SELinux and Zabbix ..

  • Nothing497
    Junior Member
    • Aug 2013
    • 15

    #1

    SELinux and Zabbix ..

    Hello there,

    I'm trying to make a fresh install of Zabbix :
    - CentOS 7 / Zabbix-Server 4.0
    No problems so far, I use the "From packages" method.
    Now I'm facing the real issue : SELinux ...
    When I disable it and restart the machine, the agent of zabbix-server itself has no trouble fetching the data.
    But I would like to leave SELinux activated, and I'm trying to follow some workarounds I found on the web (apparently there are no official guidelines in the Zabbix wiki).
    By the way, I know nothing about SELinux ... Pretty much like John Snow.
    So I create the following text file "zabbix_agent_setrlimit.pp" :

    Code:
    module zabbix_agent_setrlimit 1.0;
    
    require {
        type zabbix_agent_t;
        class process setrlimit;
    }
    
    #============= zabbix_agent_t ==============
    allow zabbix_agent_t self:process setrlimit;
    Code:
    [root@VZABBIX ~]# semodule -i zabbix_agent_setrlimit.pp
    libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x75646f6d (No such file or directory).
    libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
    zabbix_agent_setrlimit: libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x75646f6d
    zabbix_agent_setrlimit: Failed to read policy package
    libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
     (No such file or directory).
    semodule:  Failed!
    I have absolutely no idea how to make this work... If someone who has implemented Zabbix on a machine running SELinux could help me, I would be very grateful.
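
An added example, not part of the original thread: the "got 0x75646f6d" word in the error above is the little-endian encoding of the ASCII text `modu`, which means semodule was handed policy source text rather than a compiled package. The sketch decodes that word and classifies a file by its first bytes; the function names are hypothetical.

```python
import struct

# Magic libsepol expects at the start of a compiled .pp policy package
# (the "expected" value in the semodule error quoted above).
SEPOL_PACKAGE_MAGIC = 0xF97CFF8F

# First lines of the file from post #1 (constructed sample input).
POSTED_FILE = b"module zabbix_agent_setrlimit 1.0;\n\nrequire {\n"

def magic_to_text(word):
    """Map the 32-bit word from a 'got 0x...' message back to file bytes."""
    raw = struct.pack("<I", word)          # libsepol reads it little-endian
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None                            # not printable: genuinely binary

def classify_policy_file(head):
    """Classify a policy file from its leading bytes (hypothetical helper)."""
    if len(head) < 4:
        return "too-short"
    (word,) = struct.unpack("<I", head[:4])
    if word == SEPOL_PACKAGE_MAGIC:
        return "policy-package"            # loadable with semodule -i
    if head.lstrip().startswith((b"module ", b"policy_module(")):
        return "te-source"                 # must be compiled first
    return "unknown"

if __name__ == "__main__":
    print(magic_to_text(0x75646F6D))
    print(classify_policy_file(POSTED_FILE))
```

Source in this form is normally saved as `.te` and built with `checkmodule -M -m -o zabbix_agent_setrlimit.mod zabbix_agent_setrlimit.te` followed by `semodule_package -o zabbix_agent_setrlimit.pp -m zabbix_agent_setrlimit.mod` before running `semodule -i`.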
  • ingus.vilnis
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist
    Zabbix Certified Professional
    • Mar 2014
    • 908

    #2
    Hi,

    SELinux is generating lots of messages in /var/log/audit/audit.log file.

    The idea is to look for "denied" messages and make them allowed.

    For this there are some handy command line tools.
    Code:
    # yum install policycoreutils-python
    Now you can generate a custom SELinux policy file for Zabbix, e.g. zabbix_server_custom.
    Code:
    # grep zabbix_t /var/log/audit/audit.log | audit2allow -M zabbix_server_custom
    You can look at the contents of the created file in the current directory.

    Load newly created Zabbix server policy module into the current SELinux policy.
    Code:
    # semodule -i zabbix_server_custom.pp
    Zabbix server might not be able to start properly due to still missing SELinux rules.

    Repeat this set of commands at least three times and check the Zabbix server log after each of them. It is because every time a new SELinux rule is added Zabbix server gets a step further and gets logged into audit log. Thus it is possible to pick up new issues and add them to the custom SELinux policy.


    Remove the policy files after they have been added successfully.
    Code:
    # rm zabbix_server_custom.*

    You may want to review these settings as well:
    Code:
    # getsebool -a | grep zabbix
    And permanently enable them if needed:
    Code:
    # setsebool -P zabbix_can_network=1
    Hope this helps.

    • Nothing497

      #3
      Hi Ingus,
      Thanks for your reply.
      I followed your instructions (I repeated the sequence 7 times).
      At first I couldn't start zabbix-server daemon, but now it seems that it's starting and running fine.
      But I feel like there are still things denied by SELinux :

      Code:
      type=SYSCALL msg=audit(1539775642.070:1541): arch=c000003e syscall=87 success=no exit=-13 a0=55db6c8f0a20 a1=0 a2=7f3482eb27b8 a3=40 items=0 ppid=2098 pid=2131 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server_mysql" subj=system_u:system_r:zabbix_t:s0 key=(null)
      type=AVC msg=audit(1539775642.073:1542): avc:  denied  { unlink } for  pid=2132 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=19182 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
      type=SYSCALL msg=audit(1539775642.073:1542): arch=c000003e syscall=87 success=no exit=-13 a0=55db6c8f0a20 a1=0 a2=7f3482eb27b8 a3=40 items=0 ppid=2098 pid=2132 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server_mysql" subj=system_u:system_r:zabbix_t:s0 key=(null)
      Do I have to repeat this set of commands again ? Until there is nothing denied in /var/log/audit/audit.log ?
      Or is there something to do with mysql / mariadb ?

      In addition, the frontend looks like it's trying to get data but it's also denied

      [Attached image: zabbix_error.png]

      These settings look good to me:

      Code:
      [root@VZABBIX ~]# getsebool -a | grep zabbix
      httpd_can_connect_zabbix --> on
      zabbix_can_network --> on
      [root@VZABBIX ~]#
      Again, thank you for your help.

      • ingus.vilnis

        #4
        Did you look at what is in zabbix_server.log file?

        For that one audit error you can run:
        Code:
        restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
        But for the frontend errors no idea as I can't see what is in that screenshot. Better paste it as text.

        • Nothing497

          #5
          Woops sorry about that, here it is :

          Code:
          - session_start(): open(/var/lib/php/session/sess_npqd9riighne7qgba5ob40tpg4, O_RDWR) failed: Permission denied (13) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->__construct() → CSession::start() → session_start() in include/classes/core/CSession.php:49]
          - session_write_close(): open(/var/lib/php/session/sess_npqd9riighne7qgba5ob40tpg4, O_RDWR) failed: Permission denied (13) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->__construct() → CSession::start() → session_write_close() in include/classes/core/CSession.php:53]
          - session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->__construct() → CSession::start() → session_write_close() in include/classes/core/CSession.php:53]
          - session_start(): open(/var/lib/php/session/sess_npqd9riighne7qgba5ob40tpg4, O_RDWR) failed: Permission denied (13) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->run() → CControllerDashboardView->checkInput() → CController->validateInput() → CSession::keyExists() → CSession::open() → session_start() in include/classes/core/CSession.php:138]
          - session_write_close(): open(/var/lib/php/session/sess_npqd9riighne7qgba5ob40tpg4, O_RDWR) failed: Permission denied (13) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->run() → CControllerDashboardView->checkInput() → CController->validateInput() → CSession::keyExists() → CSession::close() → session_write_close() in include/classes/core/CSession.php:149]
          - session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CController->run() → CControllerDashboardView->checkInput() → CController->validateInput() → CSession::keyExists() → CSession::close() → session_write_close() in include/classes/core/CSession.php:149]
          EDIT : No more audit error after running
          Code:
           # restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
          Thanks !

          EDIT 2 : It seems that httpd is denied by SELinux :
          Code:
          type=SYSCALL msg=audit(1539780188.206:696): arch=c000003e syscall=2 success=no exit=-13 a0=7fffecebd880 a1=42 a2=180 a3=0 items=0 ppid=976 pid=1842 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
          type=PROCTITLE msg=audit(1539780188.206:696): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
          type=AVC msg=audit(1539780188.206:697): avc:  denied  { read write } for  pid=1842 comm="httpd" name="sess_npqd9riighne7qgba5ob40tpg4" dev="dm-0" ino=415943 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
          type=SYSCALL msg=audit(1539780188.206:697): arch=c000003e syscall=2 success=no exit=-13 a0=7fffecebd9e0 a1=42 a2=180 a3=1 items=0 ppid=976 pid=1842 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
          type=PROCTITLE msg=audit(1539780188.206:697): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
          Last edited by Nothing497; 17-10-2018, 14:43.

          • ingus.vilnis

            #6
            Do the errors go away with SELinux in permissive?
            Code:
            setenforce 0
            And reload the page?

            Could be this one: https://stackoverflow.com/questions/...es-are-created

            • Nothing497

              #7
              Yes indeed !
              But no luck with these commands :
              Code:
              [root@VZABBIX ~]# restorecon -v "/var/lib/php/session"
              [root@VZABBIX ~]# semanage fcontext -a -t httpd_sys_rw_content_t /var/lib/php/session
              [root@VZABBIX ~]# systemctl restart httpd
              [root@VZABBIX ~]#
              Last edited by Nothing497; 17-10-2018, 14:54.

              • ingus.vilnis

                #8
                Then search audit log for the php session directory and try to create a policy in the same manner as you did for Zabbix server.

                Or search for best SELinux practice for your web server and php version. There were articles on the same permission topic, you might find your answer there.

                • Nothing497

                  #9
                  Apparently I solved this last problem by executing these commands :
                  Code:
                  [root@VZABBIX ~]# grep httpd_t /var/log/audit/audit.log | audit2allow -M httpd_custom
                  ******************** IMPORTANT ***********************
                  To make this policy package active, execute:
                  
                  semodule -i httpd_custom.pp
                  
                  [root@VZABBIX ~]# semodule -i httpd_custom.pp
                  Thank you very much Ingus !

                  • ingus.vilnis

                    #10
                    Awesome! You did it! Good lesson learned.

                    • Nothing497

                      #11
                      Yep, I'm not sure of what I just allowed by running this, but it's working !
                      Hopefully I'm done with the setup of SELinux. Cheers !
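
An added example, not part of the original thread, for seeing what a `grep ... | audit2allow -M` run is about to permit: it groups AVC denials by source type, target type and class, renders each group in allow-rule form, and flags targets such as `unlabeled_t`, where a rule would cover every file carrying that label rather than the one session file. The function name and the short list of flagged types are assumptions; the two AVC records are copied from posts #3 and #5, and the SYSCALL record is trimmed.

```python
import re
from collections import defaultdict

# AVC records copied from posts #3 and #5; the SYSCALL record is trimmed.
SAMPLE_LOG = """\
type=AVC msg=audit(1539775642.073:1542): avc:  denied  { unlink } for  pid=2132 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=19182 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1539780188.206:697): avc:  denied  { read write } for  pid=1842 comm="httpd" name="sess_npqd9riighne7qgba5ob40tpg4" dev="dm-0" ino=415943 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1539780188.206:697): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

# Target types where a denial usually points at a labelling problem, so an
# allow rule is much broader than the one file involved (assumption: this
# short list is illustrative, not exhaustive).
RELABEL_FIRST = {"unlabeled_t", "default_t"}

def summarise_denials(log_text, source_type=None):
    """Group AVC denials into (allow-rule text, advice) pairs for review."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (source_type and m["src"] != source_type):
            continue
        rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    report = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        advice = "relabel the file instead" if tgt in RELABEL_FIRST else "review"
        report.append((rule, advice))
    return report

if __name__ == "__main__":
    for rule, advice in summarise_denials(SAMPLE_LOG):
        print(f"{advice:26} {rule}")
```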


                      • nibble
                        Junior Member
                        • Jul 2019
                        • 1

                        #12
                        If your service "zabbix-agent.service" does not start after rebooting the system with SELinux enabled:
                        yum install policycoreutils-python
                        semanage permissive -a zabbix_agent_t


                        • davood
                          Junior Member
                          • Feb 2022
                          • 2

                          #13
                          Hi
                          It works for CentOS 7 and Zabbix 5, but it doesn't work on Zabbix 6 and Rocky 8.5. What can I do?
                          yum install python-policycoreutils doesn't work because: install: missing destination file operand after 'python-policycoreutils'
                          Try 'install --help' for more information.

                          I used yum install python3-policycoreutils, but I can't run grep zabbix_t /var/log/audit/audit.log | audit2allow -M zabbix_server_custom because: -bash: audit2allow: command not found



                          • Atsushi
                            Atsushi commented
                            Isn't it policycoreutils-python-utils instead of python-policycoreutils?

                            # dnf install policycoreutils-python-utils
                        • davood

                          #14
                          Thanks a lot. I used # dnf install policycoreutils-python-utils and fixed the problem. Thank you so much.
                          Why must we use # dnf install policycoreutils-python-utils?



                          • Atsushi
                            Atsushi commented
                            On CentOS 7, I think it was a package called policycoreutils-python. As the OS version goes up, the package configuration and name may change.