Bug 1018221

Summary: zabbix-proxy runs as init_t
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Fixed In Version: selinux-policy-3.12.1-91.el7
Last Closed: 2014-06-13 09:33:28 UTC
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: mmalik
Bug Depends On: 877026
Bug Blocks: 848829

Description Milos Malik 2013-10-11 13:41:13 UTC
Description of problem:
# rpm -qla zabbix-proxy\* | grep sbin | xargs matchpathcon
/usr/sbin/zabbix_proxy	system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_mysql	system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_sqlite3	system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_pgsql	system_u:object_r:bin_t:s0
#

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-86.el7.noarch
selinux-policy-doc-3.12.1-86.el7.noarch
selinux-policy-minimum-3.12.1-86.el7.noarch
selinux-policy-mls-3.12.1-86.el7.noarch
selinux-policy-targeted-3.12.1-86.el7.noarch
zabbix-proxy-2.0.6-3.fc19.x86_64
zabbix-proxy-mysql-2.0.6-3.fc19.x86_64
zabbix-proxy-pgsql-2.0.6-3.fc19.x86_64
zabbix-proxy-sqlite3-2.0.6-3.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
# service zabbix-proxy status
Redirecting to /bin/systemctl status  zabbix-proxy.service
zabbix-proxy-mysql.service - Zabbix MySQL Proxy Agent
   Loaded: loaded (/usr/lib/systemd/system/zabbix-proxy-mysql.service; disabled)
   Active: inactive (dead)

Oct 08 23:35:26 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 08 23:35:28 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.
Oct 08 23:36:26 rhel70 systemd[1]: Starting Zabbix MySQL Proxy Agent...
Oct 08 23:36:26 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.
Oct 11 15:21:40 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 11 15:21:42 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.
Oct 11 15:21:45 rhel70 systemd[1]: Starting Zabbix MySQL Proxy Agent...
Oct 11 15:21:45 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.
Oct 11 15:30:51 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 11 15:30:53 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.
# service zabbix-proxy start
Redirecting to /bin/systemctl start  zabbix-proxy.service
# service zabbix-proxy status
Redirecting to /bin/systemctl status  zabbix-proxy.service
zabbix-proxy-mysql.service - Zabbix MySQL Proxy Agent
   Loaded: loaded (/usr/lib/systemd/system/zabbix-proxy-mysql.service; disabled)
   Active: active (exited) since Fri 2013-10-11 15:34:34 CEST; 1s ago
  Process: 21665 ExecStart=/usr/sbin/zabbix_proxy (code=exited, status=0/SUCCESS)
 Main PID: 21665 (code=exited, status=0/SUCCESS)

Oct 11 15:34:34 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.
# ps -efZ | grep zabbix
system_u:system_r:init_t:s0     zabbixs+ 21667     1  0 15:34 ?        00:00:00 /usr/sbin/zabbix_proxy
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21681 21542  0 15:34 pts/0 00:00:00 grep --color=auto zabbix
#

Actual results:
 * zabbix-proxy runs as init_t

Expected results:
 * zabbix-proxy runs in its own SELinux domain

Comment 1 Miroslav Grepl 2013-10-16 09:05:29 UTC
Ok, the question is how we should label it. Basically I believe we should stay just with zabbix_t for all zabbix services/agents.

Milos,
could you test it with zabbix_exec_t labeling?


commit b448ce2e0caeb2a6f0c8a673434bf58305bfcc55
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 16 11:04:23 2013 +0200

    Add labels for zabbix-proxy-* (#1018221)

Comment 2 Milos Malik 2013-10-16 10:38:28 UTC
When /usr/sbin/zabbix_proxy_mysql is labeled zabbix_exec_t, then "service zabbix-proxy start" triggers the following AVC in enforcing mode:

----
type=PATH msg=audit(10/16/2013 12:33:12.146:1372) : item=0 name=/sys/devices/system/cpu inode=33 dev=00:0f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/16/2013 12:33:12.146:1372) :  cwd=/ 
type=SYSCALL msg=audit(10/16/2013 12:33:12.146:1372) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x383d37c900 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=27495 pid=27496 auid=unset uid=zabbixsrv gid=zabbix euid=zabbixsrv suid=zabbixsrv fsuid=zabbixsrv egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) 
type=AVC msg=audit(10/16/2013 12:33:12.146:1372) : avc:  denied  { read } for  pid=27496 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

The same AVC appears in permissive mode too:

----
type=PATH msg=audit(10/16/2013 12:37:13.905:1390) : item=0 name=/sys/devices/system/cpu inode=33 dev=00:0f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/16/2013 12:37:13.905:1390) :  cwd=/ 
type=SYSCALL msg=audit(10/16/2013 12:37:13.905:1390) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffffffffffff9c a1=0x383d37c900 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=27657 auid=unset uid=zabbixsrv gid=zabbix euid=zabbixsrv suid=zabbixsrv fsuid=zabbixsrv egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) 
type=AVC msg=audit(10/16/2013 12:37:13.905:1390) : avc:  denied  { read } for  pid=27657 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
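To read the two events above the way a policy maintainer would, here is an added example (not code from the bug or from selinux-policy) that pairs each AVC record with the SYSCALL record of the same audit event, so the enforcing-mode denial (success=no) and the permissive-mode one (success=yes) can be told apart, and prints the minimal allow rule each would need. The sample log is a constructed, abbreviated copy of the records quoted in this comment.

```python
import re

# Constructed sample, abbreviated from the two audit events quoted above:
# event 1372 was logged in enforcing mode, event 1390 in permissive mode.
AUDIT_LOG = """\
type=SYSCALL msg=audit(10/16/2013 12:33:12.146:1372) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) pid=27496 comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0
type=AVC msg=audit(10/16/2013 12:33:12.146:1372) : avc:  denied  { read } for  pid=27496 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(10/16/2013 12:37:13.905:1390) : arch=x86_64 syscall=openat success=yes exit=4 pid=27657 comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0
type=AVC msg=audit(10/16/2013 12:37:13.905:1390) : avc:  denied  { read } for  pid=27657 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([^)]*)\)")
AVC_RE = re.compile(r"denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)")


def parse_denials(log):
    """Pair each AVC record with the SYSCALL record of the same audit event.
    'success=no' on the SYSCALL means the kernel blocked the call (enforcing);
    'success=yes' means it was only logged (permissive mode or domain)."""
    events = {}
    for line in log.splitlines():
        m = RECORD_RE.search(line)
        if m:  # records of one event share the msg=audit(...) id
            events.setdefault(m.group(2), {})[m.group(1)] = line
    denials = []
    for event_id, records in events.items():
        avc = AVC_RE.search(records.get("AVC", ""))
        if not avc:
            continue
        perms, scontext, tcontext, tclass = avc.groups()
        denials.append({
            "event": event_id,
            "perms": perms.split(),
            "stype": scontext.split(":")[2],   # type field, e.g. zabbix_t
            "ttype": tcontext.split(":")[2],   # type field, e.g. sysfs_t
            "tclass": tclass,
            "enforced": "success=no" in records.get("SYSCALL", ""),
        })
    return denials


def allow_rule(denial):
    """Minimal TE rule that would permit the denial (audit2allow style)."""
    return "allow %s %s:%s { %s };" % (denial["stype"], denial["ttype"],
                                       denial["tclass"], " ".join(denial["perms"]))


if __name__ == "__main__":
    for d in parse_denials(AUDIT_LOG):
        print(d["event"], "blocked" if d["enforced"] else "permissive", allow_rule(d))
```

The rule printed for both events is the same (allow zabbix_t sysfs_t:dir { read };), which is the access Comment 3 says the zabbix_domain attribute provides.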

Comment 3 Miroslav Grepl 2013-10-16 11:23:55 UTC
Which is going to be fixed with the zabbix_domain attribute.

Comment 6 Miroslav Grepl 2013-10-18 12:05:54 UTC
Are you able to reproduce it? Basically this is probably caused by a restart of these services, or

# ps -eZ |grep init_t

Comment 7 Milos Malik 2013-10-18 12:54:27 UTC
You're right, there was a zabbix_proxy process running as init_t.
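The check suggested in Comment 6, as an added example that is not part of the bug: a process started before its binary was relabeled keeps its old domain (here init_t) until the service is restarted, so the script below compares each process's domain type from ps -efZ output against the domain its executable is expected to run in. The ps listing is a constructed sample modelled on the one in the description, and the expected-domain map is an assumption for illustration.

```python
import re

# Constructed sample of `ps -efZ` output, modelled on the bug description:
# one zabbix_proxy still in init_t, one already confined in zabbix_t.
PS_OUTPUT = """\
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 15:00 ?        00:00:00 /usr/lib/systemd/systemd
system_u:system_r:init_t:s0     zabbixs+ 21667     1  0 15:34 ?        00:00:00 /usr/sbin/zabbix_proxy
system_u:system_r:zabbix_t:s0   zabbixs+ 21800     1  0 15:40 ?        00:00:00 /usr/sbin/zabbix_proxy_mysql
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21681 21542  0 15:34 pts/0 00:00:00 grep zabbix
"""

# Assumed map of daemon binary -> domain it should run in (per Comment 1, zabbix_t).
EXPECTED = {"/usr/sbin/zabbix_proxy": "zabbix_t",
            "/usr/sbin/zabbix_proxy_mysql": "zabbix_t"}

# LABEL UID PID PPID C STIME TTY TIME CMD (ps -efZ column layout)
PS_RE = re.compile(r"^(\S+)\s+\S+\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def stale_domains(ps_output, expected=EXPECTED):
    """Return (pid, exe, actual_type, expected_type) for each process whose
    executable has a confined domain but which is running in another one,
    typically init_t because it started before the binary was relabelled."""
    stale = []
    for line in ps_output.splitlines()[1:]:   # skip the header row
        m = PS_RE.match(line)
        if not m:
            continue
        label, pid, cmd = m.groups()
        exe = cmd.split()[0]
        want = expected.get(exe)
        actual = label.split(":")[2]          # type field of the context
        if want and actual != want:
            stale.append((int(pid), exe, actual, want))
    return stale


if __name__ == "__main__":
    for pid, exe, actual, want in stale_domains(PS_OUTPUT):
        print("pid %d %s runs as %s, expected %s: restart the service" % (pid, exe, actual, want))
```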

Comment 9 Ludek Smid 2014-06-13 09:33:28 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.