ZABBIX Forums  
#1  21-09-2017, 13:23
Magnus (Junior Member, Join Date: Jun 2016, Posts: 7)
Zabbix 3.4 documentation SELinux

Hi!
I have had some problems getting Zabbix 3.4 to work on CentOS 7, and it seems I'm not alone with zabbix-server.service refusing to start.

In the docs, at 4 - Installation - 4 - Installation from packages - 1 - RHEL/CentOS
There is a section about SELinux in enforced mode and suggested solution is
# setsebool -P httpd_can_connect_zabbix on

But this doesn't seem to work, or isn't enough...

These are the error messages that I get:
1. Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details.
2. PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start.

I have tried quite a few suggestions from different forums as well as zabbix bug reports.
For example:
Reinstall OS, reinstall Zabbix, database and everything else.
Restarted services, network, and so on...

# install policycoreutils-python
# cat /var/log/audit/audit.log | grep zab | audit2allow -M zabbix-server
# semodule -i zabbix-server.pp

# setsebool -P httpd_can_network_connect on
# setsebool -P httpd_can_connect_zabbix on
# setsebool -P zabbix_can_network on
Disable the firewall etc...

When I disabled the firewall, the service actually started just to shut down again a second later.

The only thing I have found that solves this for me is to set SELinux to permissive, which still results in error message nr 2 above, but the service stays active and seems to work in my frontend.

So... my suggestion is to change the documentation to recommend disabling SELinux (set permissive) until a bugfix is in place.

Hope this wasn't TL/DR

#2  23-09-2017, 12:56
vso (Member, Join Date: Aug 2016, Posts: 36)

Have you tried troubleshooting?
For example:
sealert -a /var/log/audit/audit.log

#3  23-09-2017, 14:14
panicos (Junior Member, Join Date: Sep 2017, Posts: 3)

Quote:
Originally Posted by vso
Have you tried troubleshooting?
For example:
sealert -a /var/log/audit/audit.log

I also have the same issue:
Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details.

[root@NGSRV3 ~]# sudo systemctl status zabbix-server
● zabbix-server.service - Zabbix Server
Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: resources) since Sat 2017-09-23 14:18:33 EEST; 1s ago
Process: 18084 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
Process: 15745 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
Main PID: 18083 (code=exited, status=1/FAILURE)

Sep 23 14:18:33 NGSRV3 systemd[1]: zabbix-server.service never wrote its PID file. Failing.
Sep 23 14:18:33 NGSRV3 systemd[1]: Failed to start Zabbix Server.
Sep 23 14:18:33 NGSRV3 systemd[1]: Unit zabbix-server.service entered failed state.
Sep 23 14:18:33 NGSRV3 systemd[1]: zabbix-server.service failed.

And the command suggested by you does not show anything:

Sep 23 14:18:33 NGSRV3 systemd[1]: zabbix-server.service failed.
[root@NGSRV3 ~]# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

What else to do/check?

#4  27-09-2017, 20:26
vso (Member, Join Date: Aug 2016, Posts: 36)

There are many possibilities to analyse, this one is good:
https://fedoramagazine.org/troubleshooting-selinux/

#5  26-10-2017, 16:24
Delik (Junior Member, Join Date: Sep 2017, Posts: 10)

Try
semanage permissive -a zabbix_agent_t

#6  09-11-2017, 18:09
Neighbour (Junior Member, Join Date: Nov 2017, Posts: 2)

I'm using this selinux policy file on top of the already mentioned booleans, and that seems to work. Had to update it a bit with new policies when upgrading from 3.2 to 3.4 (name this file `zabbix-server.te`):

Code:
module zabbix-server 1.0;

require {
    type zabbix_t;
    type var_lib_t;
    type fs_t;
    type httpd_t;
    type http_cache_port_t;
    type tmp_t;
    class process setrlimit;
    class file { create append getattr open };
    class filesystem getattr;
    class tcp_socket name_connect;
    class sock_file { create write unlink };
}

#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;
allow zabbix_t var_lib_t:file { create append getattr open };
allow zabbix_t fs_t:filesystem getattr;
allow httpd_t http_cache_port_t:tcp_socket name_connect;
allow zabbix_t tmp_t:sock_file { create write unlink };

use

Code:
checkmodule -M -m -o zabbix-server.mod zabbix-server.te

and

Code:
semodule_package -o zabbix-server.pp -m zabbix-server.mod

to create the .pp-file which you then install with

Code:
semodule -i zabbix-server.pp

You were going well with the

Code:
cat /var/log/audit/audit.log | grep zab | audit2allow -M zabbix-server

-method, however, the problem here is that zabbix requires the right to say, create a tmp_t:sock_file, which is where it fails to start, but once you give it that right (by creating and installing a policy that allows it to), it will try to write to that file (and later on unlink (delete) it).
As such, you would need multiple runs in order to catch them all (or create your own policy-file and update it with whatever zabbix seems to need next).

Note that this policy probably allows a few more things than zabbix minimally needs, but that is because of the things I need zabbix to be able to do on my end. You could try to remove some items and see if it still works, but I'm not going through that hassle unless I really really have to.

Good luck
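
Added example, not part of any post in this thread: a Python sketch of the kind of merge that turns AVC denials into allow rules, showing why an enforcing-mode log yields only the first sock_file denial while a permissive run exposes create, write and unlink in one pass, and why rules are better scoped per source domain than by `grep zab`. The log records, PIDs, socket name and the names `allow_rules`, `ENFORCING_RUN` and `PERMISSIVE_RUN` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records: enforcing mode stops at the first denial.
ENFORCING_RUN = """\
type=AVC msg=audit(1506165513.120:902): avc:  denied  { create } for  pid=2001 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
"""
# Constructed records from a permissive run: later denials are logged too.
PERMISSIVE_RUN = """\
type=AVC msg=audit(1506165600.101:911): avc:  denied  { setrlimit } for  pid=2050 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process permissive=1
type=AVC msg=audit(1506165600.120:912): avc:  denied  { create } for  pid=2050 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506165600.121:913): avc:  denied  { write } for  pid=2050 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506165660.500:914): avc:  denied  { unlink } for  pid=2050 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506165670.010:915): avc:  denied  { name_connect } for  pid=2100 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""

# Pull permissions, source type, target type and object class from one record.
AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def allow_rules(log_text, domain):
    """Merge AVC denials whose source type is `domain` into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC.search(line)
        if m and m["src"] == domain:
            target = "self" if m["tgt"] == domain else m["tgt"]
            merged[(target, m["cls"])].update(m["perms"].split())
    rules = []
    for (target, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {domain} {target}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("enforcing :", allow_rules(ENFORCING_RUN, "zabbix_t"))
    print("permissive:", allow_rules(PERMISSIVE_RUN, "zabbix_t"))
    print("httpd_t   :", allow_rules(PERMISSIVE_RUN, "httpd_t"))
```

Reviewing the generated rules per domain before building the module keeps unrelated grants, such as the httpd_t one, out of a policy meant for zabbix_t.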