I have been playing with Zabbix 4.0.1 on CentOS 7 and I noticed that if the SELinux is turned on, the server won't start. I investigated for a denials the audit.log with ausearch and this is what I got from my system:
# ausearch -m avc -c zabbix
time->Thu Nov 8 16:06:07 2018
type=PROCTITLE msg=audit(1541685967.785:315): proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20616C657274206D616E61676572202331207374617274696E67
type=SYSCALL msg=audit(1541685967.785:315): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7ffc2589bd50 a2=6e a3=8 items=0 ppid=12052 pid=12085 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server_mysql" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1541685967.785:315): avc: denied { create } for pid=12085 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
----
time->Thu Nov 8 16:06:17 2018
type=PROCTITLE msg=audit(1541685977.984:320): proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A2070726570726F63657373696E67206D616E61676572202331207374617274696E67
type=SYSCALL msg=audit(1541685977.984:320): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7ffc8e09ec20 a2=6e a3=8 items=0 ppid=12108 pid=12142 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server_mysql" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1541685977.984:320): avc: denied { create } for pid=12142 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
----
The Zabbix server process took ages to shutdown and even restarting the whole VM took very long time. I turned off SELinux and the problem disappeared. However I like SELinux and I want to have it on. I decided to dig a little and find why the zabbix_t context can't write on zabbix_var_run_t context. So I executed:
# sepolicy transition -t zabbix_tAnd I got the following error:
ValueError: zabbix_var_run_t must be an SELinux process domain:The output is pretty big, but I truncated the most interesting part. It appears that the zabbix_var_run_t context is not defined at all. So I decided to put only to permissive the zabbix_t context and left the SELinux in enforcing mode.
Valid domains: abrt_t, abrt_dump_oops_t, abrt_handle_event_t, abrt_helper_t.........
# semanage permissive -a zabbix_t
You can checked for sure with:
# semodule -l | grep permissiveAnd now restarting the Zabbix server isn't a problem and we still have SELinux running.
Info about SELinux troubleshooting gathered from RedHat Documentation.
