selinux and zabbix server

  • misch
    Junior Member
    • Jan 2010
    • 28

    #1

    selinux and zabbix server

    Hi,

    I have a fresh install of a zabbix server on CentOS 8.3. I installed zabbix 5.2 according to the docs. Now the zabbix-server does not start:
    type=AVC msg=audit(1615928981.861:41680): avc: denied { dac_override } for pid=68184 comm="zabbix_server" capability=1 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
    type=SYSCALL msg=audit(1615928981.861:41680): arch=c000003e syscall=21 success=no exit=-13 a0=55d036517e50 a1=6 a2=7fffe5d4d910 a3=0 items=1 ppid=1 pid=68184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server_pgsql" subj=system_u:system_r:zabbix_t:s0 key=(null) ARCH=x86_64 SYSCALL=access AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
    type=CWD msg=audit(1615928981.861:41680): cwd="/"
    type=PATH msg=audit(1615928981.861:41680): item=0 name="/var/run/zabbix" inode=84129 dev=00:18 mode=040755 ouid=993 ogid=496 rdev=00:00 obj=system_u:object_r:zabbix_var_run_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="zabbix" OGID="zabbix"



    I searched the internet for that selinux policy problem, but found nothing really useful.

    Any ideas here?
  • Avinasha
    Member
    • Jan 2018
    • 40

    #2
    Easiest solution is to disable selinux. It keeps troubling you every now and then


    • Jason
      Senior Member
      • Nov 2007
      • 430

      #3
      Originally posted by Avinasha
      Easiest solution is to disable selinux. It keeps troubling you every now and then
      I suggest not disabling it; learning how to add rules is the safest option. At the very simplest, you can use audit2allow on most systems to work out what is being blocked, or would be blocked if running in permissive mode, and then create rules to fix it before putting it back to enforcing again. Once you've got something working for what you're doing, you just need to replicate it on each server. Disabling selinux is turning off one of the best means of protecting your server, and especially if your zabbix server is open to the internet it's a good thing to have it as secure as possible.


      • cstackpole
        Senior Member
        Zabbix Certified Specialist
        • Oct 2006
        • 225

        #4
        Turning off SELinux is not only *NOT* the answer, it is terrible sys-admin advice.

        Fresh install of Zabbix 5.4 server on 8.3. As soon as I try to start Zabbix Server I get an error and `journalctl -xe` shows:

        SELinux is preventing /usr/sbin/zabbix_server_mysql from using the dac_override capability. For complete SELinux messages run: sealert -l c5b82c2d-e47f-4559-a027-04d23a73ecd7
        Running sealert shows:
        $ sealert -l c5b82c2d-e47f-4559-a027-04d23a73ecd7
        SELinux is preventing /usr/sbin/zabbix_server_mysql from using the dac_override capability.

        ***** Plugin dac_override (91.4 confidence) suggests **********************

        If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
        Then turn on full auditing to get path information about the offending file and generate the error again.
        Do

        Turn on full auditing
        # auditctl -w /etc/shadow -p w
        Try to recreate AVC. Then execute
        # ausearch -m avc -ts recent
        If you see PATH record check ownership/permissions on file, and fix it,
        otherwise report as a bugzilla.

        ***** Plugin catchall (9.59 confidence) suggests **************************

        If you believe that zabbix_server_mysql should have the dac_override capability by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do
        allow this access for now by executing:
        # ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
        # semodule -X 300 -i my-zabbixserver.pp


        Additional Information:
        Source Context system_u:system_r:zabbix_t:s0
        Target Context system_u:system_r:zabbix_t:s0
        Target Objects Unknown [ capability ]
        Source zabbix_server
        Source Path /usr/sbin/zabbix_server_mysql
        Port <Unknown>
        Host [removed]
        Source RPM Packages zabbix-server-mysql-5.4.0-8.el8.x86_64
        Target RPM Packages
        SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.4.noarch
        Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.4.noarch
        Selinux Enabled True
        Policy Type targeted
        Enforcing Mode Enforcing
        Host Name [removed]
        Platform Linux [removed] 4.18.0-240.22.1.el8.x86_64 #1
        SMP Mon Apr 12 04:29:16 UTC 2021 x86_64 x86_64
        Alert Count 44
        First Seen 2021-05-17 12:31:18 CDT
        Last Seen 2021-05-17 12:40:23 CDT
        Local ID c5b82c2d-e47f-4559-a027-04d23a73ecd7

        Raw Audit Messages
        type=AVC msg=audit(1621273223.968:96): avc: denied { dac_override } for pid=2154 comm="zabbix_server" capability=1 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0


        type=SYSCALL msg=audit(1621273223.968:96): arch=x86_64 syscall=access success=no exit=EACCES a0=55603fac0e40 a1=6 a2=7ffcde90f5c0 a3=0 items=0 ppid=1 pid=2154 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)

        Hash: zabbix_server,zabbix_t,zabbix_t,capability,dac_override
        $ ls -lhZ /usr/sbin/zabbix_server_mysql
        -rwxr-xr-x. 1 root root system_u:object_r:zabbix_exec_t:s0 5.5M May 14 06:49 /usr/sbin/zabbix_server_mysql
        Running the suggested ausearch command gives this:
        module my-zabbixserver 1.0;

        require {
        type zabbix_t;
        class capability dac_override;
        }

        #============= zabbix_t ==============
        allow zabbix_t self:capability dac_override;

        Then I ran the recommended semodule command (from the output above) but Zabbix Server still doesn't start after that. Had to run this command next:
        setsebool -P daemons_enable_cluster_mode 1
        Seems to be working now.


        • shred00
          Junior Member
          • Nov 2021
          • 7

          #5
          DAC_OVERRIDE is overly permissive here. The problem is the permissions of /run/zabbix. Details in ticket ZBXSEC-74. You can easily apply the changes that ticket suggests to your local installation and remove the DAC_OVERRIDE policy exception that you installed and return a bit more security to your system.


          • markfree
            Senior Member
            • Apr 2019
            • 868

            #6
            Documentation suggests adding some rules but they usually don't work for me.


            • shred00
              Junior Member
              • Nov 2021
              • 7

              #7
              Originally posted by markfree
              Documentation suggests adding some rules but they usually don't work for me.
              That's potentially because they don't address ZBXSEC-74. The solution to that issue is in the ticket. You need to change the permissions and group owner of the /run/zabbix directory so that the Zabbix server can write into it before it has dropped its EUID to the zabbix user.


              • cyber
                Senior Member
                Zabbix Certified Specialist, Zabbix Certified Professional
                • Dec 2006
                • 4807

                #8
                Well... we really cannot read that sec ticket... logged in or not.


                • shred00
                  Junior Member
                  • Nov 2021
                  • 7

                  #9
                  Originally posted by cyber
                  Well... we really cannot read that sec ticket... logged in or not.
                  Oh. I did not know that. That's a pity.

                  Anyway, from the ticket:

                  If you apply this patch:
                  Code:
                  --- /tmp/zabbix-server.conf 2021-11-30 11:34:14.000000000 -0500
                  +++ /usr/lib/tmpfiles.d/zabbix-server.conf 2021-11-30 11:34:27.750262510 -0500
                  @@ -1 +1 @@
                  -d /run/zabbix 0755 zabbix zabbix - -
                  +d /run/zabbix 0775 zabbix root - -
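                  Review bot: The `+++` target is the packaged file /usr/lib/tmpfiles.d/zabbix-server.conf, which a package update can overwrite, silently restoring the `0755 zabbix zabbix` line. systemd-tmpfiles gives a same-named file in /etc/tmpfiles.d precedence, so I would put the changed line `d /run/zabbix 0775 zabbix root - -` in /etc/tmpfiles.d/zabbix-server.conf instead. The hunk also only changes the definition: an existing /run/zabbix keeps its old mode and group until `systemd-tmpfiles --create` runs or the host reboots, which is worth stating next to the patch.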
                  to /usr/lib/tmpfiles.d/zabbix-server.conf it avoids these AVCs:
                  Code:
                  type=AVC msg=audit(1638288665.600:894332): avc: denied { dac_override } for pid=10506 comm="zabbix_server" capability=1 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
                  and Zabbix server will be allowed to start, with SELinux enabled and without having to apply an overly-permissive DAC_OVERRIDE policy to Zabbix server.

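Why the denial in post #1 occurs and why the tmpfiles.d change in post #9 removes it, as an added example that is not part of any post in the thread: it correlates the AVC, SYSCALL and PATH records by event serial and redoes the owner/group/other check that `access()` falls back to without CAP_DAC_OVERRIDE. The function names are illustrative, and it assumes one PATH item per event, no ACLs and no supplementary groups.

```python
import re

# Audit event from post #1, re-joined and trimmed to the fields used below.
EVENT = """\
type=AVC msg=audit(1615928981.861:41680): avc: denied { dac_override } for pid=68184 comm="zabbix_server" capability=1 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1615928981.861:41680): arch=c000003e syscall=21 success=no exit=-13 a0=55d036517e50 a1=6 items=1 pid=68184 uid=0 gid=0 euid=0 egid=0 comm="zabbix_server"
type=PATH msg=audit(1615928981.861:41680): item=0 name="/var/run/zabbix" inode=84129 mode=040755 ouid=993 ogid=496
"""

HEAD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM = re.compile(r"\{ (\w+) \}")

def parse(text):
    """Group records by event serial; assumes one record of each type per event."""
    events = {}
    for line in text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields["perm"] = (PERM.findall(line) or [None])[0]
        events.setdefault(head.group(2), {})[head.group(1)] = fields
    return events

def dac_allows(mode, ouid, ogid, uid, gid, want):
    """Owner/group/other check with no DAC capability, ACLs or supplementary groups."""
    shift = 6 if uid == ouid else 3 if gid == ogid else 0
    return ((mode >> shift) & 7 & want) == want

def diagnose(text, mode=None, ogid=None):
    """Redo the DAC check per dac_override denial; mode/ogid test a proposed fix."""
    results = []
    for ev in parse(text).values():
        avc, sc, path = ev.get("AVC"), ev.get("SYSCALL"), ev.get("PATH")
        if not (avc and sc and path) or avc["perm"] != "dac_override":
            continue
        if sc["syscall"] not in ("21", "access"):  # 21 = access on x86_64
            continue
        want = int(sc["a1"], 16)  # access() mask; audit logs args in hex
        m = int(path["mode"], 8) if mode is None else mode
        g = int(path["ogid"]) if ogid is None else ogid
        # access() checks the real uid/gid, i.e. uid= and gid= in SYSCALL
        ok = dac_allows(m, int(path["ouid"]), g, int(sc["uid"]), int(sc["gid"]), want)
        results.append((path["name"], want, ok))
    return results

if __name__ == "__main__":
    # As recorded (0755 zabbix:zabbix), then with 0775 and group root (gid 0)
    print(diagnose(EVENT), diagnose(EVENT, mode=0o775, ogid=0))
```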