If you have the task to install and use zabbix-agent or zabbix-proxy to report to zabbix-server on CentOS 7 with enabled SeLinux services for security reasons and you have no mean to disable the selinux which is a common step to take under this circumstances, you will have to add the zabbix services to be exluded as permissive in selinux. In below article I'll show you how this is done in few easy steps.
1. Check the system sestatus
[root@linux zabbix]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
2. Enable zabbix to be permissive in selinux
To be able to set zabbix to be in permissive mode as well as for further troubleshooting if you have to enable other linux services inside selinux you have to install below RPM packs.
[root@linux zabbix]# yum install setroubleshoot.x86_64 setools.x86_64 setools-console.x86_64 policycoreutils-python.x86_64
Set the zabbix permissive exclude rule in SeLINUX
[root@linux zabbix]# semanage permissive –add zabbix_t
Re-run the zabbix proxy (if you have a local zabbix-proxy running and the zabbix-agent)
[root@linux zabbix]# systemctl start zabbix-proxy.service
[root@linux zabbix]# systemctl start zabbix-agent.service
[root@linux zabbix]# systemctl status zabbix-agent
● zabbix-agent.service – Zabbix Agent
Loaded: loaded (/usr/lib/systemd/system/zabbix-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-10-18 09:30:16 CEST; 1 day 7h ago
Main PID: 962952 (zabbix_agentd)
Tasks: 6 (limit: 100884)
Memory: 5.1M
CGroup: /system.slice/zabbix-agent.service
├─962952 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf
├─962955 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
├─962956 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
├─962957 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
├─962958 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
└─962959 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]Oct 18 09:30:16 linux systemd[1]: Starting Zabbix Agent…
Oct 18 09:30:16 linux systemd[1]: Started Zabbix Agent.
3. Check inside audit logs all is OK
To make sure zabbix is really enabled to be omitted by selinux rules check audit.log
[root@linux zabbix]# grep zabbix_proxy /var/log/audit/audit.log
That's all folks, Enjoy ! 🙂
More helpful Articles
Tags: active, centos 7, checks, enable, howto, linux?, Mode, Oct, permissive, sbin, selinux, systemctl, usr, work, zabbix-agent, zabbix-proxy
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
it's a bad idea to be telling people to disable selinux.
View CommentView Commentmuch better to tell them how to set the right contexts so that things aren't blocked.