Bug 1418860
| Summary: | SELinux does not allow zabbix agent to access redis tcp socket | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andreas Freudenreich <andreas.freudenreich> | ||||||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 7.3 | CC: | andreas.freudenreich, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde | ||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | selinux-policy-3.13.1-203.el7 | Doc Type: | If docs needed, set a value | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2018-10-30 09:59:46 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 1247257 [details]
output from audit2allow -w -a
Could you collect raw SELinux denials and attach them here? # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today Thank you Created attachment 1247572 [details]
output from 'ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Created attachment 1247256 [details] output from audit2allow -a Description of problem: I tried to set up a zabbix userparameter which uses redis-cli to retrieve redis stats. The zabbix GUI complains with "could not connect to redis at 127.0.0.1:6379: permission denied". When I turn of selinux, it works. Setting the "zabbix_can_network"sebool to "on" does not help. audit2allow shows a missing type enforcement allow rule from zabbix_agent_t to redis_port_t:tcp_socket Version-Release number of selected component (if applicable): selinux-policy 3.13.1-102.el7_3.13 zabbix-agent 2.4.6-1.el7 redis 3.2.4-1 How reproducible: always Steps to Reproduce: 1.setup zabbix userparameter using the redis-cli 2.set up and observe a zabbix item for redis in the zabbix server Actual results: Zabbix server GUI shows error: "could not connect to redis at 127.0.0.1:6379: permission denied" Expected results: No error - zabbix should have access to the redis tcp port Additional info: