Bug 2394532 - selinux policy file for zabbix fails many cases with RHEL9
Summary: selinux policy file for zabbix fails many cases with RHEL9
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: zabbix
Version: epel9
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-09-11 10:21 UTC by Otheus
Modified: 2025-09-11 10:21 UTC
CC List: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Description Otheus 2025-09-11 10:21:02 UTC
Description of problem:
zabbix-agent on systems in which selinux is enabled will not run properly in many cases due to an AVC violation. The zabbix-selinux package is designed to prevent problems such as AVC violations in relation to zabbix.

At least with RHEL9, and probably also with RHEL8, the netlink_tcpdiag_socket permission is insufficient. The "create" flag is also needed for the agent to monitor local services on the host via tcp. 

Version-Release number of selected component (if applicable):
6.0.40.1.el9

How reproducible:
Depends on zabbix-host configuration. 

Steps to Reproduce:
1. install zabbix-agent and zabbix-selinux policy packages
2. configure agent to connect from a server with active-mode
3. configure zabbix-server to check TCP ports (such as ssh).

Actual results:

"ausearch -i" output:

type=PROCTITLE msg=audit(09/10/2025 03:09:10.857:524) : proctitle=/usr/sbin/zabbix_agentd -f
type=SYSCALL msg=audit(09/10/2025 03:09:10.857:524) : arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6 a1=SOCK_STREAM a2=tcp a3=0x7ffd220128d4 items=0 ppid=1 pid=88353 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(09/10/2025 03:09:10.857:524) : avc:  denied  { module_request } for  pid=88353 comm=zabbix_agentd kmod="net-pf-10" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Expected results:

no error logs

Additional info:

A policy of 

  module uibk_zabbix_tcpdiag 1.0;

  require {
    type zabbix_agent_t;
    class netlink_tcpdiag_socket { create nlmsg_read setopt };
  }

  # Allow rule for the permissions declared above (added here for a loadable module;
  # the snippet as posted in the report stops after the require block).
  allow zabbix_agent_t self:netlink_tcpdiag_socket { create nlmsg_read setopt };

appears to resolve the issue, but this code should be merged and combined with the source .te file.

