Folks,
I've been playing around with getting Zabbix going for an environment, and it seems that with the base policies shipping with RHEL at present kill a lot of functionality from the Zabbix Agent when running in enforcing mode.
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
> from /var/log/audit.log
type=AVC msg=audit(1411624838.720:189661): avc: denied { getattr } for pid=1600 comm="zabbix_agentd" path="/proc/1568/cmdline" dev=proc ino=17063 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
Anyone out there playing the same game and got it all sorted out? Making it work isn't such a problem, its just making another bespoke customisation that needs to be retained forevermore.
Auto-discovery doesn't work, along with a few other things
Thanks.
I've been playing around with getting Zabbix going for an environment, and it seems that with the base policies shipping with RHEL at present kill a lot of functionality from the Zabbix Agent when running in enforcing mode.
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
> from /var/log/audit.log
type=AVC msg=audit(1411624838.720:189661): avc: denied { getattr } for pid=1600 comm="zabbix_agentd" path="/proc/1568/cmdline" dev=proc ino=17063 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
Anyone out there playing the same game and got it all sorted out? Making it work isn't such a problem, its just making another bespoke customisation that needs to be retained forevermore.
Auto-discovery doesn't work, along with a few other things
Thanks.
Comment