Ad Widget

**pc99096** · 09-12-2011, 15:08

working, thanks a lot

**hairyairey** · 09-12-2011, 16:02

No problem

I haven't tested whether this change survives a reboot or relabel. I'll test this now and let you know

**hairyairey** · 09-12-2011, 16:54

Doesn't survive a reboot

I even tried removing the access to the port with

semanage port -d -t http_port_t -p tcp 10051

Restarting Apache and adding the permission again. I'll work on this over the weekend, for now this is what I'm getting in /var/log/audit/audit.log:

type=AVC msg=audit(1323442115.704:20): avc: denied { name_connect } for pid=1421 comm="httpd" dest=10051 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u

bject_r

ort_t:s0 tclass=tcp_socket

**hairyairey** · 15-12-2011, 19:08

Oops I'm an idiot

Yes, it does work after a reboot, I had forgotten to set zabbix-server to start automatically...

**daguirre81** · 21-01-2012, 11:29

Modifying SELINUX to make it work

The root cause of this problem is because SELINUX enforcement..
you can check the selinux log, every time the zabbix agent tries to check whether zabbix server is running, it causes a violation on SELINUX.

For checking SELINUX violations:
tail -f /var/log/audit/audit.log |grep -i avc
you should get something similar:

type=AVC msg=audit(1327136033.974:16979): avc: denied { name_connect } for pid=30840 comm="httpd" dest=10051 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u

bject_r

ort_t:s0 tclass=tcp_socket

For adding the policy:
(From http://www.centos.org/modules/newbb/...?topic_id=8696)

[root@example]# audit2allow -a -m local > local.te
[root@example]# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
[root@example]# semodule_package -o local.pp -m local.mod
[root@example]# semodule -i ./local.pp

After this restart the zabbix-agent and it works now without disabling SELINUX
Hope this helps

**wrathchildtoo** · 23-01-2012, 17:09

selinux blocks snmptrap.sh

Hi all!
Does anybody know how to create a police to allow snmtrapd to execute snmptrap.sh script? And where is to be placed snmptrep.sh script? Rihard Olups in "Zabbix 1.8 network monitoring" place it to /home/zabbix/bin/. Is it secure?

Testing snmptrap.sh I run:

Code:

snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "test"

after that I run:

Code:

grep snmptrap /var/log/audit/audit.log

and got such an output:

type=AVC msg=audit(1327312258.773:80712): avc: denied { read } for pid=15854 comm="bash" name="snmptrap.sh" dev=dm-0 ino=150920 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u

bject_r:home_bin_t:s0 tclass=file

sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

**jsantiago** · 21-06-2012, 05:28

Originally posted by leonidasklein

Hi I'm implementing a zabbix server on the corporation I work. All tests i have made with zabbix on VMs have worked. But, now I'm configuring it on a real host and on the dashboard It keeps showing that zabbix server is not working. I already have checked server log and apparently there is no error message.

Can someone give me a hande trying to fix this? Thank you.

Hi,

I am also experiencing the same issue. I was reading through your post and you said disabling SELinux is the solution to the problem.

May I know if you also had the same Configuration-Hosts (Notice the Availability, Zabbix Agent seems to be greyed out.)

**mir.jar** · 14-08-2012, 08:14

Hi guys,
I get this error:

Code:

8909:20120813:153713.521 Starting Zabbix Server. Zabbix 2.0.2 (revision 29214).
  8909:20120813:153713.522 ****** Enabled features ******
  8909:20120813:153713.522 SNMP monitoring:           YES
  8909:20120813:153713.522 IPMI monitoring:            NO
  8909:20120813:153713.522 WEB monitoring:            YES
  8909:20120813:153713.522 Jabber notifications:       NO
  8909:20120813:153713.522 Ez Texting notifications:  YES
  8909:20120813:153713.522 ODBC:                       NO
  8909:20120813:153713.522 SSH2 support:               NO
  8909:20120813:153713.522 IPv6 support:              YES
  8909:20120813:153713.522 ******************************
  8909:20120813:153713.538 listener failed: socket() for [[-]:10051] failed: [22] Invalid argument

and this one:

Code:

 8915:20120813:153740.062 Starting Zabbix Agent [Zabbix server]. Zabbix 2.0.2 (revision 29214).
  8915:20120813:153740.066 listener failed: socket() for [[-]:10050] failed: [22] Invalid argument

this:
semanage port -d -t http_port_t -p tcp 10051
didn't help.

any ideas?

**mir.jar** · 14-08-2012, 08:21

zabbix-server and zabbix-agent didn't start.
when I try:

Code:

./zabbix-server start

I get:

Code:

Starting Zabbix server daemon: zabbix_server

but, if I try restart it, I get:

Code:

Stopping Zabbix server daemon: zabbix_server
No zabbix_server found running; none killed.
Starting Zabbix server daemon: zabbix_server

I was looking in syslog, but there is nothing about this.

EDIT:
I don't see zabix in running processes.

**anitakrueger** · 06-09-2012, 07:37

selinux boolean will do the trick as well

Disabling SELinux is a bad idea all around. Not sure why people keep suggesting it.

daguirre81 is right with the policy. But there is a much easier way. Just enable the boolean httpd_can_network_connect.

[root@local]# getsebool httpd_can_network_connect
httpd_can_network_connect --> off
[root@local]# setsebool httpd_can_network_connect on
[root@local]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

setsebool with -P will persist the change across reboots.

**humayunshafiq** · 05-12-2012, 11:42

but from where i need to change that.. i mean in which file i found this

**anitakrueger** · 05-12-2012, 20:30

What exactly do you mean? "getsebool" and "setsebool" are SELinux api commands. You shouldn't have to touch any files.

Ad Widget

Zabbix server is running = no

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment