ZABBIX BUGS AND ISSUES: ZBX-21625

SELinux issues with Zabbix 6.2.1 / RHEL 8.5


    • Type: Problem report
    • Resolution: Incomplete
    • Priority: Trivial
    • Affects Version: 6.2.1
    • Component: Server (S)
    • Environment: Zabbix Server 6.2.1, Red Hat 8.5

      Steps to reproduce:

      1.) Install Zabbix Server 6.2.1 on RHEL 8.5 as outlined in the installation guide, including zabbix-selinux-policy: [https://www.zabbix.com/download?zabbix=6.0&os_distribution=red_hat_enterprise_linux&os_version=8&db=postgresql&ws=nginx|Install guide] (RHEL authentication with SSSD)

      2.) Configure your sudoers file for zabbix:

      # cat /etc/sudoers.d/zabbix 
      Defaults:zabbix !requiretty
      Cmnd_Alias ZABBIX_CMD = /usr/bin/nmap -O *
      zabbix  ALL=(other_user)  NOPASSWD: ALL
      zabbix  ALL=(root)        NOPASSWD: ZABBIX_CMD

      3.) Install nmap and traceroute locally

      # dnf install nmap traceroute


      4.) Add hosts with Zabbix active agent 2 (not really needed; you can test on the server itself)

      5.) Go to Monitoring > Hosts and attempt to run nmap or traceroute; you will get multiple issues.

      6.) To fix it you will need to:

      semodule -DB
      Reproduce issue
      ausearch --raw | audit2allow -M zabbix
      semodule -i zabbix.pp

      ...

      semodule -B


      Result:
      Unable to run nmap / traceroute.
      audit.log / secure / messages fill with SELinux errors.

      The following booleans seem to cover only some of them:

      !!!! This avc can be allowed using the boolean 'zabbix_run_sudo'
      allow zabbix_t sudo_exec_t:file getattr;

      This avc can be allowed using the boolean 'domain_kernel_load_modules'
      allow zabbix_t kernel_t:system module_request;

      This avc can be allowed using the boolean 'domain_can_mmap_files'
      allow zabbix_t traceroute_exec_t:file map;


      These booleans are also required:

      setsebool -P zabbix_can_network 1;
      setsebool -P httpd_can_connect_zabbix 1;
      setsebool -P httpd_can_network_connect 1; 


      Excerpt of some of the errors reported (I did not log all of them, but this is an example):

      Sep  9 11:33:00  setroubleshoot[2647]: SELinux is preventing /usr/bin/sudo from read access on the file utmp.
      Sep  9 11:33:52  setroubleshoot[2770]: SELinux is preventing sudo from create access on the netlink_audit_socket labeled zabbix_t
      Sep  9 11:35:57  setroubleshoot[2884]: SELinux is preventing sudo from execute_no_trans access on the file /usr/sbin/unix_chkpwd
      Sep  9 11:35:55  setroubleshoot[2884]: SELinux is preventing /usr/bin/sudo from read access on the file sssd.conf.
      Sep  9 11:35:57  setroubleshoot[2884]: SELinux is preventing sudo from execute_no_trans access on the file /usr/sbin/unix_chkpwd
      Sep  9 11:36:12  setroubleshoot[2923]: SELinux is preventing sudo from open access on the file /run/utmp
      Sep  9 11:38:16  setroubleshoot[3050]: SELinux is preventing /usr/bin/sudo from open access on the file /etc/sssd/sssd.conf
      Sep  9 11:38:18  setroubleshoot[3050]: SELinux is preventing unix_chkpwd from map access on the file /usr/sbin/unix_chkpwd

      /var/log/secure

      Sep  9 12:54:16 sudo[4002]:  zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nmap -O 10.22.22.22
      Sep  9 12:54:16 systemd[4006]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
      Sep  9 12:54:16 sudo[4002]: pam_systemd(sudo:session): Failed to stat() runtime directory '/run/user/0': Permission denied
      Sep  9 12:54:16 sudo[4002]: pam_systemd(sudo:session): Not setting $XDG_RUNTIME_DIR, as the directory is not in order.


      Expected:

      The install instructions should state which SELinux booleans are required, and/or the zabbix-selinux-policy needs to be updated to include the missing SELinux rules.

      As per the errors, I had to create the following policy, which includes almost every SELinux error encountered after the installation:

      # Module header as produced by "audit2allow -M zabbix" (step 6 above);
      # the require block and allow rules below are the generated policy.
      module zabbix 1.0;

      require {
              type httpd_t;
              type oddjob_mkhomedir_t;
              type var_lib_t;
              type system_dbusd_t;
              type setroubleshootd_t;
              type unconfined_service_t;
              type init_t;
              type initrc_t;
              type chkpwd_t;
              type unconfined_t;
              type zabbix_t;
              type chkpwd_exec_t;
              type initrc_var_run_t;
              type kernel_t;
              type shadow_t;
              type sssd_conf_t;
              type sudo_exec_t;
              type traceroute_exec_t;
              type user_tmp_t;
              class dir { add_name write search getattr };
              class file { open read map lock execute execute_no_trans getattr };
              class netlink_audit_socket { read write create nlmsg_relay };
              class capability { audit_write sys_admin net_admin net_raw };
              class rawip_socket { write create setopt };
              class netlink_rdma_socket { read write bind create getattr setopt };
              class packet_socket { read write bind create getopt ioctl map setopt };
              class system module_request;
              class process { noatsecure rlimitinh siginh };
      }
      
      #============= httpd_t ==============
      allow httpd_t self:capability net_admin;
      
      #============= oddjob_mkhomedir_t ==============
      allow oddjob_mkhomedir_t var_lib_t:dir { add_name write };
      
      #============= system_dbusd_t ==============
      allow system_dbusd_t self:capability net_admin;
      allow system_dbusd_t setroubleshootd_t:process { noatsecure rlimitinh siginh };
      allow system_dbusd_t unconfined_service_t:process { noatsecure rlimitinh siginh };
      
      #============= init_t ==============
      allow init_t initrc_t:process siginh;
      allow init_t chkpwd_t:process siginh;
      allow init_t unconfined_t:process siginh;
      
      #============= zabbix_t ==============
      allow zabbix_t chkpwd_exec_t:file { open read map execute_no_trans };
      allow zabbix_t initrc_var_run_t:file { open read lock };
      allow zabbix_t kernel_t:system module_request;
      allow zabbix_t self:capability { audit_write sys_admin net_admin net_raw };
      allow zabbix_t self:netlink_audit_socket { read write create nlmsg_relay };
      allow zabbix_t self:netlink_rdma_socket { read write bind create getattr setopt };
      allow zabbix_t self:packet_socket { read write bind create getopt ioctl map setopt };
      allow zabbix_t self:rawip_socket { write create setopt };
      allow zabbix_t shadow_t:file { open read getattr };
      allow zabbix_t sssd_conf_t:dir search;
      allow zabbix_t sssd_conf_t:file { open read getattr };
      allow zabbix_t sudo_exec_t:file { execute getattr };
      allow zabbix_t traceroute_exec_t:file { open read map execute execute_no_trans getattr };
      allow zabbix_t user_tmp_t:dir { getattr search };
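The audit2allow workflow in step 6 and the resulting policy above both hand a generated `.te` straight to `semodule -i`. The following script is an added example, written for this page and not part of the Zabbix project or of the reporter's submission: it parses the `allow` rules of such a module, flags the grants a reviewer would want to question before installing it (reading `shadow_t`, `sys_admin`/`net_admin` capabilities, `module_request`, and `execute_no_trans` on an `*_exec_t` file, which runs that binary inside `zabbix_t` instead of its own confined domain), and points out where one of the booleans that audit2allow named in this report (`zabbix_run_sudo`, `domain_kernel_load_modules`, `domain_can_mmap_files`) would cover the AVC instead of a hand-written rule. The review list is the editor's own choice, and the embedded sample is an excerpt of the rules quoted in the report.

```python
"""Review a generated SELinux .te module before `semodule -i` installs it.

Added example (not part of the Zabbix issue or the Zabbix project). The
review list and the boolean mapping below are the editor's own; the
boolean names are the ones audit2allow printed in the report.
"""
import re
import sys
from dataclasses import dataclass

# One `allow <source> <target>:<class> <perm | { perms }>;` statement.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.MULTILINE
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    cls: str
    perms: frozenset

    def __str__(self):
        return f"allow {self.source} {self.target}:{self.cls} {{ {' '.join(sorted(self.perms))} }};"


def parse_allow_rules(te_text):
    """Return the allow rules of a .te text; require{} and comments are skipped."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


# (target, class, permission) -> why a reviewer should question it (editor's list).
SENSITIVE = {
    ("shadow_t", "file", "read"): "lets the domain read /etc/shadow password hashes",
    ("self", "capability", "sys_admin"): "CAP_SYS_ADMIN is nearly equivalent to root",
    ("self", "capability", "net_admin"): "CAP_NET_ADMIN allows reconfiguring the network stack",
    ("kernel_t", "system", "module_request"): "lets the domain trigger kernel module loading",
}


def review(rules):
    """Return (rule, permission, reason) for every grant on the review list.

    execute_no_trans on an *_exec_t file is flagged separately: it runs that
    binary inside the caller's domain instead of transitioning to the
    binary's own confined domain, so the helper inherits every permission
    the caller has.
    """
    findings = []
    for rule in rules:
        for perm in sorted(rule.perms):
            reason = SENSITIVE.get((rule.target, rule.cls, perm))
            if reason:
                findings.append((rule, perm, reason))
        if "execute_no_trans" in rule.perms and rule.target.endswith("_exec_t"):
            findings.append((rule, "execute_no_trans",
                             f"{rule.target} would execute inside {rule.source} without a domain transition"))
    return findings


def boolean_alternatives(rules):
    """Map rules to the booleans audit2allow named in the report.

    Setting a boolean keeps the distribution policy intact, although the
    domain_* booleans apply to every confined domain, not just zabbix_t.
    """
    alternatives = []
    for rule in rules:
        if rule.target == "sudo_exec_t" and rule.cls == "file":
            alternatives.append((rule, "zabbix_run_sudo"))
        if rule.target == "kernel_t" and rule.cls == "system" and "module_request" in rule.perms:
            alternatives.append((rule, "domain_kernel_load_modules"))
        if rule.cls == "file" and "map" in rule.perms:
            alternatives.append((rule, "domain_can_mmap_files"))
    return alternatives


# Constructed sample: an excerpt of the rules quoted in the report.
SAMPLE_TE = """
#============= zabbix_t ==============
allow zabbix_t chkpwd_exec_t:file { open read map execute_no_trans };
allow zabbix_t kernel_t:system module_request;
allow zabbix_t self:capability { audit_write sys_admin net_admin net_raw };
allow zabbix_t shadow_t:file { open read getattr };
allow zabbix_t sssd_conf_t:file { open read getattr };
allow zabbix_t sudo_exec_t:file { execute getattr };
allow zabbix_t traceroute_exec_t:file { open read map execute execute_no_trans getattr };
allow init_t chkpwd_t:process siginh;
"""


def main(argv):
    # Pass the path of a generated zabbix.te, or run without arguments for the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TE
    rules = parse_allow_rules(text)
    print(f"{len(rules)} allow rules parsed")
    for rule, perm, reason in review(rules):
        print(f"REVIEW  {perm:17} {rule}\n        {reason}")
    for rule, boolean in boolean_alternatives(rules):
        print(f"BOOLEAN setsebool -P {boolean} 1 could replace: {rule}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the `.te` that `audit2allow -M zabbix` wrote, between the `audit2allow` and `semodule -i` steps: every line it prints as REVIEW is a rule to justify or drop before the module is loaded, and every BOOLEAN line is an AVC that a `setsebool -P` would cover without a custom module.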
      

      Assignee: Oleksii Zagorskyi (zalex_ua)
      Reporter: Netscape25
      Votes: 0
      Watchers: 2