    problem with zabbix-agent-2.0.10-1.el6.x86_64 and selinux on SL 6.3

    Hi,

    Tonight an auto-update installed zabbix-agent-2.0.10-1.el6.x86_64 from the Zabbix repository. All of our agents stopped working correctly, hitting a "Permission denied" error on some items (mainly proc.num[anyprocess]).

    After temporarily disabling SELinux, all items are collected fine, but we don't want to have SELinux off. So my question is whether anyone is aware of this bug (I assume it is a bug because it was working on 2.0.9).

    #2
    This has nothing to do with the Zabbix update. Check your selinux-policy version:

    rpm -q selinux-policy

    If that results in 3.7.19-231, you suffer from a policy mistake that was introduced with the 6.5 update:

    https://bugzilla.redhat.com/show_bug.cgi?id=1039851
    https://bugzilla.redhat.com/show_bug.cgi?id=1032691

    Compile and put the suggested policy modules into action as long as it's not fixed upstream.

      #3
      According to the bug ticket, this is not a selinux-policy problem:

      "That means this would be Zabbix SIA's RPM issue, not selinux-policy."

      Because of this bug, systems with SELinux can't be upgraded! Turning off SELinux is not an option!

        #4
        You can either load a custom policy package in the meantime or make SELinux permissive in certain areas by running something like:

        semanage permissive -a <some_type>

        You can list types with:

        seinfo -t | grep zabbix

          #5
          I also hit this problem...

          Code:
          # rpm -qa | grep selinux
          libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
          selinux-policy-targeted-3.7.19-231.el6.noarch
          libselinux-2.0.94-5.3.el6_4.1.x86_64
          selinux-policy-3.7.19-231.el6.noarch
          libselinux-python-2.0.94-5.3.el6_4.1.x86_64
          I ended up reverting to the following packages:

          Code:
          selinux-policy-3.7.19-195.el6_4.18.noarch
          selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
          I'm hoping this gets resolved sooner rather than later.

            #6
            There is an open bug for this:

            https://support.zabbix.com/browse/ZBX-7607

            For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):

            Create the policy file:

            Code:
            # cd /usr/share/selinux/devel
            # cat > zabbix-fix.te
            policy_module(zabbix-fix, 1.0)
            
            require{
             type zabbix_agent_t;
             type zabbix_t;
             type ping_t;
             type zabbix_tmp_t;
            }
            
            # fping, run by the Zabbix server for icmpping checks, reads the server's temp files
            allow ping_t zabbix_tmp_t:file read_file_perms;
            # ...and uses the TCP socket it inherits from the zabbix server process
            allow ping_t zabbix_t:tcp_socket { read write };
            
            # agent reads /proc/net (net.* items)
            kernel_read_network_state(zabbix_agent_t)
            # agent reads /proc/<pid>/* of every domain (proc.num, proc.mem items)
            domain_read_all_domains_state(zabbix_agent_t)
            # agent reads /sys
            dev_read_sysfs(zabbix_agent_t)
            # active agent may connect out to the server on any TCP port
            corenet_tcp_connect_all_ports(zabbix_agent_t)
            Then, build the policy:


            Code:
            # make zabbix-fix.pp
            Compiling targeted zabbix-fix module
            /usr/bin/checkmodule:  loading policy configuration from tmp/zabbix-fix.tmp
            /usr/bin/checkmodule:  policy configuration loaded
            /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/zabbix-fix.mod
            Creating targeted zabbix-fix.pp policy package
            rm tmp/zabbix-fix.mod tmp/zabbix-fix.mod.fc
            Then, install the policy:

            Code:
            # semodule -i zabbix-fix.pp
            Then verify it's installed:

            Code:
            # semodule -l | grep zabbix-fix
            zabbix-fix	1.0
            After installing the module, you can disable it:

            Code:
            # semodule -d zabbix-fix
            Or enable it:

            Code:
            # semodule -e zabbix-fix
            Afterwards, I was able to use the latest selinux-policy:

            selinux-policy-3.7.19-231.el6.noarch
            selinux-policy-targeted-3.7.19-231.el6.noarch
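The build step above only succeeds if every type named in an allow rule is declared inside the require{} block; checkmodule refuses a module that references a type it has not been told about. The following is an added example, not code from the thread or from Zabbix: a small sh/awk lint that catches that mistake before you run make. The sample .te it writes is the zabbix-fix.te from this post plus the execute_no_trans rule a later post suggests, deliberately without adding zabbix_agent_exec_t to require{} so the check has something to find. The function names (write_sample_te, te_undeclared_types, te_lint) are my own.

```shell
#!/bin/sh
# Offline sanity check for a small .te module before running make/semodule:
# every type used as source or target of an allow rule must be declared with
# "type X;" inside require { }, otherwise checkmodule rejects the module.

# Constructed sample: the zabbix-fix.te from the thread, plus the
# execute_no_trans rule from a later post whose target type is not declared.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(zabbix-fix, 1.0)

require{
 type zabbix_agent_t;
 type zabbix_t;
 type ping_t;
 type zabbix_tmp_t;
}

allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };
# rule added for custom scripts; zabbix_agent_exec_t is missing from require{}
allow zabbix_agent_t zabbix_agent_exec_t:file execute_no_trans;

kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
corenet_tcp_connect_all_ports(zabbix_agent_t)
EOF
}

# te_undeclared_types FILE
# Prints, one per line (sorted), the types used in allow rules that are not
# declared inside require { }. Prints nothing when the module is consistent.
te_undeclared_types() {
    awk '
        /^[[:space:]]*require[[:space:]]*[{]/ { inreq = 1; next }
        inreq && /^[[:space:]]*[}]/           { inreq = 0; next }
        inreq && $1 == "type" { t = $2; sub(/;$/, "", t); declared[t] = 1; next }
        $1 == "allow" {
            src = $2
            split($3, a, ":"); tgt = a[1]      # "target_t:class" -> target_t
            if (!(src in declared)) miss[src] = 1
            if (!(tgt in declared)) miss[tgt] = 1
        }
        END { for (t in miss) print t }
    ' "$1" | sort
}

# te_lint FILE: exit status 0 when all allow-rule types are declared, 1 otherwise
te_lint() {
    missing=$(te_undeclared_types "$1")
    if [ -n "$missing" ]; then
        echo "undeclared types in $1 (add 'type X;' to require{}):" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample
tmp=$(mktemp)
write_sample_te "$tmp"
te_lint "$tmp" || echo "fix $tmp before running 'make zabbix-fix.pp'"
rm -f "$tmp"
```

Run it against your own .te before the make step; on the sample it reports zabbix_agent_exec_t, which is exactly the declaration you have to add to require{} when you append the execute_no_trans rule from later in the thread.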

              #7
              Hello,

              I had the same issue with the Zabbix agent and SELinux on CentOS 6.5.

              I tried to create custom modules with audit2allow, but none worked. I finally found that unloading the zabbix module makes it work fine.

              /etc/init.d/zabbix-agent stop && semodule -r zabbix && /etc/init.d/zabbix-agent start

              No more "avc" entries in audit.log and the Zabbix agent works well.

              Hope it will help.

              G.

                #8
                Originally posted by guigz747:
                Hello,

                I had the same issue with the Zabbix agent and SELinux on CentOS 6.5.

                I tried to create custom modules with audit2allow, but none worked. I finally found that unloading the zabbix module makes it work fine.

                /etc/init.d/zabbix-agent stop && semodule -r zabbix && /etc/init.d/zabbix-agent start

                No more "avc" entries in audit.log and the Zabbix agent works well.

                Hope it will help.

                G.
                The solution you suggested worked perfectly.
                The solution you suggested is very simple too.
                Great find, Kudos.

                @ Admin

                Please sticky the solution.

                  #9
                  Originally posted by raddy:
                  The solution you suggested worked perfectly.
                  The solution you suggested is very simple too.
                  Great find, Kudos.

                  @ Admin

                  Please sticky the solution.
                  This is a workaround, not a solution. Something needs to be fixed in the policy I think.

                  Originally posted by mrjoshuap:
                  There is an open bug for this:

                  https://support.zabbix.com/browse/ZBX-7607

                  For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):
                  ...
                  This seems to work for the default installation, thanks for the mini tutorial!

                  However, custom scripts do not seem to work:

                  Code:
                  type=AVC msg=audit(1394192481.663:8243): avc:  denied  { execute_no_trans } for  pid=9402 comm="sh" path="/opt/zabbix/linux/queryDisks.pl" dev=dm-0 ino=151130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:zabbix_agent_exec_t:s0 tclass=file
                  type=SYSCALL msg=audit(1394192331.343:8238): arch=c000003e syscall=59 success=no exit=-13 a0=9a1300 a1=9a1360 a2=9a0320 a3=7fff740dfa40 items=0 ppid=1295 pid=8784 auid=4294967295 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
                  The policy documentation (zabbix_selinux) states:

                  zabbix_agent_exec_t

                  - Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
                  But setting this type on my custom script "/opt/zabbix/linux/queryDisks.pl" still generates the same denial.

                  Adding this line to the custom module helps (although I'm not quite sure about the security impact of allowing this yet):

                  Code:
                  allow zabbix_agent_t zabbix_agent_exec_t:file execute_no_trans;
                  But there are still some denials while running the queryDisk.pl script about reading urandom.

                  I guess it's a good thing to have people think about SELinux rules when running custom scripts, but I wonder if this was intended behaviour or not. I hope breaking out-of-the-box Zabbix functionality was not...
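
The AVC lines quoted above are the raw material for both approaches discussed in this thread: post #4's "make one type permissive" stopgap needs the source type, and a custom module needs the (target type, class, permission) tuples. The script below is an added example, not code from the thread or from Zabbix; it does by hand, in sh/awk, what audit2allow does, so you can see which denials a rule would actually cover before you add it. The audit lines in SAMPLE_AUDIT are constructed for the example (the execute_no_trans line mirrors the one above; the /dev/urandom, sshd_t /proc and httpd lines are made up), and avc_summary and avc_to_allow are my names. The rules it prints are candidates to review, not something to load blindly: a rule such as reading every domain's /proc state or execute_no_trans on the agent's own exec type widens what a compromised agent can do, which is the concern raised in this post.

```shell
#!/bin/sh
# Constructed audit.log excerpt for this example (not a capture from any host in
# the thread). Contains the execute_no_trans denial shape from the thread, two
# follow-on denials for /dev/urandom, two for reading another domain's /proc
# entry, and one unrelated httpd denial that must be ignored when triaging the agent.
SAMPLE_AUDIT='type=AVC msg=audit(1394192481.663:8243): avc:  denied  { execute_no_trans } for  pid=9402 comm="sh" path="/opt/zabbix/linux/queryDisks.pl" dev=dm-0 ino=151130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:zabbix_agent_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1394192481.663:8243): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(1394192490.100:8250): avc:  denied  { read } for  pid=9410 comm="queryDisks.pl" name="urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1394192490.100:8250): avc:  denied  { open } for  pid=9410 comm="queryDisks.pl" path="/dev/urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1394192500.222:8260): avc:  denied  { read } for  pid=9420 comm="zabbix_agentd" name="status" dev=proc ino=9999 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1394192500.222:8260): avc:  denied  { read } for  pid=9420 comm="zabbix_agentd" name="status" dev=proc ino=9998 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1394192510.300:8270): avc:  denied  { name_bind } for  pid=1200 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# Shared awk program. Variables: dom = source domain type to keep, mode = summary|allow.
# For each "type=AVC ... denied" record it extracts the permission set between { },
# the type field (third ":"-separated part) of scontext and tcontext, and tclass.
AVC_AWK='
    $1 == "type=AVC" && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom) next
        count[tgt " " cls " " perms]++
        key = tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END {
        if (mode == "summary") for (k in count) print count[k], k
        else for (k in plist) printf "allow %s %s {%s };\n", dom, k, plist[k]
    }
'

# avc_summary DOMAIN_TYPE  (reads audit lines on stdin)
# Prints "COUNT target_type class perms" per distinct denial for that source domain.
avc_summary() { awk -v dom="$1" -v mode=summary "$AVC_AWK" | sort -k2; }

# avc_to_allow DOMAIN_TYPE  (reads audit lines on stdin)
# Prints candidate allow rules, one per (target type, class), permissions merged.
avc_to_allow() { awk -v dom="$1" -v mode=allow "$AVC_AWK" | sort; }

# Demonstration on the constructed sample: what the agent was denied, then the
# rules a custom module would need to cover those denials.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary zabbix_agent_t
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow zabbix_agent_t
```

On a real host, feed it the audit log instead of the sample (grep 'type=AVC' /var/log/audit/log | avc_summary zabbix_agent_t) and compare the printed rules with what the stock zabbix module already grants before adding anything to zabbix-fix.te.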

                    #10
                    Compiling this policy worked for me on CentOS 6.5! Thanks!


                    Originally posted by mrjoshuap:
                    There is an open bug for this:

                    https://support.zabbix.com/browse/ZBX-7607

                    For anyone else out there who had problems with the SELinux Policy, I performed the following (on RHEL6):
                    ...

                      #11
                      Up.

                      I have the same issue with Oracle Linux 7.1.

                      What worked for me was setting permissive mode only for Zabbix.


                      Code:
                      semanage permissive -a zabbix_agent_t
                      semodule -l | grep permissive
