[ZBXNEXT-5067] Submit Zabbix Server changes to the RH SELinux policy packages Created: 2019 Feb 22 Updated: 2021 Mar 09 |
|
| Status: | Open |
| Project: | ZABBIX FEATURE REQUESTS |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Change Request | Priority: | Trivial |
| Reporter: | Kaspars Mednis | Assignee: | Zabbix Development Team |
| Resolution: | Unresolved | Votes: | 3 |
| Labels: | packages, rhel, selinux, upstream | ||
| Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
| Σ Time Spent: | Not Specified | Time Spent: | Not Specified |
| Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
| Attachments: |
zabbix-proxy.service.patch
|
||||||||||
| Issue Links: |
|
||||||||||
| Sub-Tasks: |
|
||||||||||
| Description |
|
After installing Zabbix from packages, it fails to start if SELinux is enabled - this is a known issue Could this please be submitted upstream to avoid the need for the manual steps? |
| Comments |
| Comment by dimir [ 2019 Feb 22 ] |
|
OK, first we need to understand what are we missing. Anybody can provide the list of things to add (possibly) here? |
| Comment by richlv [ 2019 Apr 24 ] |
|
That's a lengthy policy, what is it's scope - is it something that is in / will go in RHEL, or something to be used as an example, or some other purpose? On the agent side, the zabbix_run_sudo boolean is often needed, available since RHEL 7.6. Other things we've found to be useful on the agent side (notice the sssd part, not detectable unless sssd is used):
require {
type sssd_conf_t;
type chkpwd_exec_t;
type zabbix_agent_t;
type devlog_t;
type shadow_t;
type kernel_t;
class unix_dgram_socket { create connect sendto };
class file { execute_no_trans read open };
class netlink_audit_socket create;
class capability { dac_override dac_read_search };
class sock_file write;
}
#============= zabbix_agent_t ==============
allow zabbix_agent_t chkpwd_exec_t:file execute_no_trans;
allow zabbix_agent_t self:netlink_audit_socket create;
allow zabbix_agent_t self:unix_dgram_socket { create connect };
allow zabbix_agent_t sssd_conf_t:file { read open };
allow zabbix_agent_t self:capability { dac_override dac_read_search };
allow zabbix_agent_t devlog_t:sock_file write;
allow zabbix_agent_t shadow_t:file { read open };
allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
|
| Comment by richlv [ 2019 Apr 24 ] |
|
On the server side, these booleans are often needed:
And the following was useful (the Postfix part related to simple email sending)
require {
type zabbix_var_run_t;
type tmp_t;
type fs_t;
type zabbix_t;
type reserved_port_t;
type unreserved_port_t;
type postfix_local_t;
type zabbix_var_lib_t;
type zabbix_script_t;
class sock_file { create unlink write };
class unix_stream_socket connectto;
class process { setrlimit signal };
class tcp_socket name_connect;
class filesystem getattr;
class dir search;
}
#============= zabbix_t ==============
allow zabbix_t self:process setrlimit;
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t tmp_t:sock_file { create unlink write };
allow zabbix_t zabbix_var_run_t:sock_file { create unlink write };
allow zabbix_t reserved_port_t:tcp_socket name_connect;
allow zabbix_t unreserved_port_t:tcp_socket name_connect;
allow zabbix_t fs_t:filesystem getattr;
allow zabbix_t zabbix_script_t:process signal;
#============= postfix_local_t ==============
allow postfix_local_t zabbix_var_lib_t:dir search;
|
| Comment by arielzn [ 2019 Dec 11 ] |
|
I can confirm that on a fresh zabbix-server 4.0 installation on CentOS Linux release 8.0.1905 after enabling
booleans, I needed at least to get zabbix-server started:
require {
type zabbix_t;
type zabbix_var_run_t;
class capability dac_override;
class unix_stream_socket connectto;
class sock_file { create unlink write };
}
#============= zabbix_t ==============
allow zabbix_t self:capability dac_override;
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t zabbix_var_run_t:sock_file { create unlink write };
|
| Comment by Raimonds Treimanis [ 2020 May 20 ] |
|
Tried on zabbix 4.4.8 and Centos 8 and got type=AVC msg=audit(1589985848.013:1015): avc: denied { dac_override } for pid=5965 comm="zabbix_proxy" capability=1 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
Problem arises as zabbix is requesting dac_override, which it doesn't have, because it is trying to access /var/run/zabbix as root before dropping to zabbix user giving dac_override to zabbix is too dangerous, if i have understood correctly what this permission really grants fast workaround is to chmod o+w on /var/run/zabbix
correct fix would be for zabbix process to drop privileges to zabbix user before accessing folders |
| Comment by Fabian Wannenmacher [ 2021 Mar 09 ] |
|
zabbix-proxy is starting with root-privileges which it never needs. So letting it start without root-privileges fixes the problem. So the one Line patch to fix that issue (and making zabbix more secure) is: /lib/systemd/system/zabbix-proxy.service 27a28 A patch-file with context: This should work similar for zabbix-server. |
