SELinux Woes - RPM Package Monitoring

  • LukeAB93UK
    Member
    Zabbix Certified Specialist
    • Jun 2023
    • 72

    #1

    SELinux Woes - RPM Package Monitoring

    Hello,

    I spun up an at-home Zabbix instance on RedHat with a remote database server. Now I ran into SELinux blocking some things, so I made a custom policy and all is good except 1 thing. Here is how I made the policy below.

    (screenshot: the steps used to create the custom policy)

    This one item is not working on my Zabbix server

    (screenshot: the failing item on the Zabbix server)

    It just returns "[]" / "0" with SELinux enabled
    (screenshot: the item returning "[]" / "0" with SELinux enforcing)

    however if I temporarily disable SELinux with "setenforce 0" it returns the correct package amount.

    (screenshot: the correct package count after "setenforce 0")

    I even made sure there were entries for this before making the policy by force-executing it:

    Code:
    type=AVC msg=audit(1712604680.858:1043): avc:  denied  { map } for  pid=38030 comm="rpm" path="/usr/bin/rpm" dev="dm-0" ino=68101659 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1712604680.858:1043): arch=c000003e syscall=59 success=no exit=-13 a0=5631b2abff80 a1=5631b2ac0890 a2=5631b2abdfa0 a3=1b6 items=0 ppid=38029 pid=38030 auid=4294967295 uid=983 gid=983 euid=983 suid=983 fsuid=983 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
    type=ANOM_ABEND msg=audit(1712604680.858:1044): auid=4294967295 uid=983 gid=983 ses=4294967295 subj=system_u:system_r:zabbix_agent_t:s0 pid=38030 comm="rpm" exe="/usr/bin/rpm" sig=11 res=1AUID="unset" UID="zabbix" GID="zabbix"
    type=AVC msg=audit(1712604681.070:1045): avc:  denied  { map } for  pid=38039 comm="rpm" path="/usr/bin/rpm" dev="dm-0" ino=68101659 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1712604681.070:1045): arch=c000003e syscall=59 success=no exit=-13 a0=55ac50e78f80 a1=55ac50e79890 a2=55ac50e76fa0 a3=1b6 items=0 ppid=38038 pid=38039 auid=4294967295 uid=983 gid=983 euid=983 suid=983 fsuid=983 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
    type=ANOM_ABEND msg=audit(1712604681.070:1046): auid=4294967295 uid=983 gid=983 ses=4294967295 subj=system_u:system_r:zabbix_agent_t:s0 pid=38039 comm="rpm" exe="/usr/bin/rpm" sig=11 res=1AUID="unset" UID="zabbix" GID="zabbix"
    type=AVC msg=audit(1712604681.354:1047): avc:  denied  { map } for  pid=38048 comm="rpm" path="/usr/bin/rpm" dev="dm-0" ino=68101659 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1712604681.354:1047): arch=c000003e syscall=59 success=no exit=-13 a0=55ca53965f80 a1=55ca53966890 a2=55ca53963fa0 a3=1b6 items=0 ppid=38047 pid=38048 auid=4294967295 uid=983 gid=983 euid=983 suid=983 fsuid=983 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
    type=ANOM_ABEND msg=audit(1712604681.355:1048): auid=4294967295 uid=983 gid=983 ses=4294967295 subj=system_u:system_r:zabbix_agent_t:s0 pid=38048 comm="rpm" exe="/usr/bin/rpm" sig=11 res=1AUID="unset" UID="zabbix" GID="zabbix"
    type=SYSCALL msg=audit(1712604778.690:1077): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55b964e14c64 a2=a0000 a3=0 items=0 ppid=37655 pid=38345 auid=4294967295 uid=983 gid=983 euid=983 suid=983 fsuid=983 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
    Does anyone know how to fix that without making the agent only permissive with "sudo semanage permissive -a zabbix_agent_t"?
  • LukeAB93UK
    Member
    Zabbix Certified Specialist
    • Jun 2023
    • 72

    #2
    Update

    In case anyone runs into this problem like I did: I have managed to resolve this by swapping to Zabbix Agent2, and it correctly reports the total installed packages with SELinux enabled.

    Comment


    • otheus
      otheus commented
      @LukeAB93UK my advice is, do not use agent2. You have serious software-supply-chain issues there. If you're concerned about security, you are literally better off disabling selinux than relying on agent2. (FYI: my info about agent2's supply chain issues is a few years old)

      The selinux-zabbix module currently does seem a bit FUBAR'd (2025). The policy file has not been well implemented or kept up to date. Changes made since RHEL8 may be the issue.


      You can also use standard recipes to selectively add your own constraints:
      [code]
      cd /tmp
      # no -a here: with -a audit2allow reads the whole audit log itself and ignores the grep-filtered input on stdin
      ausearch -ts recent -m avc | grep zabbix | audit2allow -M local_zabbix_selinux
      [/code]

      Check the corresponding output .te file first -- it might have too much fluff.
      Then insert the module:
      [code]
      semodule -i ./local_zabbix_selinux.pp
      [/code]

      There's lots of cautionary caveats here, i.e., don't use /tmp on a multiuser system, because it could theoretically be overwritten by someone else.
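As an added example (not from the thread or from the Zabbix project), here is a small shell function that distils raw AVC denials like the ones posted above into the allow rules audit2allow would generate, so the generated .te file can be compared line by line against what the denials actually require before it is installed. The first AVC lines are copied from the post (the SYSCALL line is shortened); the rpm_var_lib_t:dir line is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): distil AVC denials into the allow
# rules audit2allow would generate, so a .te file can be checked for fluff
# before semodule -i. The first sample lines are copied from the post (the
# SYSCALL line shortened); the rpm_var_lib_t:dir line is constructed.

AVC_SAMPLE='type=AVC msg=audit(1712604680.858:1043): avc:  denied  { map } for  pid=38030 comm="rpm" path="/usr/bin/rpm" dev="dm-0" ino=68101659 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1712604680.858:1043): arch=c000003e syscall=59 success=no exit=-13 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:zabbix_agent_t:s0
type=AVC msg=audit(1712604681.070:1045): avc:  denied  { map } for  pid=38039 comm="rpm" path="/usr/bin/rpm" dev="dm-0" ino=68101659 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712604681.400:1050): avc:  denied  { read } for  pid=38048 comm="rpm" name="rpm" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0'

# avc_to_rules: read raw audit lines on stdin, emit one deduplicated
# "allow <source type> <target type>:<class> { perms };" per denial.
# Non-AVC lines (SYSCALL, ANOM_ABEND, ...) are skipped.
avc_to_rules() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] +/, "", perms)   # keep only "map" from "{ map }"
        sub(/ +[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # zabbix_agent_t
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }  # rpm_exec_t
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }            # file
        }
        key = src " " tgt ":" cls
        if (!(key in plist)) { plist[key] = ""; order[++n] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " plist[key] " ", " " p[j] " ") == 0)
                plist[key] = plist[key] " " p[j]
    }
    END {
        for (k = 1; k <= n; k++)
            printf "allow %s {%s };\n", order[k], plist[order[k]]
    }'
}

# Stand-alone run: compare this against the .te that audit2allow writes;
# any rule beyond these lines is policy the denials did not ask for.
printf '%s\n' "$AVC_SAMPLE" | avc_to_rules
```

On a real host, feed it `ausearch -ts recent -m avc | grep zabbix` instead of the embedded sample.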