Assuming that your zabbix-agent2 is running with the zabbix user:

sudo chown zabbix:root /run/zabbix/
sudo chmod 775 /run/zabbix/

And SELinux is running:

sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

My Zabbix agent2 is running properly.

For your information I also need to open up AlmaLinux Firewall port:

sudo firewall-cmd --zone=public --add-port 10050/tcp --permanent
sudo firewall-cmd --zone=public --list-ports
sudo firewall-cmd --reload

Comment by Andrey Tocko (Inactive) [ 2024 Apr 12 ]

Made an extension to the default zabbix_agent_t domain of SELinux to include agent2 in the same domain.
It's in CIL format, which can be applied without compiling.
https://github.com/zabbix/ansible-collection/blob/main/roles/agent/templates/zabbix_agent_extend.cil.j2
We have it in the official Zabbix Ansible role, which applies the mentioned extension by default on a target machine if SELinux is present.
https://github.com/zabbix/ansible-collection/blob/main/roles/agent/README.md
<edgar.akhmetshin>: Thank you, atocko, but this also should be provided with packages

Generated at Tue Jun 17 08:03:59 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.