ZABBIX BUGS AND ISSUES
ZBX-11631

Zabbix should install a SELinux policy to allow disabling of core dumps

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.0.6
    • Fix Version/s: None
    • Component/s: Installation (I)
    • Labels:
    • Environment:
      CentOS 7.3

      Description

      As a follow-up to ZBX-10542 and ZBX-10086 (and possibly more duplicate reports) I suggest the following:

      • include a SELinux policy to allow disabling of core dumps in ALL RedHat/CentOS packages
      • enable the SELinux policy by default

      Otherwise Zabbix products won't work on these platforms out of the box.

      The documentation already points to this requirement, so why not fix the issue by providing the required SELinux policy?

        Issue Links

          Activity

          Frank Wall added a comment -

          Note that I've verified this issue only for Zabbix Agent, but according to other user reports this affects most/all Zabbix products.

          Frank Wall added a comment -

          FYI, installing the following SELinux module fixed the issue for Zabbix Agent:

          module zabbix_agent_setrlimit 1.0;
          
          require {
              type zabbix_agent_t;
              class process setrlimit;
          }
          
          #============= zabbix_agent_t ==============
          allow zabbix_agent_t self:process setrlimit;
          

          A similar SELinux module should be provided for every Zabbix product and automatically be installed/activated.

          agris added a comment -

          Workaround for CentOS 7.3:

          1. yum install policycoreutils-python

          server:
          cat /var/log/audit/audit.log | grep zabbix_agentd | grep denied | audit2allow -M zabbix_agent_setrlimit
          semodule -i zabbix_agent_setrlimit.pp

          agent:
          cat /var/log/audit/audit.log | grep zabbix_server | grep denied | audit2allow -M zabbix_server_setrlimit
          semodule -i zabbix_server_setrlimit.pp

          Frank Wall added a comment -

          @agris: This isn't really helpful. This ticket is NOT about workarounds, but instead about a real solution. Workarounds have already been posted in one of the linked issues.

          Stefan Radman added a comment -

          Here is another thing the policy should cover:
          SELinux keeps zabbix server from killing external scripts that have been running too long.

          That's what happens:

          [root@zabbix ~]# fgrep 'failed to kill' /var/log/zabbix/zabbix_server.log | tail -1
           89866:20170117:054115.944 failed to kill [/usr/lib/zabbix/externalscripts/cellinfo2 "10.10.10.10" "LTESINR"]: [13] Permission denied
          [root@zabbix ~]# cat /var/log/audit/audit.log | grep zabbix | grep denied | tail -1
          type=AVC msg=audit(1484660309.035:83396): avc:  denied  { signal } for  pid=89863 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=process
          

          And here is what a zabbix policy would have to allow:

          [root@zabbix ~]# cat /var/log/audit/audit.log | grep zabbix | grep denied | tail -1 | audit2allow
          
          #============= zabbix_t ==============
          allow zabbix_t zabbix_script_t:process signal;
          
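          Putting the two rules reported in this ticket together (Frank Wall's setrlimit module for the agent and Stefan Radman's signal rule for the server), the following is an added example, not code from the ticket or from the Zabbix packages, of one local SELinux policy module plus the steps to build, load and verify it on CentOS 7. The type names (zabbix_agent_t, zabbix_t, zabbix_script_t) come from the comments above; the module name zabbix_local, the function names and the server-side setrlimit rule are assumptions (the ticket says the server is affected too but only shows the agent's rule).

```sh
#!/bin/sh
# Added example for ZBX-11631 (not from the ticket or the Zabbix project):
# one policy module covering the denials described in the ticket, and the
# commands to build, load and verify it. Requires checkmodule,
# semodule_package and semodule (packages checkpolicy and policycoreutils
# on CentOS 7; setools-console for sesearch).
set -eu

# Print the policy source (.te). Kept in a function so the rules can be
# reviewed before anything is loaded into the running policy.
zabbix_local_te() {
    cat <<'EOF'
module zabbix_local 1.0;

require {
    type zabbix_agent_t;
    type zabbix_t;
    type zabbix_script_t;
    class process { setrlimit signal };
}

# Agent: setrlimit() so it can disable core dumps (Frank Wall's module)
allow zabbix_agent_t self:process setrlimit;

# Server: same setrlimit() call. ASSUMPTION: the ticket reports the server
# as affected but shows only the agent's rule.
allow zabbix_t self:process setrlimit;

# Server: send a signal to external scripts that ran past their timeout
# (Stefan Radman's AVC record: zabbix_t -> zabbix_script_t, class process)
allow zabbix_t zabbix_script_t:process signal;
EOF
}

# Compile the .te into a .pp and load it. Run as root.
zabbix_local_install() {
    dir=${1:-$(mktemp -d)}
    zabbix_local_te > "$dir/zabbix_local.te"
    checkmodule -M -m -o "$dir/zabbix_local.mod" "$dir/zabbix_local.te"
    semodule_package -o "$dir/zabbix_local.pp" -m "$dir/zabbix_local.mod"
    semodule -i "$dir/zabbix_local.pp"
    # Confirm the module is loaded
    semodule -l | grep '^zabbix_local'
}

# Verify the rules are in the active policy and see whether Zabbix is
# still being denied anything. Run as root.
zabbix_local_check() {
    sesearch -A -s zabbix_agent_t -t zabbix_agent_t -c process -p setrlimit
    sesearch -A -s zabbix_t -t zabbix_script_t -c process -p signal
    # Any remaining denials for Zabbix processes (empty output is good)
    grep -E 'avc: +denied' /var/log/audit/audit.log | grep zabbix || true
}

case "${1:-}" in
    te)      zabbix_local_te ;;
    install) zabbix_local_install "${2:-}" ;;
    check)   zabbix_local_check ;;
esac
```

          Usage: `sh zabbix_local.sh te` prints the policy for review, `install` (as root) builds and loads it, and `check` afterwards confirms the rules are active and shows whether any denials for Zabbix are still being logged. A module loaded this way is a local override; the point of the ticket stands that the packages themselves should ship these rules so that no per-host module is needed.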

            People

            • Assignee:
              Unassigned
              Reporter:
              Frank Wall
            • Votes:
              1
              Watchers:
              6

              Dates

              • Created:
                Updated: