How to get the Zabbix Puppet module to work with SELinux

Question

I'm writing a Puppet module to install Zabbix onto a Puppet agent. Everything is working as intended, but SELinux isn't playing nicely with Zabbix. I'm getting the following error from SELinux in the audit log:

type=AVC msg=audit(% audit_id): avc:  denied  { connect } for  pid=2383 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0

I changed my Puppet class to look like this using this website as reference:

class { 'zabbix::agent':
    server => '<server_ip>',
        tlsaccept => 'psk',
        tlsconnect => 'psk',
        tlspskfile => $pskfilepath,
        tlspskidentity => $pskidentity,
        manage_selinux => true,
        selinux_require => [
            'type kernel_t',
            'type devlog_t',
            'type zabbix_agent_t',
            'class sock_file write',
            'class process setrlimit', 
            'class unix_dgram_socket {connect create sendto}',
    ],
    selinux_rules => { 'zabbix_agent_t' => [
            'allow zabbix_agent_t kernel_t:unix_dgram_socket sendto',
            'allow zabbix_agent_t self:process setrlimit',
            'allow zabbix_agent_t self:unix_dgram_socket { connect create }',
    ]
  }

Now, I'm getting this instead:

type=AVC msg=audit($audit_id): avc: denied { write } for pid=4293 comm="zabbix_agentd" name="log" dev="devtmpfs" ino=8160 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0

It changed from { connect } to { write }, can anyone please tell me why SELinux isn't working well with Zabbix?

Ok, that makes sense from the Linux perspective. Do you recommend I run those commands with `exec` using Puppet to get it to work, or is there a better method using Puppet? — AndreasKralj, Feb 07 '19 at 22:31
I recommend you put together a policy module as described there, and then deploy it with puppet. — Michael Hampton, Feb 07 '19 at 22:33
@MichaelHampton it worked, thank you so much! You can put your comment as an answer and I'll accept it if you want. — AndreasKralj, Feb 07 '19 at 22:59

score 0 · Accepted Answer · answered Feb 20 '19 at 20:23

MichaelHampton helped me figure it out, I used the instructions from here to create 4 exec statements that would accomplish the goal. I surrounded it in an if statement to check to see if the Zabbix agent was running already, since running it when the Zabbix agent is already started causes it to error out. There might be a better way to do it but that's what I did and it works well. If anyone is getting errors with the exec statements, be sure to set the path attribute properly for each exec statement and it will work.

How to get the Zabbix Puppet module to work with SELinux

1 Answers1