Zabbix 3.4 documentation SELinux

    Hi!
    I have had some problems getting zabbix 3.4 to work on CentOS7 and it seems I'm not alone with zabbix-server.service refusing to start.

    In the docs, at 4 - Installation - 4 - Installation from packages - 1 - RHEL/CentOS
    There is a section about SELinux in enforced mode and suggested solution is
    # setsebool -P httpd_can_connect_zabbix on

    But this doesn't seem to work, or isn't enough...

    These are the error messages that I get:
    1. Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details.
    2. PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start.

    I have tried quite a few suggestions from different forums as well as zabbix bug reports.
    For example:
    Reinstall OS, reinstall Zabbix, database and everything else.
    Restarted services, network, and so on...

    # yum install policycoreutils-python
    # cat /var/log/audit/audit.log | grep zab | audit2allow -M zabbix-server
    # semodule -i zabbix-server.pp

    # setsebool -P httpd_can_network_connect on
    # setsebool -P httpd_can_connect_zabbix on
    # setsebool -P zabbix_can_network on
    Disable the firewall etc...

    When I disabled the firewall, the service actually started just to shut down again a second later.

    The only thing I have found that solves this for me is to set SELinux to permissive, which still results in error message no. 2 above, but the service stays active and seems to work in my frontend.

    So... my suggestion is to change the documentation to recommend disabling SELinux (set permissive) until a bugfix is in place.

    Hope this wasn't TL;DR

    #2
    Have you tried troubleshooting?
    For example:
    sealert -a /var/log/audit/audit.log



      #3
      Originally posted by vso:
      Have you tried troubleshooting?
      For example:
      sealert -a /var/log/audit/audit.log
      I also have the same issue:
      Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details.

      [[email protected] ~]# sudo systemctl status zabbix-server
      ● zabbix-server.service - Zabbix Server
      Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
      Active: activating (auto-restart) (Result: resources) since Sat 2017-09-23 14:18:33 EEST; 1s ago
      Process: 18084 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
      Process: 15745 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
      Main PID: 18083 (code=exited, status=1/FAILURE)

      Sep 23 14:18:33 NGSRV3 systemd[1]: zabbix-server.service never wrote its PID file. Failing.
      Sep 23 14:18:33 NGSRV3 systemd[1]: Failed to start Zabbix Server.
      Sep 23 14:18:33 NGSRV3 systemd[1]: Unit zabbix-server.service entered failed state.
      Sep 23 14:18:33 NGSRV3 systemd[1]: zabbix-server.service failed.

      And the command suggested by you does not show anything:

      [[email protected] ~]# sealert -a /var/log/audit/audit.log
      100% done
      found 0 alerts in /var/log/audit/audit.log

      What else to do/check?



        #4
        There are many possibilities to analyse, this one is good:
        https://fedoramagazine.org/troubleshooting-selinux/



          #5
          Try
          semanage permissive -a zabbix_agent_t



            #6
            I'm using this selinux policy file on top of the already mentioned booleans, and that seems to work. Had to update it a bit with new policies when upgrading from 3.2 to 3.4 (name this file `zabbix-server.te`):

            Code:
            module zabbix-server 1.0;
            
            require {
                type zabbix_t;
                type var_lib_t;
                type fs_t;
                type httpd_t;
                type http_cache_port_t;
                type tmp_t;
                class process setrlimit;
                class file { create append getattr open };
                class filesystem getattr;
                class tcp_socket name_connect;
                class sock_file { create write unlink };
            }
            
            #============= zabbix_t ==============
            allow zabbix_t self:process setrlimit;
            allow zabbix_t var_lib_t:file { create append getattr open };
            allow zabbix_t fs_t:filesystem getattr;
            allow httpd_t http_cache_port_t:tcp_socket name_connect;
            allow zabbix_t tmp_t:sock_file { create write unlink };
            use
            Code:
            checkmodule -M -m -o zabbix-server.mod zabbix-server.te
            and
            Code:
            semodule_package -o zabbix-server.pp -m zabbix-server.mod
            to create the .pp-file which you then install with
            Code:
            semodule -i zabbix-server.pp
            You were going well with the
            Code:
            cat /var/log/audit/audit.log | grep zab | audit2allow -M zabbix-server
            -method; however, the problem here is that zabbix requires the right to, say, create a tmp_t:sock_file, which is where it fails to start, but once you give it that right (by creating and installing a policy that allows it to), it will try to write to that file (and later on unlink (delete) it).
            As such, you would need multiple runs in order to catch them all (or create your own policy-file and update it with whatever zabbix seems to need next).

            Note that this policy probably allows a few more things than zabbix minimally needs, but that is because of the things I need zabbix to be able to do on my end. You could try to remove some items and see if it still works, but I'm not going through that hassle unless I really really have to.

            Good luck
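An added example (not from this thread or the Zabbix project) that does in plain Python what the `audit2allow -M` step above does under the hood: it parses AVC denial lines, merges them per (source type, target type, class) and renders a complete .te like the one posted, so it is clear why each enforcing run only surfaces the next denial. The audit.log lines are constructed samples shaped like the permissions that policy grants, not real captures.

```python
"""Turn SELinux AVC denials into the .te allow rules a custom module needs."""
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the denials are
# shaped like the ones the thread's zabbix-server policy grants.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1506165513.100:1001): avc:  denied  { setrlimit } for  pid=18083 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process permissive=0
type=AVC msg=audit(1506165513.101:1002): avc:  denied  { create } for  pid=18083 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1506165513.102:1003): avc:  denied  { write } for  pid=18083 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1506165513.103:1004): avc:  denied  { getattr open } for  pid=18083 comm="zabbix_server" path="/var/lib/example" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506165513.104:1005): avc:  denied  { name_connect } for  pid=2001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""
# Pull the denied permissions, the type field of each context, and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+).*?"
    r"tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+)")

def parse_denials(log_text, subject=None):
    """Map (source type, target type, class) -> perms; `subject` narrows like `grep zab`."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and (subject is None or m["stype"] == subject):
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)

def _permset(perms):
    plist = " ".join(sorted(perms))
    return plist if len(perms) == 1 else "{ " + plist + " }"

def allow_rules(denials):
    """One merged `allow` per (source, target, class); same type -> `self`."""
    return [f"allow {s} {'self' if s == t else t}:{c} {_permset(p)};"
            for (s, t, c), p in sorted(denials.items())]

def build_te(module, version, denials):
    """Complete .te source: header, require block, then the allow rules."""
    types = sorted({x for key in denials for x in key[:2]})
    classes = defaultdict(set)
    for (_, _, c), p in denials.items():
        classes[c].update(p)
    require = [f"    type {t};" for t in types]
    require += [f"    class {c} {_permset(p)};" for c, p in sorted(classes.items())]
    lines = [f"module {module} {version};", "", "require {", *require, "}", ""]
    return "\n".join(lines + allow_rules(denials)) + "\n"
```

If `sealert` and `audit2allow` report nothing while the service still fails under enforcing, the denials are probably hidden by dontaudit rules; `semodule -DB` rebuilds the policy with those rules disabled and `semodule -B` restores them.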
