Bug 730404

Summary: Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SELinux enforced mode
Product: [Fedora] Fedora EPEL Reporter: Joti <joti.mail>
Component: zabbixAssignee: Dan Horák <dan>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: el6CC: benl, dan, hairyairey, jeff, madko, nelsonab, richlv, volker27
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-05 10:47:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joti 2011-08-12 19:32:52 UTC 
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1

I installed Zabbix 1.8.5-2.el6 from the EPEL on a fresh CentOS6 box with SELinux enforcing policy by default.

All components install an run fine. Web Interface anyhow shows the Zabbix-Server as although the rest is shown fine. Connectivity issues can be ruled out (Web-IF on localhost as well as server, configfiles correct).

Setting SELinux to permissive fixes this issue, and Zabbix Web shows the server as up. 
The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.

Reproducible: Always

Actual Results:  
Zabbix-Web does not report Zabbix-Server status correct.

Expected Results:  
Zabbix-Web Interface should report Zabbix-Server status correct.

The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.
Comment 1 Hairy Airey 2011-12-14 22:06:22 UTC 
The quoted Zabbix Forum link is out of date - this is more up to date

http://www.zabbix.com/forum/showthread.php?t=23878

Note that the solution I have quoted:

semanage port -a -t http_port_t -p tcp 10051

works, but not after a reboot. I am still working on a solution will post it here and in the Zabbix Forum when I get one.
Comment 2 David Kovalsky 2012-04-09 01:00:44 UTC 
One of the solutions is to turn on one this boolean: httpd_can_network_connect 

Run `setsebool  httpd_can_network_connect=1' to have it persistent.
Comment 3 Paul Wouters 2012-05-28 15:19:47 UTC 
this problem is still not resolved....
Comment 4 Volker Fröhlich 2013-10-03 20:46:40 UTC 
I added a note on the 2.0.8-3 README. David's suggestion is a bit too permissive. In the README I suggest to audit2allow and create a policy module to make it persistent.
Comment 5 Paul Wouters 2013-10-03 21:56:43 UTC 
A README will not help a user. The package should work when installed by the user.
Comment 6 richlv 2013-11-28 15:08:04 UTC 
on 6.4, being close to disabling selinux, i opted for httpd_can_network_connect. given that i suspect ldap auth also to require connectivity, this should save the remaining sanity i might have :)
Comment 7 Volker Fröhlich 2016-10-05 10:47:21 UTC 
Since I can't think of a better solution than that and it being documented, I guess we can close this issue.