zabbix_selinux(8)            SELinux Policy zabbix           zabbix_selinux(8)

NAME

       zabbix_selinux - Security Enhanced Linux Policy for the zabbix
       processes

DESCRIPTION

       Security-Enhanced Linux secures the zabbix processes via flexible
       mandatory access control.

       The zabbix processes execute with the zabbix_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep zabbix_t

ENTRYPOINTS

       The zabbix_t SELinux type can be entered via the zabbix_exec_t file
       type.

       The default entrypoint paths for the zabbix_t domain are the following:

       /usr/bin/zabbix_server, /usr/sbin/zabbix_proxy, /usr/sbin/zabbix_server,
       /usr/sbin/zabbix_proxy_mysql, /usr/sbin/zabbix_proxy_pgsql,
       /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql,
       /usr/sbin/zabbix_proxy_sqlite3, /usr/sbin/zabbix_server_sqlite3

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       zabbix policy is very flexible, allowing users to set up their zabbix
       processes in as secure a method as possible.

       The following process types are defined for zabbix:

       zabbix_t, zabbix_agent_t, zabbix_script_t

       Note: semanage permissive -a zabbix_t can be used to make the process
       type zabbix_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. zabbix
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run zabbix with the tightest access possible.

       If you want to allow zabbix to connect to all TCP ports, you must turn
       on the zabbix_can_network boolean. Disabled by default.

       setsebool -P zabbix_can_network 1

       If you want to allow Zabbix to run su/sudo, you must turn on the
       zabbix_run_sudo boolean. Disabled by default.

       setsebool -P zabbix_run_sudo 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux zabbix policy is very flexible, allowing users to set up their
       zabbix processes in as secure a method as possible.

       The following port types are defined for zabbix:

       zabbix_agent_port_t

       Default Defined Ports:
                 tcp 10050

       zabbix_port_t

       Default Defined Ports:
                 tcp 10051
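       The booleans and port types above have documented defaults, so drift
       from them can be checked mechanically. The following is an added
       example, not part of the generated man page; the function names
       zbx_boolean_drift and zbx_port_drift and the sample data are
       hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the generated man page): report drift from the
# defaults this page documents. Sample inputs below are constructed.

# stdin: `getsebool -a` lines ("name --> on|off").
# Prints every zabbix boolean that is on although it is off by default.
zbx_boolean_drift() {
    awk '$2 == "-->" && $3 == "on" &&
         ($1 == "zabbix_can_network" || $1 == "zabbix_run_sudo") { print $1 }'
}

# stdin: `semanage port -l` lines ("type proto port[, port...]").
# Prints "type proto port" for each port labelled with a zabbix port type
# other than the documented default (tcp 10050 agent, tcp 10051 server).
zbx_port_drift() {
    awk '$1 == "zabbix_agent_port_t" || $1 == "zabbix_port_t" {
        want = ($1 == "zabbix_agent_port_t") ? "10050" : "10051"
        for (i = 3; i <= NF; i++) {
            port = $i
            sub(/,$/, "", port)
            if ($2 != "tcp" || port != want) print $1, $2, port
        }
    }'
}

# Constructed sample data: one boolean enabled, one extra port labelled.
SAMPLE_BOOLS='fips_mode --> on
zabbix_can_network --> on
zabbix_run_sudo --> off'
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
zabbix_agent_port_t            tcp      10050
zabbix_port_t                  tcp      10051, 8443'

printf '%s\n' "$SAMPLE_BOOLS" | zbx_boolean_drift
printf '%s\n' "$SAMPLE_PORTS" | zbx_port_drift
```

       On a live host, pipe the output of getsebool -a and semanage port -l
       into the two functions instead of the sample variables.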

MANAGED FILES

       The SELinux process type zabbix_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       lastlog_t

            /var/log/lastlog.*

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       zabbix_log_t

            /var/log/zabbix.*

       zabbix_tmpfs_t


       zabbix_var_lib_t

            /var/lib/zabbix(/.*)?
            /var/lib/zabbixsrv(/.*)?

       zabbix_var_run_t

            /var/run/zabbix(/.*)?

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux zabbix policy is very flexible, allowing users to set up their
       zabbix processes in as secure a method as possible.

       EQUIVALENCE DIRECTORIES

       zabbix policy stores data with multiple different file context types
       under the /var/lib/zabbix directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/zabbix /srv/zabbix
       restorecon -R -v /srv/zabbix

       STANDARD FILE CONTEXT

       SELinux defines the file context types for zabbix. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t zabbix_var_run_t '/srv/myzabbix_content(/.*)?'
       restorecon -R -v /srv/myzabbix_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
       The following file types are defined for zabbix:

       zabbix_agent_exec_t

       - Set files with the zabbix_agent_exec_t type, if you want to
       transition an executable to the zabbix_agent_t domain.

       Paths:
            /usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd

       zabbix_agent_initrc_exec_t

       - Set files with the zabbix_agent_initrc_exec_t type, if you want to
       transition an executable to the zabbix_agent_initrc_t domain.

       zabbix_exec_t

       - Set files with the zabbix_exec_t type, if you want to transition an
       executable to the zabbix_t domain.

       Paths:
            /usr/bin/zabbix_server, /usr/sbin/zabbix_proxy,
            /usr/sbin/zabbix_server, /usr/sbin/zabbix_proxy_mysql,
            /usr/sbin/zabbix_proxy_pgsql, /usr/sbin/zabbix_server_mysql,
            /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_proxy_sqlite3,
            /usr/sbin/zabbix_server_sqlite3

       zabbix_initrc_exec_t

       - Set files with the zabbix_initrc_exec_t type, if you want to
       transition an executable to the zabbix_initrc_t domain.

       zabbix_log_t

       - Set files with the zabbix_log_t type, if you want to treat the data
       as zabbix log data, usually stored under the /var/log directory.

       zabbix_script_exec_t

       - Set files with the zabbix_script_exec_t type, if you want to
       transition an executable to the zabbix_script_t domain.

       Paths:
            /usr/lib/zabbix/externalscripts(/.*)?,
            /var/lib/zabbix/externalscripts(/.*)?

       zabbix_tmp_t

       - Set files with the zabbix_tmp_t type, if you want to store zabbix
       temporary files in the /tmp directories.

       zabbix_tmpfs_t

       - Set files with the zabbix_tmpfs_t type, if you want to store zabbix
       files on a tmpfs file system.

       zabbix_var_lib_t

       - Set files with the zabbix_var_lib_t type, if you want to store the
       zabbix files under the /var/lib directory.

       Paths:
            /var/lib/zabbix(/.*)?, /var/lib/zabbixsrv(/.*)?

       zabbix_var_run_t

       - Set files with the zabbix_var_run_t type, if you want to store the
       zabbix files under the /run or /var/run directory.

       zabbixd_var_lib_t

       - Set files with the zabbixd_var_lib_t type, if you want to store the
       zabbixd files under the /var/lib directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
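       The path regexes in this section are matched against the whole path,
       which decides what a rule such as '/srv/myzabbix_content(/.*)?' does
       and does not cover. The following is an added example, not part of
       the generated man page; the function name zbx_expected_type and the
       sample paths are hypothetical, and listing specific rules first is a
       simplification of SELinux's own rule ordering.

```shell
#!/bin/sh
# Added example (not part of the generated man page). File-context regexes
# are matched against the whole path; the rule table is built from the paths
# listed on this page plus its /srv/myzabbix_content example rule.

# Print the file type the listed rules assign to path $1; return 1 if none
# of them matches. Simplification: more specific rules are listed first and
# the first match wins, instead of reimplementing SELinux's own ordering.
zbx_expected_type() {
    zbx_path=$1
    while read -r zbx_regex zbx_type; do
        # -x anchors the regex at both ends, as file-context matching does.
        if printf '%s\n' "$zbx_path" | grep -Eqx -- "$zbx_regex"; then
            printf '%s\n' "$zbx_type"
            return 0
        fi
    done <<'EOF'
/usr/lib/zabbix/externalscripts(/.*)? zabbix_script_exec_t
/var/lib/zabbix/externalscripts(/.*)? zabbix_script_exec_t
/var/lib/zabbix(/.*)? zabbix_var_lib_t
/var/lib/zabbixsrv(/.*)? zabbix_var_lib_t
/var/run/zabbix(/.*)? zabbix_var_run_t
/var/log/zabbix.* zabbix_log_t
/srv/myzabbix_content(/.*)? zabbix_var_run_t
EOF
    return 1
}

# Constructed sample paths: a script directory nested under /var/lib/zabbix,
# a prefix match on the log rule, and a sibling directory that no rule covers.
for p in /var/lib/zabbix/externalscripts/check.sh /var/lib/zabbix/db \
         /var/log/zabbix_old.log /srv/myzabbix_content_old; do
    printf '%s -> %s\n' "$p" "$(zbx_expected_type "$p" || echo 'no zabbix rule')"
done
```

       On a live host, restorecon -n -v on the path reports label changes
       the loaded policy would make without applying them.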

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), zabbix(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), zabbix_agent_selinux(8),
       zabbix_script_selinux(8)

zabbix                             20-05-05                  zabbix_selinux(8)