1zabbix_agent_selinux(8) SELinux Policy zabbix_agent zabbix_agent_selinux(8)
2
3
4
6 zabbix_agent_selinux - Security Enhanced Linux Policy for the zab‐
7 bix_agent processes
8
10 Security-Enhanced Linux secures the zabbix_agent processes via flexible
11 mandatory access control.
12
13 The zabbix_agent processes execute with the zabbix_agent_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep zabbix_agent_t
20
21
22
24 The zabbix_agent_t SELinux type can be entered via the zab‐
25 bix_agent_exec_t file type.
26
27 The default entrypoint paths for the zabbix_agent_t domain are the fol‐
28 lowing:
29
30 /usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 zabbix_agent policy is very flexible allowing users to setup their zab‐
40 bix_agent processes in as secure a method as possible.
41
42 The following process types are defined for zabbix_agent:
43
44 zabbix_agent_t
45
46 Note: semanage permissive -a zabbix_agent_t can be used to make the
47 process type zabbix_agent_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
51
53 SELinux policy is customizable based on least access required. zab‐
54 bix_agent policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run zabbix_agent with the tight‐
56 est access possible.
57
58
59
60 If you want to dontaudit all daemons scheduling requests (setsched,
61 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
62 Enabled by default.
63
64 setsebool -P daemons_dontaudit_scheduling 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow system to run with NIS, you must turn on the
76 nis_enabled boolean. Disabled by default.
77
78 setsebool -P nis_enabled 1
79
80
81
82 If you want to allow Zabbix to run su/sudo, you must turn on the zab‐
83 bix_run_sudo boolean. Disabled by default.
84
85 setsebool -P zabbix_run_sudo 1
86
87
88
90 SELinux defines port types to represent TCP and UDP ports.
91
92 You can see the types associated with a port by using the following
93 command:
94
95 semanage port -l
96
97
98 Policy governs the access confined processes have to these ports.
99 SELinux zabbix_agent policy is very flexible allowing users to setup
100 their zabbix_agent processes in as secure a method as possible.
101
102 The following port types are defined for zabbix_agent:
103
104
105 zabbix_agent_port_t
106
107
108
109 Default Defined Ports:
110 tcp 10050
111
113 The SELinux process type zabbix_agent_t can manage files labeled with
114 the following file types. The paths listed are the default paths for
115 these file types. Note the processes UID still need to have DAC per‐
116 missions.
117
118 cluster_conf_t
119
120 /etc/cluster(/.*)?
121
122 cluster_var_lib_t
123
124 /var/lib/pcsd(/.*)?
125 /var/lib/cluster(/.*)?
126 /var/lib/openais(/.*)?
127 /var/lib/pengine(/.*)?
128 /var/lib/corosync(/.*)?
129 /usr/lib/heartbeat(/.*)?
130 /var/lib/heartbeat(/.*)?
131 /var/lib/pacemaker(/.*)?
132
133 cluster_var_run_t
134
135 /var/run/crm(/.*)?
136 /var/run/cman_.*
137 /var/run/rsctmp(/.*)?
138 /var/run/aisexec.*
139 /var/run/heartbeat(/.*)?
140 /var/run/pcsd-ruby.socket
141 /var/run/corosync-qnetd(/.*)?
142 /var/run/corosync-qdevice(/.*)?
143 /var/run/corosync.pid
144 /var/run/cpglockd.pid
145 /var/run/rgmanager.pid
146 /var/run/cluster/rgmanager.sk
147
148 faillog_t
149
150 /var/log/btmp.*
151 /var/log/faillog.*
152 /var/log/tallylog.*
153 /var/run/faillock(/.*)?
154
155 krb5_host_rcache_t
156
157 /var/tmp/krb5_0.rcache2
158 /var/cache/krb5rcache(/.*)?
159 /var/tmp/nfs_0
160 /var/tmp/DNS_25
161 /var/tmp/host_0
162 /var/tmp/imap_0
163 /var/tmp/HTTP_23
164 /var/tmp/HTTP_48
165 /var/tmp/ldap_55
166 /var/tmp/ldap_487
167 /var/tmp/ldapmap1_0
168
169 lastlog_t
170
171 /var/log/lastlog.*
172
173 root_t
174
175 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
176 /
177 /initrd
178
179 security_t
180
181 /selinux
182
183 zabbix_log_t
184
185 /var/log/zabbix.*
186
187 zabbix_tmpfs_t
188
189
190 zabbix_var_run_t
191
192 /var/run/zabbix(/.*)?
193
194
196 SELinux requires files to have an extended attribute to define the file
197 type.
198
199 You can see the context of a file using the -Z option to ls
200
201 Policy governs the access confined processes have to these files.
202 SELinux zabbix_agent policy is very flexible allowing users to setup
203 their zabbix_agent processes in as secure a method as possible.
204
205 STANDARD FILE CONTEXT
206
207 SELinux defines the file context types for the zabbix_agent, if you
208 wanted to store files with these types in a different paths, you need
209 to execute the semanage command to specify alternate labeling and then
210 use restorecon to put the labels on disk.
211
212 semanage fcontext -a -t zabbix_agent_exec_t '/srv/zabbix_agent/con‐
213 tent(/.*)?'
214 restorecon -R -v /srv/myzabbix_agent_content
215
216 Note: SELinux often uses regular expressions to specify labels that
217 match multiple files.
218
219 The following file types are defined for zabbix_agent:
220
221
222
223 zabbix_agent_exec_t
224
225 - Set files with the zabbix_agent_exec_t type, if you want to transi‐
226 tion an executable to the zabbix_agent_t domain.
227
228
229 Paths:
230 /usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd
231
232
233 zabbix_agent_initrc_exec_t
234
235 - Set files with the zabbix_agent_initrc_exec_t type, if you want to
236 transition an executable to the zabbix_agent_initrc_t domain.
237
238
239
240 Note: File context can be temporarily modified with the chcon command.
241 If you want to permanently change the file context you need to use the
242 semanage fcontext command. This will modify the SELinux labeling data‐
243 base. You will need to use restorecon to apply the labels.
244
245
247 semanage fcontext can also be used to manipulate default file context
248 mappings.
249
250 semanage permissive can also be used to manipulate whether or not a
251 process type is permissive.
252
253 semanage module can also be used to enable/disable/install/remove pol‐
254 icy modules.
255
256 semanage port can also be used to manipulate the port definitions
257
258 semanage boolean can also be used to manipulate the booleans
259
260
261 system-config-selinux is a GUI tool available to customize SELinux pol‐
262 icy settings.
263
264
266 This manual page was auto-generated using sepolicy manpage .
267
268
270 selinux(8), zabbix_agent(8), semanage(8), restorecon(8), chcon(1), se‐
271 policy(8), setsebool(8)
272
273
274
275zabbix_agent 23-12-15 zabbix_agent_selinux(8)