| Summary: | [selinux policy] Zabbix agent monitoring access denied | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miroslav Grepl <mgrepl> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.5 | CC: | bugzilla, dhamilton2007, dwalsh, eparis, fabian.arrotin, jarlebo, kwoodson, lucas.yamanishi, madko, mgrepl, mmalik, okun.sa, rene, rstory, ssekidde, tlavigne, volker27, wesley.schaft |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1032691 | Environment: | |
| Last Closed: | 2014-10-14 07:58:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1032691, 1038237 | | |
| Bug Blocks: | 1034076 | | |

Comment 2
Miroslav Grepl
2014-01-24 12:30:27 UTC
Do you happen to know when this update is going to ship?

It will ship with the RHEL6.6 update. If you want to try it now, you can grab the latest selinux-policy package for RHEL6 from http://people.redhat.com/~dwalsh/SELinux/RHEL6

I have installed the latest policy (3.7.19-251) with Zabbix 2.2.5-1. The Zabbix source rpm was taken from fc21 and repackaged for el6 - I pretty much followed/implemented the changes applied to the Zabbix22 package available from EPEL with a few minor differences.
This seems to resolve all the problems I was previously getting with the denials for the agent. However, I did get one denial for the server:
type=AVC msg=audit(1408552583.666:87): avc: denied { read } for pid=1504 comm="zabbix_server" name="zabbix_server.log" dev=dm-2 ino=524322 scontext=system_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
This was resolved with the following:
semanage fcontext -a -t zabbix_log_t "/var/log/zabbixsrv(/.*)?"
restorecon -Rv /var/log/zabbixsrv
Looks like the rule for labelling the 'new/separate' server log directory and files needs to be added to the policy.
Many Thanks,
Dan H
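
A triage helper for denials like the one quoted above, added here as an example and not part of the bug report or of selinux-policy: it parses AVC records and picks out those whose target file carries a generic inherited type such as var_log_t, which usually points to a missing file-context rule rather than a missing allow rule. The GENERIC_TYPES list and every sample line other than the first are assumptions constructed for the illustration.

```python
import re

# Constructed sample: line 1 is the denial quoted in the comment above, line 2 is
# an unrelated audit record, line 3 is a made-up denial on a dedicated log type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408552583.666:87): avc: denied { read } for pid=1504 comm="zabbix_server" name="zabbix_server.log" dev=dm-2 ino=524322 scontext=system_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1408552583.666:87): arch=c000003e syscall=2 success=no exit=-13 comm="zabbix_server"
type=AVC msg=audit(1408552601.120:93): avc: denied { write } for pid=1611 comm="zabbix_agentd" name="agent.log" dev=dm-2 ino=524400 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file
"""

# Assumption: catch-all types a file inherits from its parent directory when no
# file-context rule matches its path. Extend to suit the local policy.
GENERIC_TYPES = {"var_log_t", "var_lib_t", "var_run_t", "tmp_t", "etc_t", "default_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    match = AVC_RE.search(line)
    if not line.startswith("type=AVC") or match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None  # truncated record, nothing to classify
    return {
        "perms": match.group("perms").split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass", ""),
    }


def labeling_gaps(log_text):
    """Return denials whose target has a generic type (likely a mislabeled path)."""
    denials = (parse_avc(line) for line in log_text.splitlines())
    return [d for d in denials if d and d["target_type"] in GENERIC_TYPES]


if __name__ == "__main__":
    for d in labeling_gaps(SAMPLE_AUDIT_LOG):
        print(f'{d["source_type"]} -> {d["target_type"]}:{d["tclass"]} '
              f'{d["perms"]} on {d["name"]} (check the file-context rule for this path)')
```
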
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html