There are others out there using zabbix who have run into the same SElinux difficulties as myself. Many people will say “just disable SElinux”. But if you don’t want to do that, here’s how you make it work.
- Install the zabbix repo for yum: rpm -Uvh https://repo.zabbix.com/zabbix/3.2/rhel/7/x86_64/zabbix-release-3.2-1.el7.noarch.rpm
- Install the zabbix agent: yum install zabbix-agent
- Install the SElinux policy core utilities: yum install policycoreutils-python
- Edit your zabbix config file: vi /etc/zabbix/zabbix_agentd.conf
(Yes, you have to use vi. Or else. Just learn it already. Vi is AMAZING.) - Edit your zabbix systemd startup because it’s currently broken and the PID file is pointing at /run instead of /var/run: vi /usr/lib/systemd/system/zabbix-agent.service
(Doooo itttt!) - Reload systemd, the bane of all sensible unix people: systemctl daemon-reload
- Enable zabbix-agent: systemctl enable zabbix-agent
- Start and watch zabbix-agent fail: systemctl start zabbix-agent
(There’s a reason for this) - Gather the failure messages from the audit log (why 8 is necessary) and pipe it through audit2allow: grep “denied.*zabbix_agent” /var/log/audit/audit.log | audit2allow -M zabbix_agent
- Add the policy info to SElinux: semodule -i zabbix_agent.pp
- Start zabbix and make it sing: systemctl start zabbix-agent
Enjoy.
7 comments
Great article, really clear and accurate with but one remark:
grep “denied.*zabbix_agent” /var/log/audit/audit.log | audit2allow -M zabbix_agent
uses the wrong quotation marks when copy/pasting. Should be:
grep “denied.*zabbix_agent” /var/log/audit/audit.log | audit2allow -M zabbix_agent
grep “denied. * Zabbix_agent” /var/log/audit/audit.log | audit2allow -M zabbix_agent
Nothing to do
So if you run the first part, the:
grep “denied. * Zabbix_agent” /var/log/audit/audit.log
And you get no results – then my guess is that you haven’t started zabbix yet or selinux didn’t cause any problems with it loading. The audit log will show failures and blocks associated with it. Piping that through audit2allow will output a policy file to adjust and allow those actions.
Try starting zabbix and see if anything shows up there. Good luck!
Thank you, it worked
/var/run is a lnik to /run
so u dont have to Doooo itttttt!
That actually depends on your platform. If you don’t need to then you’re fine but in case the link doesn’t exist some will have to create it.
Amazing, worked like a charm. No experience with SElinux so this helped alot.
Thanks to Bert for the tip on the quotes too as it might have taken some more time to get to it.
Regards!