Zabbix on CentOS/RHEL 6.5: Fixing SELinux Errors
One of my OpenShift Origin servers has lots of these messages in /var/log/messages:

Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 4dbe6e60-5c4e-47cb-9b7d-040260fc38e0
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a

The errors are somewhat related to the ZBX-7537 bug report. Following the links there takes us to Red Hat BZ 1032691 - [selinux policy] Zabbix agent monitoring access denied. The cure is to create an SELinux module that fixes these errors; let's call it zabbix-fix. You may call it something else, but beware that the module name inside the TE file must match the TE filename and the PP filename.

zabbix-fix.te

    policy_module(zabbix-fix, 1.0)

    require {
        type zabbix_agent_t;
        type zabbix_t;
        type ping_t;
        type zabbix_tmp_t;
    }

    # Let ping read Zabbix temporary files and use Zabbix's TCP sockets
    allow ping_t zabbix_tmp_t:file read_file_perms;
    allow ping_t zabbix_t:tcp_socket { read write };

    # Let the agent read /proc/net, the /proc entries of all domains
    # (the cmdline denials above) and sysfs
    kernel_read_network_state(zabbix_agent_t)
    domain_read_all_domains_state(zabbix_agent_t)
    dev_read_sysfs(zabbix_agent_t)

    # Let the agent open TCP connections to any port
    corenet_tcp_connect_all_ports(zabbix_agent_t)

Create the file zabbix-fix.te with the above contents, then compile the module and install it.

    make -f /usr/share/selinux/devel/Makefile zabbix-fix.pp
    semodule -i zabbix-fix.pp

After the module was installed, the errors no longer show in /var/log/messages.
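One way to check the log before and after installing the module, as an added example that is not part of the original post: it parses the setroubleshoot line format quoted above, summarises denials per binary, and counts denials logged after a recorded line number. The function names, the sample lines and their sealert IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the setroubleshoot
# syslog format quoted above; sample lines and sealert IDs are constructed.

# summarize_denials FILE
# Prints "COUNT BINARY ACCESS CLASS TARGET" per distinct denial,
# most frequent first. Lines in other formats are ignored.
summarize_denials() {
    sed -n 's/^.* setroubleshoot: SELinux is preventing \([^ ]*\) from \(.*\) access on the \([^ ]*\) \(.*\)\. For complete SELinux messages.*$/\1 \2 \3 \4/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# denials_since FILE LINE BINARY
# Counts denials for BINARY logged after line number LINE, so only
# entries written after the module was installed are considered.
denials_since() {
    tail -n +"$(( $2 + 1 ))" "$1" |
        grep -cF "setroubleshoot: SELinux is preventing $3 from " || true
}

# sample_log: constructed input (two agent denials, one ping denial,
# one unrelated line).
sample_log() {
    cat <<'EOF'
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Sep 28 22:15:21 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Sep 28 22:15:22 broker setroubleshoot: SELinux is preventing /bin/ping from read access on the file example.tmp. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Sep 28 22:15:23 broker sshd[1234]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2
EOF
}
```

Record `wc -l < /var/log/messages` just before running `semodule -i` and pass that number to `denials_since` once the agent has run its checks again; a result of 0 means no new denials were logged for that binary. The line offset is only meaningful until the log is rotated.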
Summary
We need to install a custom SELinux policy module to enable Zabbix on RHEL/CentOS 6.5 servers.