[ZBX-7537] zabbix agent can't get proc.num[anyproc] when selinux is in enforcing mode ScientificLinux 6.3 Created: 2013 Dec 13  Updated: 2017 May 30  Resolved: 2013 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 2.0.10
Fix Version/s: None

Type: Incident report Priority: Critical
Reporter: Michal Paal Assignee: Unassigned
Resolution: Won't fix Votes: 1
Labels: selinux
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

ScientificLinux 6.3


Issue Links:
Duplicate

 Description   

After autoupdate from your repository, zabbix agent stopped collectiong proc.cum items on machines with enforcing selinux. Previously we had 2.0.9 and it was working fine. No changes were made to machine since 2.0.9

Line from audit.log (we had many of these in logs with variating PID)

type=SYSCALL msg=audit(1386919882.361:4431138): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2fcb5b90 a1=7fff2fcb42c0 a2=7fff2fcb42c0 a3=0 items=0 ppid=21023 pid=21028 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid
=496 fsgid=496 tty=(none) ses=77988 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(1386919882.361:4431139): avc: denied

{ getattr }

for pid=21028 comm="zabbix_agentd" path="/proc/52/cmdline" dev=proc ino=112758410 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 t
class=file



 Comments   
Comment by Tats Shibata [ 2013 Dec 13 ]

2.2.1 has the same issue. audit2allow doesn't help it because there are various tcontexts in /proc.

Comment by richlv [ 2013 Dec 13 ]

quoting volter from https://www.zabbix.com/forum/showthread.php?t=43550 :

This has nothing to do with the Zabbix update. Check your selinux-policy version:

rpm -q selinux-policy

If that results in 3.7.19-231, you suffer from a policy mistake that was introduced with the 6.5 update:

https://bugzilla.redhat.com/show_bug.cgi?id=1039851
https://bugzilla.redhat.com/show_bug.cgi?id=1032691

Compile and put the suggested policy modules to action as long as it's not fixed upstream.

Comment by Tom Powers [ 2013 Dec 20 ]

And Volker over at Bugzilla is now saying this:
Volker Fröhlich 2013-12-16 15:11:29 EST
Well, they are using a pseudo-placeholder there, but it's commented out:

  1. ExternalScripts=${datadir}/zabbix/externalscripts

However, server and proxy use a hardcoded

CONFIG_EXTERNALSCRIPTS = zbx_strdup(CONFIG_EXTERNALSCRIPTS, DATADIR "/zabbix/externalscripts");

The Fedora/EPEL packages have the same hard-coded values, but override them in the configuration files. As you already concluded, this is not a SELinux issue.

(This is on https://bugzilla.redhat.com/show_bug.cgi?id=1032691, the other has no discussion)

Can we get the two teams to work together and fix this?
It's very annoying.

Thanks
TPP

Generated at Wed Jul 09 13:15:30 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.