Bug 1418860 - SELinux does not allow zabbix agent to access redis tcp socket
Summary: SELinux does not allow zabbix agent to access redis tcp socket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-02 22:26 UTC by Andreas Freudenreich
Modified: 2018-10-30 10:00 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:46 UTC
Target Upstream Version:


Attachments (Terms of Use)
output from audit2allow -a (222 bytes, text/plain)
2017-02-02 22:26 UTC, Andreas Freudenreich
no flags Details
output from audit2allow -w -a (186.66 KB, text/plain)
2017-02-02 22:28 UTC, Andreas Freudenreich
no flags Details
output from 'ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today' (553.34 KB, text/x-vhdl)
2017-02-03 20:31 UTC, Andreas Freudenreich
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:00:50 UTC

Description Andreas Freudenreich 2017-02-02 22:26:57 UTC
Created attachment 1247256 [details]
output from audit2allow -a

Description of problem:
I tried to set up a zabbix userparameter which uses redis-cli to retrieve redis stats. The zabbix GUI complains with "could not connect to redis at 127.0.0.1:6379: permission denied". When I turn of selinux, it works. Setting the "zabbix_can_network"sebool to "on" does not help.
audit2allow shows a missing type enforcement allow rule from zabbix_agent_t to redis_port_t:tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy 3.13.1-102.el7_3.13
zabbix-agent 2.4.6-1.el7
redis 3.2.4-1

How reproducible: always


Steps to Reproduce:
1.setup zabbix userparameter using the redis-cli
2.set up and observe a zabbix item for redis in the zabbix server

Actual results:
Zabbix server GUI shows error: "could not connect to redis at 127.0.0.1:6379: permission denied"

Expected results:
No error - zabbix should have access to the redis tcp port

Additional info:

Comment 1 Andreas Freudenreich 2017-02-02 22:28:35 UTC
Created attachment 1247257 [details]
output from audit2allow -w -a

Comment 2 Milos Malik 2017-02-03 08:33:55 UTC
Could you collect raw SELinux denials and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 4 Andreas Freudenreich 2017-02-03 20:31:38 UTC
Created attachment 1247572 [details]
output from 'ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today'

Comment 10 errata-xmlrpc 2018-10-30 09:59:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.