[ZBX-23453] vfs.dev.discovery causes SELinux errors

Created: 2023 Sep 22 | Updated: 2023 Sep 25

| Field | Value |
| --- | --- |
| Status | Confirmed |
| Project | ZABBIX BUGS AND ISSUES |
| Component/s | Agent (G) |
| Affects Version/s | 6.0.21 |
| Fix Version/s | None |
| Type | Problem report |
| Priority | Major |
| Reporter | Kento Takahashi |
| Assignee | Jurijs Klopovskis |
| Resolution | Unresolved |
| Votes | 2 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |

Description
Steps to reproduce:

Result:

type=AVC msg=audit(1695357845.405:128): avc: denied { getattr } for pid=1428 comm="zabbix_agentd" path="/run/initctl" dev="tmpfs" ino=19850 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1695357845.405:129): avc: denied { getattr } for pid=1428 comm="zabbix_agentd" path="/run/systemd/journal/dev-log" dev="tmpfs" ino=11844 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1695357845.405:130): avc: denied { getattr } for pid=1428 comm="zabbix_agentd" path="/proc/kcore" dev="proc" ino=4026532029 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0

Expected:
Comments

Comment by Kento Takahashi [ 2023 Sep 22 ]
I found the cause after some investigation.

# ls -lZ /dev/initctl
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 12 Sep 22 13:38 /dev/initctl -> /run/initctl
# ls -lZ /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 Sep 22 13:38 /dev/log -> /run/systemd/journal/dev-log
# ls -lZ /dev/core
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 11 Sep 22 13:38 /dev/core -> /proc/kcore

Here is the code in the vfs.dev.discovery item.

// src/libs/zbxsysinfo/linux/diskio.c
int	VFS_DEV_DISCOVERY(AGENT_REQUEST *request, AGENT_RESULT *result)
{
	(snip.)
	if (NULL != (dir = opendir(ZBX_DEV_PFX)))
	{
		(snip.)
		while (NULL != (entries = readdir(dir)))
		{
			zbx_snprintf(tmp, sizeof(tmp), ZBX_DEV_PFX "%s", entries->d_name);

			if (0 == zbx_stat(tmp, &stat_buf) && 0 != S_ISBLK(stat_buf.st_mode))
			{

First, the directory /dev is opened with opendir(). Next, the directory entries are read with readdir(). Then stat() is called for each entry. I think it would be no problem to replace stat() with lstat(), because there is no need to follow symlinks here.

				if (0 == lstat(tmp, &lstat_buf))
				{
					(snip.)
					if (0 != S_ISLNK(lstat_buf.st_mode))
						dev_bypass = 1;
					else
						zbx_snprintf(tmp, sizeof(tmp), "rom");
					(snip.)
					if (0 == dev_bypass)
					{
						zbx_json_addobject(&j, NULL);
						zbx_json_addstring(&j, "{#DEVNAME}", entries->d_name, ZBX_JSON_TYPE_STRING);
						zbx_json_addstring(&j, "{#DEVTYPE}", 1 == devtype_found ? tmp + offset : "",
								ZBX_JSON_TYPE_STRING);
						zbx_json_close(&j);
					}

After the first stat(), /dev files are checked with lstat() to see whether they are symlinks, and symlinks are not included in the item response. I tried making a patch and confirmed that it fixes the SELinux errors.
--- src/libs/zbxsysinfo/linux/diskio.c.bak 2023-09-22 15:54:43.132604806 +0900
+++ src/libs/zbxsysinfo/linux/diskio.c 2023-09-22 15:55:01.896519054 +0900
@@ -324,7 +324,7 @@
{
zbx_snprintf(tmp, sizeof(tmp), ZBX_DEV_PFX "%s", entries->d_name);
- if (0 == zbx_stat(tmp, &stat_buf) && 0 != S_ISBLK(stat_buf.st_mode))
+ if (0 == lstat(tmp, &stat_buf) && 0 != S_ISBLK(stat_buf.st_mode))
{
int offset = 0;
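Review bot: with lstat() in this test, an entry that is a symlink gets S_IFLNK in stat_buf.st_mode, so S_ISBLK() is false and the symlink is skipped right here; the later lstat()/S_ISLNK() check that sets dev_bypass = 1 is then never reached for a symlink, so that second lstat() call and the dev_bypass flag can be dropped in the same change rather than left as dead code. A one-line comment on the new condition saying why the link must not be followed (the targets /run/initctl, /run/systemd/journal/dev-log and /proc/kcore carry SELinux types the zabbix_agent_t domain may not getattr) would save the next reader from "fixing" it back to stat(). Using bare lstat() instead of a zbx_ wrapper is consistent with the existing lstat() call later in the same loop.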
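As an added example (not Zabbix code and not from the reporter) of the stat()/lstat() difference the comment relies on: it builds a temporary directory as a stand-in for /dev, with a regular file standing in for /proc/kcore and a symlink named core pointing at it, then shows that stat() reports the target's type while lstat() reports the symlink itself, so the post-patch S_ISBLK() test rejects the symlink without ever touching the target. The directory scan mirrors the opendir()/readdir() loop from the issue; every name in the code (probe_result_t, run_symlink_demo and the rest) is the example's own, not a Zabbix identifier.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the two calls report for the symlink entry (constructed for this example). */
typedef struct {
	int stat_followed;   /* stat() reported the target's type, not S_IFLNK */
	int lstat_symlink;   /* lstat() reported S_IFLNK */
	int lstat_blk;       /* the post-patch test: S_ISBLK() on the lstat() result */
	int symlink_entries; /* entries in the scanned directory that lstat() flags as symlinks */
} probe_result_t;

/* Probe one path with both calls. Returns 0 on success, -1 on error. */
static int probe_path(const char *path, probe_result_t *r)
{
	struct stat sb, lsb;

	if (0 != stat(path, &sb))	/* follows the symlink to its target */
		return -1;
	if (0 != lstat(path, &lsb))	/* describes the symlink itself */
		return -1;
	r->stat_followed = S_ISLNK(sb.st_mode) ? 0 : 1;
	r->lstat_symlink = S_ISLNK(lsb.st_mode) ? 1 : 0;
	r->lstat_blk = S_ISBLK(lsb.st_mode) ? 1 : 0;
	return 0;
}

/* Walk a directory like the discovery loop (opendir/readdir) but with lstat(),
 * counting the symlink entries whose targets a stat() would have touched. */
static int count_symlink_entries(const char *dir)
{
	DIR *d;
	struct dirent *e;
	struct stat lsb;
	char path[4096];
	int n = 0;

	if (NULL == (d = opendir(dir)))
		return -1;
	while (NULL != (e = readdir(d)))
	{
		if (0 == strcmp(e->d_name, ".") || 0 == strcmp(e->d_name, ".."))
			continue;
		snprintf(path, sizeof(path), "%s/%s", dir, e->d_name);
		if (0 == lstat(path, &lsb) && S_ISLNK(lsb.st_mode))
			n++;
	}
	closedir(d);
	return n;
}

/* Scratch /dev: a regular file as the kcore stand-in and a symlink "core" to it.
 * Fills *r and returns 0, or -1 if setup failed. Cleans up after itself. */
int run_symlink_demo(probe_result_t *r)
{
	char dir[] = "/tmp/lstat-demo-XXXXXX";
	char target[512], link[512];
	int fd, rc = -1;

	memset(r, 0, sizeof(*r));
	if (NULL == mkdtemp(dir))
		return -1;
	snprintf(target, sizeof(target), "%s/kcore-stand-in", dir);
	snprintf(link, sizeof(link), "%s/core", dir);
	if (-1 != (fd = open(target, O_WRONLY | O_CREAT, 0600)))
	{
		close(fd);
		if (0 == symlink(target, link))
		{
			if (0 == probe_path(link, r) && 0 <= (r->symlink_entries = count_symlink_entries(dir)))
				rc = 0;
			unlink(link);
		}
		unlink(target);
	}
	rmdir(dir);
	return rc;
}

/* 1 if the demo reproduces the report's reasoning: stat() followed the link,
 * lstat() saw a link, S_ISBLK() on the lstat() result is false, one symlink found. */
int demo_checks_out(void)
{
	probe_result_t r;

	if (0 != run_symlink_demo(&r))
		return 0;
	return (1 == r.stat_followed && 1 == r.lstat_symlink && 0 == r.lstat_blk && 1 == r.symlink_entries) ? 1 : 0;
}

int main(void)
{
	probe_result_t r;

	if (0 != run_symlink_demo(&r))
	{
		perror("demo setup");
		return 1;
	}
	printf("stat() followed the symlink:     %s\n", r.stat_followed ? "yes" : "no");
	printf("lstat() saw a symlink:           %s\n", r.lstat_symlink ? "yes" : "no");
	printf("S_ISBLK on lstat() result:       %s\n", r.lstat_blk ? "yes" : "no");
	printf("symlink entries in scratch dir:  %d\n", r.symlink_entries);
	return 0;
}
```

Running it unprivileged on the scratch directory is enough to see the point: the pre-patch stat() resolves the link and so performs a getattr on the target (which under a confined SELinux domain is what produced the three denials), whereas lstat() stops at the link and the S_ISBLK() test already discards it.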