SELinux blocking sudo from zabbix_agentd

sudo centos selinux zabbix

The way to handle this is to collect all the information about what access the program needs, and then explicitly allow only that access in a custom policy module.

This is fairly easy to do.

First, you set the domain permissive, so that SELinux temporarily does not enforce its rules. It will still log the denials, and later you will use these logs.

semanage permissive -a zabbix_agent_t

Next, let the program run and let it do whatever it needs to do. The audit log will fill up with what would have been denied, and these logs also show what permissions will need to be granted. Then view these logs with ausearch.

ausearch -r -m avc -ts today

We'll generate a local policy module containing the necessary permissions. (You need to use the -r option with ausearch here so that the output can be processed by other scripts.)

If you saw clearly irrelevant entries, redirect the output to a file, and then edit it to remove them. Then use the file here instead.

ausearch -r -m avc -ts today | audit2allow -M zabbix_megacli

Finally, we install our new local policy module and re-enable SELinux enforcement.

semodule -i zabbix_megacli.pp
semanage permissive -d zabbix_agent_t

Related

Upgrade Centos 5 tot PHP 5.2 or 5.3 [recommended way?]
SQL Server licensing, is it per CPU? So a 32 CPU would mean like 150K in licensing? [closed]
Monitor ESXi hosts with Nagios
Rebuild Fedora 19 ISO adding Kickstart for USB install
How to prevent autofs from mounting over specific directories?
Remote PowerShell, WinRM Failures: WinRM cannot complete the operation
Best practice to disable SpeedStep for Hyper-V hosts?
application monitoring tools
HAProxy not passing SSL traffic in TCP mode (unknown protocol)
What are the implications of expanding an internal subnet mask?
Adding new root/enterprise CA without disturbing existing one?
Ubuntu server 9.10 freezes up after ~10 minutes