1418860 – SELinux does not allow zabbix agent to access redis tcp socket

Bug 1418860 - SELinux does not allow zabbix agent to access redis tcp socket

Summary: SELinux does not allow zabbix agent to access redis tcp socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-02-02 22:26 UTC by Andreas Freudenreich
Modified:	2018-10-30 10:00 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-203.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 09:59:46 UTC
Target Upstream Version:

Attachments	(Terms of Use)
output from audit2allow -a (222 bytes, text/plain) 2017-02-02 22:26 UTC, Andreas Freudenreich	no flags	Details
output from audit2allow -w -a (186.66 KB, text/plain) 2017-02-02 22:28 UTC, Andreas Freudenreich	no flags	Details
output from 'ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today' (553.34 KB, text/x-vhdl) 2017-02-03 20:31 UTC, Andreas Freudenreich	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:00:50 UTC

Description Andreas Freudenreich 2017-02-02 22:26:57 UTC

Created attachment 1247256 [details]
output from audit2allow -a

Description of problem:
I tried to set up a zabbix userparameter which uses redis-cli to retrieve redis stats. The zabbix GUI complains with "could not connect to redis at 127.0.0.1:6379: permission denied". When I turn of selinux, it works. Setting the "zabbix_can_network"sebool to "on" does not help.
audit2allow shows a missing type enforcement allow rule from zabbix_agent_t to redis_port_t:tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy 3.13.1-102.el7_3.13
zabbix-agent 2.4.6-1.el7
redis 3.2.4-1

How reproducible: always


Steps to Reproduce:
1.setup zabbix userparameter using the redis-cli
2.set up and observe a zabbix item for redis in the zabbix server

Actual results:
Zabbix server GUI shows error: "could not connect to redis at 127.0.0.1:6379: permission denied"

Expected results:
No error - zabbix should have access to the redis tcp port

Additional info:

Comment 1 Andreas Freudenreich 2017-02-02 22:28:35 UTC

Created attachment 1247257 [details]
output from audit2allow -w -a

Comment 2 Milos Malik 2017-02-03 08:33:55 UTC

Could you collect raw SELinux denials and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 4 Andreas Freudenreich 2017-02-03 20:31:38 UTC

Created attachment 1247572 [details]
output from 'ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today'

Comment 10 errata-xmlrpc 2018-10-30 09:59:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.