Bug 1658352

Summary: SELinux denied create sock for zabbix_server
Product: Red Hat Enterprise Linux 7 Reporter: Roman <guard43ru>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.6-AltCC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1683820 (view as bug list) Environment:
Last Closed: 2019-02-28 19:00:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1683820    

Description Roman 2018-12-11 20:26:22 UTC 
Description of problem:
zabbix-server can't start:
cat /var/log/zabbix/zabbix_server.log | grep "Cannot bind socket"
cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.
cannot start alert manager service: Cannot bind socket to "/var/run/zabbix/zabbix_server_alerter.sock": [13] Permission denied.

cat /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1544546167.438:8697): avc:  denied  { create } for  pid=18048 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1544546167.442:8698): avc:  denied  { create } for  pid=18049 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0

Bug on zabbix bug-tracker
https://support.zabbix.com/browse/ZBX-14626

require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;
}
Comment 2 Zdenek Pytela 2019-02-28 19:00:20 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.