Type: Problem report
Resolution: Unresolved
Priority: Trivial
Affects Version/s: 7.4.10
Component/s: Agent2 (G)
Environment: Rocky Linux 9.7
kernel 5.14.0-611.54.1.el9_7.x86_64
sestatus: enabled, targeted, enforcing
zabbix-release-7.4-3.el9.noarch
zabbix-agent2-7.4.10-release1.el9.x86_64
zabbix-selinux-policy-7.4.10-release1.el9.x86_64
libselinux-3.6-3.el9.x86_64
libselinux-utils-3.6-3.el9.x86_64
mysql-selinux-1.0.14-1.el9_6.noarch
rpm-plugin-selinux-4.16.1.3-39.el9.x86_64
selinux-policy-38.1.65-1.el9_7.1.noarch
selinux-policy-targeted-38.1.65-1.el9_7.1.noarch
selinux-policy-devel-38.1.65-1.el9_7.1.noarch
Steps to reproduce:
Rocky Linux 9 with all updates, and SELinux enabled and enforcing.
Install zabbix-agent2 and zabbix-selinux-policy from the rhel10 zabbix 7.4 repo.
`tail -F /var/log/auditd.log` and `journalctl -fu zabbix-agent2.service` with `systemctl restart zabbix-agent2.service`.
Result:
May 11 11:30:43 zabbix.redacted.net systemd[1]: Starting Zabbix Agent 2...
May 11 11:30:43 zabbix.redacted.net zabbix_agent2[601661]: Validating configuration file "/etc/zabbix/zabbix_agent2.conf"
May 11 11:30:43 zabbix.redacted.net zabbix_agent2[601661]: zabbix_agent2 [601661]: ERROR: cannot open configuration file: open /etc/zabbix/zabbix_agent2.conf: permission denied
May 11 11:30:43 zabbix.redacted.net systemd[1]: zabbix-agent2.service: Control process exited, code=exited, status=1/FAILURE
May 11 11:30:43 zabbix.redacted.net systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.
May 11 11:30:43 zabbix.redacted.net systemd[1]: Failed to start Zabbix Agent 2.
node=zabbix.redacted.net type=SERVICE_START msg=audit(1778524243.477:155187): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=zabbix-agent2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=zabbix.redacted.net type=SERVICE_STOP msg=audit(1778524243.477:155188): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=zabbix-agent2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=zabbix.redacted.net type=AVC msg=audit(1778524243.500:155189): avc: denied for pid=601661 comm="zabbix_agent2" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability permissive=0
node=zabbix.redacted.net type=SYSCALL msg=audit(1778524243.500:155189): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c00027cec0 a2=80000 a3=0 items=1 ppid=1 pid=601661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zabbix_agent2" exe="/usr/sbin/zabbix_agent2" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=zabbix.redacted.net type=CWD msg=audit(1778524243.500:155189): cwd="/"
node=zabbix.redacted.net type=PATH msg=audit(1778524243.500:155189): item=0 name="/etc/zabbix/zabbix_agent2.conf" inode=539375633 dev=09:7f mode=0100600 ouid=986 ogid=986 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="zabbix" OGID="zabbix"
node=zabbix.redacted.net type=PROCTITLE msg=audit(1778524243.500:155189): proctitle=2F7573722F7362696E2F7A61626269785F6167656E7432002D54002D63002F6574632F7A61626269782F7A61626269785F6167656E74322E636F6E66
node=zabbix.redacted.net type=SERVICE_START msg=audit(1778524243.504:155190): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=zabbix-agent2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
node=zabbix.redacted.net type=SERVICE_START msg=audit(1778524243.769:155191): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=zabbix.redacted.net type=SERVICE_START msg=audit(1778524244.201:155192): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@7888 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
audit2why on that audit log says:
type=AVC msg=audit(1778524273.996:155209): avc: denied { dac_override } for pid=601893 comm="zabbix_agent2" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
audit2allow on it gives:
#============= zabbix_agent_t ==============
allow zabbix_agent_t self:capability { dac_override dac_read_search };
"audit2allow -R" gives:
require {
	type zabbix_agent_t;
	class capability { dac_override dac_read_search };
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:capability { dac_override dac_read_search };
Expected:
zabbix-agent2.service able to read config file and not have any problems running.
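The audit records and the audit2why/audit2allow output above show the denial but not why a root process needs a DAC capability to read a config file in the first place. The script below is an added example, not code from this issue or from the Zabbix project: it groups the quoted audit records by event id, decodes the PROCTITLE record, and derives the same allow rule audit2allow prints, while also spelling out the DAC situation (process uid 0, file owned by uid 986 with mode 0600, so ordinary permission bits refuse and the kernel falls back to a CAP_DAC_* check). The sample records are reconstructed from the report with the node= prefix and auditd's enriched suffix dropped; the capability numbering follows linux/capability.h; the ownership_fix line is an assumed alternative mitigation, not something the report proposes.

```python
"""Added example (not from the Zabbix issue or the Zabbix project): explain a
tclass=capability AVC from its SYSCALL and PATH records, audit2why-style but
with the DAC context that decides whether a dac_* capability is needed at all."""
import re

# Capability numbers from <linux/capability.h>; only the low ones relevant here.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERM_RE = re.compile(r"\{ ([^}]*) \}")

# Constructed sample: the records of audit event 1778524243.500:155189 from the
# report, without the node= prefix and the enriched UID="..." suffix. The
# permission in braces is filled in from capability=2 (CAP_DAC_READ_SEARCH).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1778524243.500:155189): avc: denied { dac_read_search } for pid=601661 comm="zabbix_agent2" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1778524243.500:155189): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c00027cec0 a2=80000 a3=0 items=1 ppid=1 pid=601661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zabbix_agent2" exe="/usr/sbin/zabbix_agent2" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=CWD msg=audit(1778524243.500:155189): cwd="/"
type=PATH msg=audit(1778524243.500:155189): item=0 name="/etc/zabbix/zabbix_agent2.conf" inode=539375633 dev=09:7f mode=0100600 ouid=986 ogid=986 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1778524243.500:155189): proctitle=2F7573722F7362696E2F7A61626269785F6167656E7432002D54002D63002F6574632F7A61626269782F7A61626269785F6167656E74322E636F6E66
"""


def parse_record(line):
    """Turn one audit record into a dict of fields; quoted values are unquoted."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    fields["event"] = EVENT_RE.search(line).group(1)
    perms = PERM_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields


def group_events(text):
    """Group records by audit event id, then by record type (AVC, SYSCALL, ...)."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events


def decode_proctitle(hex_argv):
    """PROCTITLE carries argv hex-encoded with NUL separators between arguments."""
    return bytes.fromhex(hex_argv).decode().replace("\x00", " ")


def explain_capability_denial(event):
    """Explain a tclass=capability AVC using the SYSCALL and PATH records of the same event."""
    avc, syscall, path = event["AVC"], event["SYSCALL"], event["PATH"]
    cap = CAP_NAMES.get(int(avc["capability"]), avc.get("perms", ["unknown"])[0])
    domain = avc["scontext"].split(":")[2]      # system_u:system_r:zabbix_agent_t:s0
    mode = int(path["mode"], 8) & 0o777           # 0100600 -> 0600
    # The kernel consults CAP_DAC_* only after the owner/group/other bits refuse
    # the caller. Here the caller is uid 0, the file belongs to uid 986 and has
    # no group or other read bit, so DAC refuses and the capability check (and
    # with it the SELinux capability permission) is reached.
    dac_refuses = syscall["uid"] != path["ouid"] and not mode & 0o044
    return {
        "command": decode_proctitle(event["PROCTITLE"]["proctitle"]),
        "domain": domain,
        "capability": cap,
        "file": path["name"],
        "mode": f"{mode:04o}",
        "dac_refuses": dac_refuses,
        # What audit2allow emits for this single denial.
        "allow_rule": f"allow {domain} self:capability {cap};",
        # Assumed alternative that needs no capability grant: make root the
        # owner and keep the file group-readable for the agent's own group.
        "ownership_fix": f"chown root:{path['ogid']} {path['name']} && chmod 0640 {path['name']}",
    }


if __name__ == "__main__":
    for event_id, event in group_events(SAMPLE_AUDIT).items():
        if event.get("AVC", {}).get("tclass") == "capability":
            print(f"event {event_id}")
            for key, value in explain_capability_denial(event).items():
                print(f"  {key:14} {value}")
```

Run against a real log, the same grouping works on `ausearch -m AVC,SYSCALL,PATH,PROCTITLE --raw` output once the node= prefix is tolerated (the field regex already ignores it). The decoded argv shows which invocation hit the denial (here the `-T` configuration test), which matters because a configuration-test step running as root and a daemon running as the service user read the same file under different DAC rules.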