1

I have a question similar to this : Zabbix server SELinux policy

but a little different: I have a Zabbix server running on a RHEL 6 ,when I enable selinux , I got this error:

Error connecting to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

then I found some error messages from /var/log/message :

Jun  1 00:19:02 ns1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the sock_file mysql.sock. For complete SELinux messages. run sealert -l 65dd779a-a01b-42de-9aaf-65795758aba1

and 

Jun  1 00:04:52 ns1 setroubleshoot: SELinux is preventing /usr/sbin/zabbix_server_mysql from search access on the directory /var/lib/mysql. For complete SELinux messages. run sealert -l bdfa536a-e059-4598-8284-4d40c218078f

then I followd the suggestions:

[root@ns1 ~]# sealert -l 65dd779a-a01b-42de-9aaf-65795758aba1


SELinux is preventing /usr/sbin/httpd from write access on the sock_file mysql.sock.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed write access on the mysql.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:zabbix_exec_t:s0
Target Objects                mysql.sock [ sock_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>

......

then I executed the command:

grep httpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

after that ,problem 1 was solve,but it says Zabbix server is not running, so I followed the suggestion upon to solve problem 2:

[root@ns1 ~]# sealert -l bdfa536a-e059-4598-8284-4d40c218078f

SELinux is preventing /usr/sbin/zabbix_server_mysql from search access on the directory /var/lib/mysql.

......

You can generate a local policy module to allow this access. Do allow this access for now by executing:

grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

......

[root@ns1 ~]# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol

[root@ns1 ~]# semodule -i mypol.pp

after I executed the command to solve problem2 , the problem 1 happend again, please tell me what to do, I don't want to disable selinux,thanks a lot. by the way ,I have already set httpd_can_network_connect=1

database connect error screenshot

Alexander Tolkachev
  • 4,608
  • 3
  • 14
  • 23
feitat
  • 11
  • 5

1 Answers1

0

I know this is very old but I ran into the same issues when installing Zabbix 5.

After running

# dnf -y install policycoreutils-python-utils
# grep "denied.*zabbix" /var/log/audit/audit.log | audit2allow -M zabbix_policy
# semodule -i zabbix_policy.pp

as described in e.g. https://bestmonitoringtools.com/how-to-install-zabbix-server-on-centos-or-rhel/#Step_12_Enable_and_configure_SELinux_on_Zabbix I also had to run

grep "denied.*php-fpm" /var/log/audit/audit.log | audit2allow -M php-fpm_policy
semodule -i php-fpm_policy.pp

These commands in combination with

setsebool -P httpd_can_connect_zabbix 1
setsebool -P zabbix_can_network 1
setenforce 1 && sed -i 's/^SELINUX=.*/SELINUX=enforcing/g' /etc/selinux/config

allowed me to fully use Zabbix with SELinux enabled.

Montellese
  • 1