system.sw.packages and Selinux on RHEL 7
  • Martin Jørgensen
    Junior Member
    • Feb 2020
    • 10

    #1

    Hi

    System: RHEL 7 Host
    Selinux issue with system.sw.packages

    Has anyone fixed the issue that system.sw.packages cannot read rpm package info with SELinux in enforcing mode?

    This item works with SELinux in permissive mode.

    I have tried to create an SELinux policy by querying for the error in /var/log/audit/audit.log, but that only stops the deny message from being displayed; the item still can't get the rpm status.

    I don't disable SELinux; I can't be the only one having this issue on a company network.

    Have a good day
  • mfoster
    Junior Member
    • May 2021
    • 6

    #2
    I also have the same error on CentOS 7.9 and Zabbix 5.2.6. Interrogating the audit log gives the following information:

    type=AVC msg=audit(1621855352.039:773062): avc: denied { execute_no_trans } for pid=20663 comm="sh" path="/usr/bin/rpm" dev="dm-0" ino=12908590 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u_object_r:rpm_exec_t:s0 tclass=file permissive=0
    Was caused by:
    Missing type enforcement (TE) allow rule.


    • mfoster
      Junior Member
      • May 2021
      • 6

      #3
      I have solved the SELinux issue with rules below (others with more SELinux experience may be able to improve on this).

      module zabbix-agent-local 1.0;

      require {
      type rpm_exec_t;
      type zabbix_agent_t;
      type rpm_var_lib_t;
      class file { execute execute_no_trans open };
      }

      #============= zabbix_agent_t ==============
      allow zabbix_agent_t rpm_exec_t:file {execute execute_no_trans};
      allow zabbix_agent_t rpm_var_lib_t:file open;


      However, I still get a standard Linux permissions error:

      root@***********:~# zabbix_get -s ************* -k system.sw.packages
      [rpm] error: cannot open Packages database in /var/lib/rpm, error: cannot open Packages database in /var/lib/rpm, error: cannot open Packages index using db5 - Permission denied (13)


      • mfoster
        Junior Member
        • May 2021
        • 6

        #4
        It turns out that I hadn't solved the SELinux issue, as there was a dontaudit rule masking the failure. The full rule set needed to allow Zabbix Agent to get packages is:

        module zabbix-agent-local 1.0;

        require {
        type rpm_exec_t;
        type zabbix_agent_t;
        type rpm_var_lib_t;
        class file { execute execute_no_trans open read };
        }

        #============= zabbix_agent_t ==============
        allow zabbix_agent_t rpm_exec_t:file { execute execute_no_trans };
        allow zabbix_agent_t rpm_var_lib_t:file { open read };
        Last edited by mfoster; 26-05-2021, 13:39.
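The thread ends with the working module but not with how it is built and loaded, nor with a way to surface the denial that the dontaudit rule hid. The script below is an added example, not mfoster's or Zabbix's code. It derives an allow rule from an AVC line of the shape quoted in post #2 (both sample lines are constructed, with the target context written in the usual user:role:type:level form), writes the post #4 module, and, only when run as root with checkmodule available, builds and loads it and re-runs the item with dontaudit rules disabled (semodule -DB) so masked denials show up in the audit log. The host passed to recheck_unmasked is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): map an AVC denial to a TE allow rule,
# write the module from post #4, and optionally build/load/re-check it.

# Constructed sample lines modelled on the denial quoted in post #2.
SAMPLE_AVC='type=AVC msg=audit(1621855352.039:773062): avc: denied { execute_no_trans } for pid=20663 comm="sh" path="/usr/bin/rpm" dev="dm-0" ino=12908590 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0'
# Constructed: the read denial that a dontaudit rule kept out of the log.
SAMPLE_AVC_READ='type=AVC msg=audit(1621855400.000:773100): avc: denied { open read } for pid=20670 comm="rpm" path="/var/lib/rpm/Packages" dev="dm-0" ino=12908600 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of the "KEY=value" token in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# avc_to_allow LINE -> "allow <source type> <target type>:<class> { perms };"
# (the same mapping audit2allow performs for a single record)
avc_to_allow() {
    _s=$(context_type "$(avc_field "$1" scontext)")
    _t=$(context_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    _p=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$_s" "$_t" "$_c" "$_p"
}

# The complete module from post #4 (execute rpm, read its database).
te_module_text() {
cat <<'EOF'
module zabbix-agent-local 1.0;

require {
    type rpm_exec_t;
    type zabbix_agent_t;
    type rpm_var_lib_t;
    class file { execute execute_no_trans open read };
}

allow zabbix_agent_t rpm_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t rpm_var_lib_t:file { open read };
EOF
}

# Compile and load the module; needs root plus checkpolicy/policycoreutils.
build_and_install() {
    _dir=$(mktemp -d)
    te_module_text > "$_dir/zabbix-agent-local.te"
    checkmodule -M -m -o "$_dir/zabbix-agent-local.mod" "$_dir/zabbix-agent-local.te"
    semodule_package -o "$_dir/zabbix-agent-local.pp" -m "$_dir/zabbix-agent-local.mod"
    semodule -i "$_dir/zabbix-agent-local.pp"
}

# Re-run the item with dontaudit rules disabled so masked denials are logged
# (the trap described in post #4), then rebuild the policy to restore them.
# $1 is the agent host to query (placeholder, assumed).
recheck_unmasked() {
    semodule -DB
    zabbix_get -s "$1" -k system.sw.packages >/dev/null 2>&1 || true
    ausearch -m AVC -ts recent 2>/dev/null | audit2allow
    semodule -B
}

# Stand-alone run: show the derived rules; build only where the tools exist.
avc_to_allow "$SAMPLE_AVC"
avc_to_allow "$SAMPLE_AVC_READ"
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_and_install
fi
```

After loading, `semodule -l | grep zabbix-agent-local` confirms the module is present and `sesearch -A -s zabbix_agent_t -t rpm_var_lib_t -c file` (setools) shows the granted permissions; if `zabbix_get` still fails, run recheck_unmasked so that any remaining denial hidden by a dontaudit rule appears in the audit log.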
