  #1  
Old 13-12-2013, 09:42
Michal Paal Michal Paal is offline
Junior Member
 
Join Date: Dec 2013
Posts: 1
problem with zabbix-agent-2.0.10-1.el6.x86_64 and selinux on SL 6.3

Hi,

Tonight an autoupdate installed zabbix-agent-2.0.10-1.el6.x86_64 from the Zabbix repository. All of our agents stopped working correctly, hitting Permission denied errors on some items (mainly proc.num[anyprocess]).

After temporarily disabling selinux, all items are collected fine, but we don't want to have selinux off. So, my question is whether anyone is aware of this bug (I assume it is a bug because it was working on 2.0.9).
  #2  
Old 13-12-2013, 18:21
volter volter is offline
Member
Zabbix certified specialist
 
Join Date: Dec 2011
Location: Vienna, Austria
Posts: 49

This has nothing to do with the Zabbix update. Check your selinux-policy version:

rpm -q selinux-policy

If that results in 3.7.19-231, you suffer from a policy mistake that was introduced with the 6.5 update:

https://bugzilla.redhat.com/show_bug.cgi?id=1039851
https://bugzilla.redhat.com/show_bug.cgi?id=1032691

Compile the suggested policy modules and put them into action for as long as it's not fixed upstream.
  #3  
Old 10-01-2014, 11:52
hahnium hahnium is offline
Junior Member
Zabbix certified specialist
 
Join Date: Feb 2011
Posts: 13

According to the bug ticket this is not a selinux-policy problem:

"That means this would be Zabbix SIA's RPM issue, not selinux-policy."

Because of this bug, systems with selinux can't be upgraded! Turning off selinux is not an option!
  #4  
Old 10-01-2014, 12:05
volter volter is offline
Member
Zabbix certified specialist
 
Join Date: Dec 2011
Location: Vienna, Austria
Posts: 49

You can either load a custom policy package in the meantime or make SELinux permissive in certain areas by running something like:

semanage permissive -a <some_type>

You can list types with:

seinfo -t | grep zabbix
  #5  
Old 14-01-2014, 18:50
mrjoshuap mrjoshuap is offline
Junior Member
 
Join Date: Nov 2013
Posts: 6

I also hit this problem...

Code:
# rpm -qa | grep selinux
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-231.el6.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64

I ended up reverting to the following packages:

Code:
selinux-policy-3.7.19-195.el6_4.18.noarch
selinux-policy-targeted-3.7.19-195.el6_4.18.noarch

I'm hoping this gets resolved sooner rather than later.
  #6  
Old 14-01-2014, 20:26
mrjoshuap mrjoshuap is offline
Junior Member
 
Join Date: Nov 2013
Posts: 6

There is an open bug for this:

https://support.zabbix.com/browse/ZBX-7607

For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):

Create the policy file:

Code:
# cd /usr/share/selinux/devel
# cat > zabbix-fix.te <<'EOF'
policy_module(zabbix-fix, 1.0)

require{
 type zabbix_agent_t;
 type zabbix_t;
 type ping_t;
 type zabbix_tmp_t;
}

allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };

kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
corenet_tcp_connect_all_ports(zabbix_agent_t)
EOF

Then, build the policy:

Code:
# make zabbix-fix.pp
Compiling targeted zabbix-fix module
/usr/bin/checkmodule:  loading policy configuration from tmp/zabbix-fix.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/zabbix-fix.mod
Creating targeted zabbix-fix.pp policy package
rm tmp/zabbix-fix.mod tmp/zabbix-fix.mod.fc

Then, install the policy:

Code:
# semodule -i zabbix-fix.pp

Then verify it's installed:

Code:
# semodule -l | grep zabbix-fix
zabbix-fix	1.0

After installing the module, you can disable it:

Code:
# semodule -d zabbix-fix

Or enable it:

Code:
# semodule -e zabbix-fix

Afterwards, I was able to use the latest selinux-policy:

selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
  #7  
Old 31-01-2014, 15:45
guigz747 guigz747 is offline
Junior Member
 
Join Date: Jan 2014
Posts: 1

Hello,

I had the same issue with zabbix agent and selinux on CentOS 6.5.

I tried to create custom modules with audit2allow, but none worked. I finally found that unloading the zabbix module makes it work fine.

/etc/init.d/zabbix-agent stop && semodule -r zabbix && /etc/init.d/zabbix-agent start

No more "avc" entries in audit.log and zabbix agent works well.

Hope it will help.

G.
  #8  
Old 24-02-2014, 13:57
raddy raddy is offline
Junior Member
 
Join Date: Jan 2008
Posts: 9

Quote:
Originally Posted by guigz747 View Post
Hello,

I had the same issue with zabbix agent and selinux on CentOS 6.5.

I tried to create custom modules with audit2allow, but none worked. I finally found that unloading the zabbix module makes it work fine.

/etc/init.d/zabbix-agent stop && semodule -r zabbix && /etc/init.d/zabbix-agent start

No more "avc" entries in audit.log and zabbix agent works well.

Hope it will help.

G.
The solution you suggested worked perfectly.
The solution you suggested is very simple too.
Great find, Kudos.

@ Admin

Please sticky the solution.
  #9  
Old 07-03-2014, 14:22
dkanbier dkanbier is offline
Junior Member
Zabbix certified specialist
 
Join Date: Jul 2013
Posts: 13

Quote:
Originally Posted by raddy View Post
The solution you suggested worked perfectly.
The solution you suggested is very simple too.
Great find, Kudos.

@ Admin

Please sticky the solution.
This is a workaround, not a solution. Something needs to be fixed in the policy, I think.

Quote:
Originally Posted by mrjoshuap View Post
There is an open bug for this:

https://support.zabbix.com/browse/ZBX-7607

For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):
...
This seems to work for the default installation, thanks for the mini tutorial!

However, custom scripts do not seem to work:

Code:
type=AVC msg=audit(1394192481.663:8243): avc:  denied  { execute_no_trans } for  pid=9402 comm="sh" path="/opt/zabbix/linux/queryDisks.pl" dev=dm-0 ino=151130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:zabbix_agent_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1394192331.343:8238): arch=c000003e syscall=59 success=no exit=-13 a0=9a1300 a1=9a1360 a2=9a0320 a3=7fff740dfa40 items=0 ppid=1295 pid=8784 auid=4294967295 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

The policy documentation (zabbix_selinux) states:

Quote:
zabbix_agent_exec_t

- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.

But setting this type on my custom script "/opt/zabbix/linux/queryDisks.pl" still generates the same denial.

Adding this line to the custom module helps (although I'm not quite sure about the security impact of allowing this yet):

Code:
allow zabbix_agent_t zabbix_agent_exec_t:file execute_no_trans;

But there are still some denials while running the queryDisks.pl script about reading urandom.

I guess it's a good thing to have people think about SELinux rules when running custom scripts, but I wonder if this was intended behaviour or not. I hope breaking out-of-the-box Zabbix functionality was not...
__________________
Dennis Kanbier
website:http://www.denniskanbier.nl/blog
e-mail:info@denniskanbier.nl
Reply With Quote
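
The denial in the post above, turned into a rule that can be reviewed before it is loaded: an added example (not from the thread or from Zabbix) that does a small part of what audit2allow does, parsing AVC records and grouping denied permissions by source type, target type and object class. The second and third sample records and the `REVIEW_NOTES` table are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. Record 1 is the AVC denial quoted in the post above; record 2
# is a made-up /dev/urandom denial (the post mentions these but shows none);
# record 3 is a shortened SYSCALL record, which the parser must skip.
SAMPLE_LOG = '''\
type=AVC msg=audit(1394192481.663:8243): avc:  denied  { execute_no_trans } for  pid=9402 comm="sh" path="/opt/zabbix/linux/queryDisks.pl" dev=dm-0 ino=151130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:zabbix_agent_exec_t:s0 tclass=file
type=AVC msg=audit(1394192481.700:8244): avc:  denied  { read open } for  pid=9402 comm="queryDisks.pl" path="/dev/urandom" dev=devtmpfs ino=3853 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1394192331.343:8238): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'\bpath="([^"]*)"')
# Permissions worth a second look before they go into a module (illustrative, not exhaustive).
REVIEW_NOTES = {'execute_no_trans': 'file runs in the caller domain, no transition'}

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith('type=AVC') else None
        if not m:
            continue
        # An SELinux context is user:role:type[:level]; rules are written on the type.
        key = (m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'])
        denials[key]['perms'].update(m['perms'].split())
        denials[key]['paths'].update(PATH_RE.findall(line))
    return denials

def candidate_rules(denials):
    """Return (allow_rule, paths, review_notes) tuples, sorted by type names."""
    out = []
    for (src, tgt, cls), info in sorted(denials.items()):
        perms = sorted(info['perms'])
        text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        notes = [REVIEW_NOTES[p] for p in perms if p in REVIEW_NOTES]
        out.append((f'allow {src} {tgt}:{cls} {text};', sorted(info['paths']), notes))
    return out

if __name__ == '__main__':
    for rule, paths, notes in candidate_rules(parse_denials(SAMPLE_LOG)):
        print(rule, '| paths:', paths, '| review:', notes)
```

Keeping the path next to each candidate rule shows which files a type-wide `allow` was derived from, which is the information needed to decide whether the rule is broader than the one script it was meant for.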
  #10  
Old 24-04-2014, 00:34
dromero dromero is offline
Junior Member
 
Join Date: Apr 2014
Location: Santiago, Chile
Posts: 2

Compiling this policy worked for me in CentOS 6.5! Thanks!


Quote:
Originally Posted by mrjoshuap View Post
There is an open bug for this:

https://support.zabbix.com/browse/ZBX-7607

For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):

All times are GMT +2. The time now is 17:00.