Last active
October 21, 2022 23:23
-
-
Save CHERTS/c7448b81cff40b088a77867b2b5ec382 to your computer and use it in GitHub Desktop.
Zabbix on CentOS 8 with SELinux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you're running the Zabbix on CentOS 8 with SELinux enabled on it, then you must do all command on this section. | |
| Install SELinux utilities using the dnf command below. | |
| dnf install policycoreutils checkpolicy setroubleshoot-server | |
| Once the installation is complete, create a new directory '~/zabbix-linux' and go into it. | |
| mkdir -p ~/zabbix-selinux | |
| cd ~/zabbix-selinux/ | |
| Now create a new SELinux policy module file 'zabbix_server_add.te' using vim editor. | |
| vim zabbix_server_add.te | |
| Paste the following configuration. | |
| Now convert the 'zabbix_server_add.te' into the policy module using the checkmodule command below. | |
| checkmodule -M -m -o zabbix_server_add.mod zabbix_server_add.te | |
| Now compile the policy module 'zabbix_server_add.mod' using the semodule_package command. | |
| semodule_package -m zabbix_server_add.mod -o zabbix_server_add.pp | |
| After that, load the compiled policy module 'zabbix_server_add.pp' to the system. | |
| semodule -i zabbix_server_add.pp | |
| The local custom policy module for Zabbix has been loaded. | |
| Next, for additional SELinux configuration. Run the setsbool command below. | |
| setsebool -P httpd_can_network_connect 1 | |
| setsebool -P httpd_can_connect_zabbix 1 | |
| setsebool zabbix_can_network on | |
| And the SELinux configuration for Zabbix has been completed. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module zabbix_server_add 1.1; | |
| require { | |
| type zabbix_var_run_t; | |
| type tmp_t; | |
| type zabbix_t; | |
| class sock_file { create unlink write }; | |
| class unix_stream_socket connectto; | |
| class process setrlimit; | |
| class capability dac_override; | |
| } | |
| #============= zabbix_t ============== | |
| #!!!! This avc is allowed in the current policy | |
| allow zabbix_t self:process setrlimit; | |
| #!!!! This avc is allowed in the current policy | |
| allow zabbix_t self:unix_stream_socket connectto; | |
| #!!!! This avc is allowed in the current policy | |
| allow zabbix_t tmp_t:sock_file { create unlink write }; | |
| #!!!! This avc is allowed in the current policy | |
| allow zabbix_t zabbix_var_run_t:sock_file { create unlink write }; | |
| #!!!! This avc is allowed in the current policy | |
| allow zabbix_t self:capability dac_override; |
@danielAlbuquerque I noticed that Zabbix 6 also requires some changes, at least on my side.
Could I share?
@DennisAnaniev please, if you do some changes in Zabbix 6, could you share me? Because I did that described above but it doesn't work with Centos 8 and Zabbix 6.
Thank you and thank you CHERTS
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks!