Sunday, September 28, 2014

Zabbix on Centos/RHEL 6.5 : Fixing SELinux Errors

One of my OpenShift Origin servers has lots of these messages in /var/log/messages:

Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 4dbe6e60-5c4e-47cb-9b7d-040260fc38e0
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a


The errors are somewhat related to the ZBX-7537 bug report. Following the links there leads to Red Hat BZ 1032691 - [selinux policy] Zabbix agent monitoring access denied. The cure is to create an SELinux module that grants the denied permissions; let's call it zabbix-fix. You may call it something else, but beware that the module name inside the TE file must match the TE filename and the PP filename.
zabbix-fix.te

# The module name must match the .te and .pp filenames.
policy_module(zabbix-fix, 1.0)

# Types this module uses but does not define.
require {
    type zabbix_agent_t;
    type zabbix_t;
    type ping_t;
    type zabbix_tmp_t;
}

# ping/fping (ping_t) run by the Zabbix server (zabbix_t) needs to read
# the server's temp files and use the server's TCP socket.
allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };

# Agent checks: network state under /proc, the /proc/<pid> state of other
# domains (the "cmdline" denials above), sysfs, and outbound TCP to any port.
kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
corenet_tcp_connect_all_ports(zabbix_agent_t)

Create the file zabbix-fix.te with the above contents, then compile the module and install it:
make -f /usr/share/selinux/devel/Makefile zabbix-fix.pp
semodule -i zabbix-fix.pp
After the module is installed, the errors no longer show up in /var/log/messages.
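As an added example (my script, not part of the original post), the shell wrapper below runs the build and install steps above with the check the post warns about, that the policy_module() name must equal the .te/.pp basename, and extracts the distinct sealert report IDs from syslog. Function names are mine; the Makefile path is the one the post uses, and the sample .te and log lines are constructed.

```shell
# Added example, not from the original post: wraps its build/install steps
# with the check it warns about (policy_module() name must equal the .te/.pp
# basename) and summarises the syslog denials. Function names are mine.
# Module name declared in a .te file's policy_module(name, version) line.
te_module_name() {
    sed -n 's/^policy_module(\([^,)]*\).*/\1/p' "$1" | tr -d ' '
}

# Succeeds only when a name is declared and equals the file's basename.
te_name_matches_file() {
    name=$(te_module_name "$1")
    [ -n "$name" ] && [ "$name" = "$(basename "$1" .te)" ]
}

# Count setroubleshoot lines in syslog $1 about the binary $2.
count_selinux_denials() {
    grep -c "SELinux is preventing $2 " "$1" || true
}

# Distinct sealert IDs for $2: the post shows one ID repeated many times,
# so this is the list of reports actually worth reading with sealert -l.
denial_ids() {
    grep "SELinux is preventing $2 " "$1" |
        sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p' | sort -u
}

# Build, install and confirm the module is loaded; refuses on a name
# mismatch. Needs root and the devel Makefile, so the tests skip it.
install_te_module() {
    te_name_matches_file "$1" || {
        echo "policy_module() name in $1 does not match its filename" >&2
        return 1
    }
    mod=$(basename "$1" .te)
    make -f /usr/share/selinux/devel/Makefile "$mod.pp" &&
        semodule -i "$mod.pp" &&
        semodule -l | grep -q "^$mod[[:space:]]"
}
# Constructed sample inputs (not real hosts or report IDs) for offline runs.
write_sample_te() {  # $1 = path, $2 = name to declare
    printf 'policy_module(%s, 1.0)\n\nrequire {\n\ttype zabbix_agent_t;\n}\n\ndomain_read_all_domains_state(zabbix_agent_t)\n' "$2" > "$1"
}
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-00000000aaaa
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-00000000aaaa
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-00000000bbbb
Sep 28 22:15:21 broker sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
EOF
}
```

Source the script on the target host and run `install_te_module zabbix-fix.te`; the other functions only read files and need no SELinux tooling.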

Summary

We need to install a custom SELinux policy module to enable Zabbix on RHEL/CentOS 6.5 servers.
