730404 – Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SELinux enforced mode

Bug 730404 - Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SELinux enforced mode

Summary: Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SE...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	zabbix
Sub Component:
Version:	el6
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Dan Horák
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-12 19:32 UTC by Joti
Modified:	2016-10-05 10:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-10-05 10:47:21 UTC
Type:	---
Embargoed:

Attachments	(Terms of Use)

Description Joti 2011-08-12 19:32:52 UTC

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1

I installed Zabbix 1.8.5-2.el6 from the EPEL on a fresh CentOS6 box with SELinux enforcing policy by default.

All components install an run fine. Web Interface anyhow shows the Zabbix-Server as although the rest is shown fine. Connectivity issues can be ruled out (Web-IF on localhost as well as server, configfiles correct).

Setting SELinux to permissive fixes this issue, and Zabbix Web shows the server as up. 
The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.

Reproducible: Always

Actual Results:  
Zabbix-Web does not report Zabbix-Server status correct.

Expected Results:  
Zabbix-Web Interface should report Zabbix-Server status correct.

The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.

Comment 1 Hairy Airey 2011-12-14 22:06:22 UTC

The quoted Zabbix Forum link is out of date - this is more up to date

http://www.zabbix.com/forum/showthread.php?t=23878

Note that the solution I have quoted:

semanage port -a -t http_port_t -p tcp 10051

works, but not after a reboot. I am still working on a solution will post it here and in the Zabbix Forum when I get one.

Comment 2 David Kovalsky 2012-04-09 01:00:44 UTC

One of the solutions is to turn on one this boolean: httpd_can_network_connect 

Run `setsebool  httpd_can_network_connect=1' to have it persistent.

Comment 3 Paul Wouters 2012-05-28 15:19:47 UTC

this problem is still not resolved....

Comment 4 Volker Fröhlich 2013-10-03 20:46:40 UTC

I added a note on the 2.0.8-3 README. David's suggestion is a bit too permissive. In the README I suggest to audit2allow and create a policy module to make it persistent.

Comment 5 Paul Wouters 2013-10-03 21:56:43 UTC

A README will not help a user. The package should work when installed by the user.

Comment 6 richlv 2013-11-28 15:08:04 UTC

on 6.4, being close to disabling selinux, i opted for httpd_can_network_connect. given that i suspect ldap auth also to require connectivity, this should save the remaining sanity i might have :)

Comment 7 Volker Fröhlich 2016-10-05 10:47:21 UTC

Since I can't think of a better solution than that and it being documented, I guess we can close this issue.

Note You need to log in before you can comment on or make changes to this bug.