- Problem report
- Resolution: Incomplete
- Trivial
- None
- 6.2.1
- None
Zabbix Server 6.2.1
Red Hat 8.5
Steps to reproduce:
1.) Install Zabbix Server 6.2.1 on RHEL 8.5 as outlined in the installation guide, which includes zabbix-selinux-policy: [https://www.zabbix.com/download?zabbix=6.0&os_distribution=red_hat_enterprise_linux&os_version=8&db=postgresql&ws=nginx|Install guide] (RHEL authentication with SSSD)
2.) Configure your sudoers file for zabbix:
# cat /etc/sudoers.d/zabbix
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /usr/bin/nmap -O *
zabbix ALL=(other_user) NOPASSWD: ALL
zabbix ALL=(root) NOPASSWD: ZABBIX_CMD
3.) Install nmap and traceroute locally
# dnf install nmap traceroute
4.) Add hosts with Zabbix active agent 2 (not strictly needed; you can test on the server itself)
5.) Go to Monitoring > Hosts and attempt to run nmap or traceroute; you will get multiple issues.
6.) To fix it you will need to:
semodule -DB
Reproduce issue
ausearch --raw | audit2allow -M zabbix
semodule -i zabbix.pp
...
semodule -B
Result:
Unable to run nmap / traceroute.
audit.log / secure / message fills with SELinux errors.
The following booleans seem to cover only some of them:
!!!! This avc can be allowed using the boolean 'zabbix_run_sudo'
allow zabbix_t sudo_exec_t:file getattr;
This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow zabbix_t kernel_t:system module_request;
This avc can be allowed using the boolean 'domain_can_mmap_files'
allow zabbix_t traceroute_exec_t:file map;
These booleans are also required:
setsebool -P zabbix_can_network 1
setsebool -P httpd_can_connect_zabbix 1
setsebool -P httpd_can_network_connect 1
Excerpt of some errors reported (I did not log all the errors, but this is an example):
Sep 9 11:33:00 setroubleshoot[2647]: SELinux is preventing /usr/bin/sudo from read access on the file utmp.
Sep 9 11:33:52 setroubleshoot[2770]: SELinux is preventing sudo from create access on the netlink_audit_socket labeled zabbix_t
Sep 9 11:35:57 setroubleshoot[2884]: SELinux is preventing sudo from execute_no_trans access on the file /usr/sbin/unix_chkpwd
Sep 9 11:35:55 setroubleshoot[2884]: SELinux is preventing /usr/bin/sudo from read access on the file sssd.conf.
Sep 9 11:35:57 setroubleshoot[2884]: SELinux is preventing sudo from execute_no_trans access on the file /usr/sbin/unix_chkpwd
Sep 9 11:36:12 setroubleshoot[2923]: SELinux is preventing sudo from open access on the file /run/utmp
Sep 9 11:38:16 setroubleshoot[3050]: SELinux is preventing /usr/bin/sudo from open access on the file /etc/sssd/sssd.conf
Sep 9 11:38:18 setroubleshoot[3050]: SELinux is preventing unix_chkpwd from map access on the file /usr/sbin/unix_chkpwd
/var/log/secure
Sep 9 12:54:16 sudo[4002]: zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nmap -O 10.22.22.22
Sep 9 12:54:16 systemd[4006]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 9 12:54:16 sudo[4002]: pam_systemd(sudo:session): Failed to stat() runtime directory '/run/user/0': Permission denied
Sep 9 12:54:16 sudo[4002]: pam_systemd(sudo:session): Not setting $XDG_RUNTIME_DIR, as the directory is not in order.
Expected:
The install instructions should state which SELinux booleans are required, and/or zabbix-selinux-policy needs to be updated to include the missing SELinux rules.
As per the errors, I had to create the following policy, which includes almost every SELinux error encountered after the installation:
# Module header as generated by `audit2allow -M zabbix` (step 6 above); needed for checkmodule/semodule_package to build the .pp
module zabbix 1.0;

require {
	type httpd_t;
	type oddjob_mkhomedir_t;
	type var_lib_t;
	type system_dbusd_t;
	type setroubleshootd_t;
	type unconfined_service_t;
	type init_t;
	type initrc_t;
	type chkpwd_t;
	type unconfined_t;
	type zabbix_t;
	type chkpwd_exec_t;
	type initrc_var_run_t;
	type kernel_t;
	type shadow_t;
	type sssd_conf_t;
	type sudo_exec_t;
	type traceroute_exec_t;
	type user_tmp_t;
	class dir { add_name write search getattr };
	class file { open read map lock execute execute_no_trans getattr };
	class netlink_audit_socket { read write create nlmsg_relay };
	class capability { audit_write sys_admin net_admin net_raw };
	class rawip_socket { write create setopt };
	class netlink_rdma_socket { read write bind create getattr setopt };
	class packet_socket { read write bind create getopt ioctl map setopt };
	class system module_request;
	class process { noatsecure rlimitinh siginh };
}

#============= httpd_t ==============
allow httpd_t self:capability net_admin;

#============= oddjob_mkhomedir_t ==============
allow oddjob_mkhomedir_t var_lib_t:dir { add_name write };

#============= system_dbusd_t ==============
allow system_dbusd_t self:capability net_admin;
allow system_dbusd_t setroubleshootd_t:process { noatsecure rlimitinh siginh };
allow system_dbusd_t unconfined_service_t:process { noatsecure rlimitinh siginh };

#============= init_t ==============
allow init_t initrc_t:process siginh;
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_t:process siginh;

#============= zabbix_t ==============
allow zabbix_t chkpwd_exec_t:file { open read map execute_no_trans };
allow zabbix_t initrc_var_run_t:file { open read lock };
allow zabbix_t kernel_t:system module_request;
allow zabbix_t self:capability { audit_write sys_admin net_admin net_raw };
allow zabbix_t self:netlink_audit_socket { read write create nlmsg_relay };
allow zabbix_t self:netlink_rdma_socket { read write bind create getattr setopt };
allow zabbix_t self:packet_socket { read write bind create getopt ioctl map setopt };
allow zabbix_t self:rawip_socket { write create setopt };
allow zabbix_t shadow_t:file { open read getattr };
allow zabbix_t sssd_conf_t:dir search;
allow zabbix_t sssd_conf_t:file { open read getattr };
allow zabbix_t sudo_exec_t:file { execute getattr };
allow zabbix_t traceroute_exec_t:file { open read map execute execute_no_trans getattr };
allow zabbix_t user_tmp_t:dir { getattr search };
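A check worth running on a module like the one above before `semodule -i`, added here as an example and not part of this report or of Zabbix's own tooling: an unfiltered `ausearch --raw | audit2allow -M zabbix` (step 6) turns every denial recorded on the host into an allow rule, which is how the unrelated `httpd_t`, `system_dbusd_t`, `oddjob_mkhomedir_t` and `init_t` rules ended up in the module, and because sudo's PAM authentication runs inside `zabbix_t` the module also asks for `shadow_t` reads and `sys_admin`. The script below parses raw AVC records (a constructed sample in the shape of `ausearch --raw` output, not the report's actual audit log), keeps only the `zabbix_t` source domain, collapses the remaining denials into allow rules the way audit2allow does, lists the foreign domains that would otherwise have been swept in, and flags the rules that need an explicit justification. The record layout it expects and the lists of risky capabilities and target types are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ausearch --raw` AVC records (not real log lines).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1662716216.101:4002): avc:  denied  { execute getattr } for  pid=4002 comm="zabbix_server" name="sudo" dev="dm-0" ino=101 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1662716216.102:4003): avc:  denied  { open read getattr } for  pid=4002 comm="sudo" name="shadow" dev="dm-0" ino=102 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1662716216.103:4004): avc:  denied  { net_raw } for  pid=4010 comm="nmap" capability=13 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1662716216.104:4005): avc:  denied  { sys_admin } for  pid=4010 comm="nmap" capability=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1662716216.105:4006): avc:  denied  { net_admin } for  pid=1200 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1662716216.106:4007): avc:  denied  { siginh } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=0
"""

# Pulls the permission set, source type, target type and object class out of one AVC record.
# The type is the third field of an SELinux context (user:role:type[:range]).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Capabilities and target types that should never be granted just because a denial was logged.
RISKY_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "dac_override", "dac_read_search", "setuid", "setgid"}
RISKY_TARGETS = {"shadow_t"}


def parse_avc(raw_audit):
    """Return one dict per AVC denial: source type, target type, object class, permission set."""
    denials = []
    for line in raw_audit.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "stype": m.group("stype"),
                "ttype": m.group("ttype"),
                "tclass": m.group("tclass"),
                "perms": set(m.group("perms").split()),
            })
    return denials


def build_rules(denials, source_type):
    """Collapse denials into allow rules, keeping only the ones whose source domain is source_type.

    A target equal to the source is written as `self`, as audit2allow does."""
    grouped = defaultdict(set)
    for d in denials:
        if d["stype"] != source_type:
            continue
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        grouped[(target, d["tclass"])] |= d["perms"]
    rules = []
    for (target, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {source_type} {target}:{tclass} {perm_str};")
    return rules


def foreign_domains(denials, source_type):
    """Source domains other than source_type present in the capture; an unfiltered audit2allow run would include them."""
    return sorted({d["stype"] for d in denials if d["stype"] != source_type})


def review_rules(denials, source_type):
    """Flag denials of source_type that a reviewer should not turn into allow rules without a justification."""
    findings = []
    for d in denials:
        if d["stype"] != source_type:
            continue
        if d["tclass"] == "capability":
            risky = sorted(d["perms"] & RISKY_CAPS)
            if risky:
                findings.append(f"{source_type} would gain capability {' '.join(risky)}")
        if d["ttype"] in RISKY_TARGETS:
            findings.append(f"{source_type} would get {d['tclass']} {' '.join(sorted(d['perms']))} on {d['ttype']}")
    return findings


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    for rule in build_rules(denials, "zabbix_t"):
        print(rule)
    print("domains excluded from the module:", ", ".join(foreign_domains(denials, "zabbix_t")))
    for finding in review_rules(denials, "zabbix_t"):
        print("REVIEW:", finding)
```

On a live host the same narrowing can be done at the source by filtering the subject context before piping into audit2allow (ausearch's `-su`/`--subject` option), and the findings the script raises are the ones to resolve by other means: the `zabbix_run_sudo` boolean already listed above is the supported route for the `sudo_exec_t` access, and a `shadow_t` read or `sys_admin` grant for `zabbix_t` is a signal that the sudo/PAM path should be confined differently rather than allowed.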