| type=AVC msg=audit(1577757179.300:42106): avc: denied { create } for pid=1659 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757189.516:42111): avc: denied { create } for pid=1709 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757199.838:42116): avc: denied { create } for pid=1806 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757210.064:42121): avc: denied { create } for pid=1855 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757210.067:42122): avc: denied { create } for pid=1847 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757220.320:42127): avc: denied { create } for pid=1909 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757230.529:42132): avc: denied { create } for pid=1951 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757230.531:42133): avc: denied { create } for pid=1955 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757240.812:42138): avc: denied { create } for pid=2015 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757251.040:42143): avc: denied { create } for pid=2069 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757261.307:42148): avc: denied { create } for pid=2125 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757271.535:42153): avc: denied { create } for pid=2167 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757281.805:42158): avc: denied { create } for pid=2226 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757292.011:42163): avc: denied { create } for pid=2269 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757292.012:42164): avc: denied { create } for pid=2273 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757302.311:42169): avc: denied { create } for pid=2326 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757302.312:42170): avc: denied { create } for pid=2330 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757312.543:42175): avc: denied { create } for pid=2387 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757322.814:42180): avc: denied { create } for pid=2438 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757333.050:42185): avc: denied { create } for pid=2485 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757343.313:42190): avc: denied { create } for pid=2540 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757353.565:42195): avc: denied { create } for pid=2587 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757363.809:42200): avc: denied { create } for pid=2651 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757374.027:42205): avc: denied { create } for pid=2701 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757384.311:42210): avc: denied { create } for pid=2767 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757394.541:42215): avc: denied { create } for pid=2838 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757404.798:42220): avc: denied { create } for pid=2890 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757414.990:42225): avc: denied { create } for pid=2940 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757432.262:42230): avc: denied { create } for pid=3084 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757442.553:42235): avc: denied { create } for pid=3153 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757452.772:42240): avc: denied { create } for pid=3207 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757452.773:42241): avc: denied { create } for pid=3211 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757463.072:42246): avc: denied { create } for pid=3298 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757463.073:42247): avc: denied { create } for pid=3294 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757473.338:42252): avc: denied { create } for pid=3353 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757473.343:42253): avc: denied { create } for pid=3357 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757483.559:42258): avc: denied { create } for pid=3415 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 | |
| type=AVC msg=audit(1577757493.780:42263): avc: denied { create } for pid=3461 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0 |
Hi,
SELinux is generating lots of messages in the /var/log/audit/audit.log file.
The idea is to look for "denied" messages and make them allowed.
For this there are some handy command line tools.
Code:
yum install policycoreutils-python
Now you can generate a custom SELinux policy file for Zabbix, e.g. zabbix_server_custom.
Code:
grep zabbix_t /var/log/audit/audit.log | audit2allow -M zabbix_server_custom
You can look at the contents of the created file in the current directory.
Load the newly created Zabbix server policy module into the current SELinux policy.
Code:
semodule -i zabbix_server_custom.pp
Zabbix server might not be able to start properly due to still missing SELinux rules.
Repeat this set of commands at least three times and check the Zabbix server log after each of them. This is because every time a new SELinux rule is added, Zabbix server gets a step further and gets logged into the audit log. Thus it is possible to pick up new issues and add them to the custom SELinux policy.
Remove the policy files after they have been added successfully.
Code:
rm zabbix_server_custom.*
You may want to review these settings as well:
Code:
getsebool -a | grep zabbix
And permanently enable them if needed:
Code:
setsebool -P zabbix_can_network=1
Hope this helps
https://www.zabbix.com/forum/zabbix-help/367261-selinux-and-zabbix
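
An added example, not part of the original post: a small shell function that collapses AVC denials into the distinct allow rules they imply, so the rule set can be read before the module built by `audit2allow -M` is loaded with `semodule -i`. The names `sample_avc` and `summarize_avc` are hypothetical, and the sample input is three denials copied from the log above.

```shell
#!/bin/sh
# Added example: list the distinct rules a set of AVC denials implies,
# with a count of how many denials each rule would silence.

# Three denials copied from the log on this page.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1577757179.300:42106): avc: denied { create } for pid=1659 comm="zabbix_server" name="zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1577757189.516:42111): avc: denied { create } for pid=1709 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1577757210.067:42122): avc: denied { create } for pid=1847 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
EOF
}

# Reads audit.log lines on stdin, prints "<count> allow <src> <tgt>:<class> { perms };"
summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # Denied permissions sit between the braces.
      if (match($0, /[{] [^}]* [}]/))
        perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      # Skip records that are missing any field needed to form a rule.
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) {
          seen[key, p[j]] = 1
          perm_set[key] = perm_set[key] " " p[j]
        }
      count[key]++
    }
    END {
      for (k in count)
        printf "%d allow %s {%s };\n", count[k], k, perm_set[k]
    }
  ' | sort
}

sample_avc | summarize_avc
```

On a live system the same function can be fed with `grep zabbix_t /var/log/audit/audit.log | summarize_avc`; any source type, target type or class other than the ones expected is worth investigating before it is allowed.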