Bug 730404 - Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SELinux enforced mode
Summary: Zabbix Web-Interface falsely reports Zabbix-Server as down when running in SE...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: zabbix
Version: el6
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-12 19:32 UTC by Joti
Modified: 2016-10-05 10:47 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-05 10:47:21 UTC


Attachments (Terms of Use)

Description Joti 2011-08-12 19:32:52 UTC
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1

I installed Zabbix 1.8.5-2.el6 from the EPEL on a fresh CentOS6 box with SELinux enforcing policy by default.

All components install an run fine. Web Interface anyhow shows the Zabbix-Server as although the rest is shown fine. Connectivity issues can be ruled out (Web-IF on localhost as well as server, configfiles correct).

Setting SELinux to permissive fixes this issue, and Zabbix Web shows the server as up. 
The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.

Reproducible: Always

Actual Results:  
Zabbix-Web does not report Zabbix-Server status correct.

Expected Results:  
Zabbix-Web Interface should report Zabbix-Server status correct.

The Zabbix-Forum has this entry http://www.zabbix.com/forum/showpost.php?p=10460&postcount=10 which describes what the Zabbix-Web needs to access to recognize the status of the server process, maybe it helps adapting the SELiunx policy.

Comment 1 Hairy Airey 2011-12-14 22:06:22 UTC
The quoted Zabbix Forum link is out of date - this is more up to date

http://www.zabbix.com/forum/showthread.php?t=23878

Note that the solution I have quoted:

semanage port -a -t http_port_t -p tcp 10051

works, but not after a reboot. I am still working on a solution will post it here and in the Zabbix Forum when I get one.

Comment 2 David Kovalsky 2012-04-09 01:00:44 UTC
One of the solutions is to turn on one this boolean: httpd_can_network_connect 

Run `setsebool  httpd_can_network_connect=1' to have it persistent.

Comment 3 Paul Wouters 2012-05-28 15:19:47 UTC
this problem is still not resolved....

Comment 4 Volker Fröhlich 2013-10-03 20:46:40 UTC
I added a note on the 2.0.8-3 README. David's suggestion is a bit too permissive. In the README I suggest to audit2allow and create a policy module to make it persistent.

Comment 5 Paul Wouters 2013-10-03 21:56:43 UTC
A README will not help a user. The package should work when installed by the user.

Comment 6 richlv 2013-11-28 15:08:04 UTC
on 6.4, being close to disabling selinux, i opted for httpd_can_network_connect. given that i suspect ldap auth also to require connectivity, this should save the remaining sanity i might have :)

Comment 7 Volker Fröhlich 2016-10-05 10:47:21 UTC
Since I can't think of a better solution than that and it being documented, I guess we can close this issue.


Note You need to log in before you can comment on or make changes to this bug.