Bug 1658352 - SELinux denied create sock for zabbix_server
Summary: SELinux denied create sock for zabbix_server
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6-Alt
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1683820
TreeView+ depends on / blocked
Reported: 2018-12-11 20:26 UTC by Roman
Modified: 2019-02-28 19:00 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1683820 (view as bug list)
Last Closed: 2019-02-28 19:00:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Roman 2018-12-11 20:26:22 UTC
Description of problem:
zabbix-server can't start:
cat /var/log/zabbix/zabbix_server.log | grep "Cannot bind socket"
cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.
cannot start alert manager service: Cannot bind socket to "/var/run/zabbix/zabbix_server_alerter.sock": [13] Permission denied.

cat /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1544546167.438:8697): avc:  denied  { create } for  pid=18048 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1544546167.442:8698): avc:  denied  { create } for  pid=18049 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0

Bug on zabbix bug-tracker

require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;

Comment 2 Zdenek Pytela 2019-02-28 19:00:20 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Note You need to log in before you can comment on or make changes to this bug.