Bug 1032691
| Summary: | [selinux policy] Zabbix agent monitoring access denied | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kenny Woodson <kwoodson> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.0 | CC: | admiller, andrew, bugzilla, charles_sheridan, dwalsh, eparis, fabian.arrotin, jarlebo, jhonce, jtrowbri, klein.rfk, lucas.yamanishi, lvrabec, mdavis, mfojtik, mgrepl, mmalik, nicholas_schuetz, okun.sa, rene, ssekidde, thelan, timp87, tis, ts, volker27, wesley.schaft | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-251.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1034076 1039851 (view as bug list) | Environment: | ||
| Last Closed: | 2014-10-14 07:58:04 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1038237 | |||
| Bug Blocks: | 1034076, 1039851 | |||
Looks like the zabbix agent is trying to open name=/sys/devices/system/cpu/online. Is this expected? Probably is a simple policy fix when mgrepl gets back next week...

Basically we need to update the zabbix policy by
$ cat myzabbix.te
policy_module(myzabbix, 1.0)
require{
type zabbix_agent_t;
}
domain_read_all_domain_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t))
(In reply to Miroslav Grepl from comment #3)
> Basically we need to update the zabbix policy by
>
> $ cat myzabbix.te
> policy_module(myzabbix, 1.0)
>
> require{
> type zabbix_agent_t;
> }
>
> domain_read_all_domain_state(zabbix_agent_t)
> dev_read_sysfs(zabbix_agent_t))

$ cat myzabbix.te
policy_module(myzabbix, 1.0)
require{
type zabbix_agent_t;
}
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)

After using this code we still have such errors:
type=AVC msg=audit(1386334625.138:81637): avc: denied { read } for pid=4570 comm="zabbix_agentd" name="dev" dev=proc ino=4026531981 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1386334625.138:81637): arch=c000003e syscall=2 success=no exit=-13 a0=42e286 a1=0 a2=1b6 a3=0 items=0 ppid=4565 pid=4570 auid=503 uid=494 gid=496 euid=494 suid=494 fsuid=494 egid=496 sgid=496 fsgid=496 tty=(none) ses=3033 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)
I think it's our custom items from /proc/diskstats.
Ok, you need to update to
$ cat myzabbix.te
policy_module(myzabbix, 1.0)
require{
type zabbix_agent_t;
}
kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
We ran this on our zabbix server as it requires the use of fping in order to perform agent checks correctly.
Miroslav recommended this latest version in our conversation over IRC. The zabbix_t, zabbix_tmp_t, and ping_t changes are specifically for the zabbix server.
$ cat /usr/share/selinux/devel/myzabbix.te
policy_module(myzabbix, 1.0)
require{
type zabbix_agent_t;
type zabbix_t;
type ping_t;
type zabbix_tmp_t;
}
allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };
kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
Just to add that zabbix_agent_t also needs network access when using the net.tcp.service zabbix item (network port check), so I modified the previous .te like this:
policy_module(zabbix-fix, 1.0)
require{
type zabbix_agent_t;
type zabbix_t;
type ping_t;
type zabbix_tmp_t;
}
allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };
kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
corenet_tcp_connect_all_ports(zabbix_agent_t)
I still have the below errors.
/usr/lib/zabbix/externalscripts is a default path of Zabbix's official RPM.
type=AVC msg=audit(1387044005.378:268): avc: denied { search } for pid=1989 comm="zabbix_server" name="/" dev="dm-9" ino=2 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1387044119.822:292): avc: denied { execute } for pid=3876 comm="sh" name="sendmail.postfix" dev="dm-0" ino=12139 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1387045941.87:391): avc: denied { execute_no_trans } for pid=6774 comm="sh" path="/usr/lib/zabbix/externalscripts/ssl-cert-check.sh" dev="dm-0" ino=24391 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1387045941.131:392): avc: denied { getattr } for pid=6788 comm="which" path="/bin/mailx" dev="dm-0" ino=39097 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Where "official" is what zabbix.com ships. They are not following packaging guidelines. Are all these AVC msgs caused by these scripts?

/usr/lib/zabbix/externalscripts

Note: Fedora zabbix and epel6 zabbix20 point to /var/lib/zabbix/externalscripts

I've seen the conf/zabbix_server.conf in the latest source code. There is no indicated value for ExternalScripts. I think the added value into Zabbix SIA's RPM (zabbix-server-2.2.1-1.el6.x86_64.rpm), /usr/lib/externalscripts is not good. That means this would be Zabbix SIA's RPM issue, not selinux-policy.
sendmail_exec_t:file { getattr } was called from /usr/lib/zabbix/externalscripts/ssl-cert-check.sh. Please ignore it.
home_root_t:dir { search } and sendmail_exec_t:file { execute } are not related to /usr/lib/zabbix/externalscripts. The occurrence times are different from the /usr/lib/externalscripts one.
Well, they are using a pseudo-placeholder there, but it's commented out:
# ExternalScripts=${datadir}/zabbix/externalscripts
However, server and proxy use a hardcoded
CONFIG_EXTERNALSCRIPTS = zbx_strdup(CONFIG_EXTERNALSCRIPTS, DATADIR "/zabbix/externalscripts");
The Fedora/EPEL packages have the same hard-coded values, but override them in the configuration files. As you already concluded, this is not a SELinux issue.
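To show how the AVC records quoted in this thread map onto the interfaces in the .te modules above, here is an added Python triage script (not part of the bug report or of selinux-policy). The sample lines are copied from the comments in this bug; the interface table holds only the two mappings the thread settled on, and any other denial falls back to a raw allow rule in the style of audit2allow, for review by hand.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the comments in this bug, plus
# one abridged SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1384958943.607:419881): avc: denied { read } for pid=432528 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1384958943.607:419881): arch=c000003e syscall=2 success=no exit=-13 comm="zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)',
    'type=AVC msg=audit(1386334625.138:81637): avc: denied { read } for pid=4570 comm="zabbix_agentd" name="dev" dev=proc ino=4026531981 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1387044005.378:268): avc: denied { search } for pid=1989 comm="zabbix_server" name="/" dev="dm-9" ino=2 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
]

# Fields of an AVC record: permissions, source domain, target type, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)')

# (target type, class) -> refpolicy interface the thread settled on.
INTERFACE_FOR = {
    ("sysfs_t", "file"): "dev_read_sysfs",
    ("proc_net_t", "file"): "kernel_read_network_state",
}

def parse_avc(line):
    """Return (source domain, target type, class, perms), or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return m["sdom"], m["ttype"], m["tclass"], frozenset(m["perms"].split())

def triage(lines):
    """Merge denials per (source domain, target type, class) into one perm set."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            sdom, ttype, tclass, perms = parsed
            groups[(sdom, ttype, tclass)] |= perms
    return dict(groups)

def suggest(groups):
    """Emit one .te line per group: the known interface, else a raw allow rule to review."""
    lines = []
    for (sdom, ttype, tclass), perms in sorted(groups.items()):
        iface = INTERFACE_FOR.get((ttype, tclass))
        if iface:
            lines.append(f"{iface}({sdom})")
        else:
            lines.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines
```

Feed it the output of `ausearch -m avc` and compare the raw allow rules it emits against the interfaces in /usr/share/selinux/devel/include before pasting anything into a module.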
*** Bug 1059979 has been marked as a duplicate of this bug. ***

We need to back port

https://github.com/selinux-policy/selinux-policy/commit/292def232e596b16cb239c9dcfca3b495e1a2439
https://github.com/selinux-policy/selinux-policy/commit/d67527f304a03a777cac6c226da6cd8d5ba738b4

back ported.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Description of problem:
We updated to RHEL 6.5 in our integration environment. We noticed that the zabbix user which monitors openshift was incorrectly reporting on some of the simple items of process watching. Upon further investigation we noticed selinux denials in the audit log.

type=AVC msg=audit(1384958942.913:419876): avc: denied { read } for pid=432525 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384958942.913:419876): arch=c000003e syscall=2 success=no exit=-13 a0=30005592b8 a1=80000 a2=1fffea55624b a3=2 items=1 ppid=432522 pid=432525 auid=641 uid=428 gid=426 euid=428 suid=428 fsuid=428 egid=426 sgid=426 fsgid=426 tty=(none) ses=3034 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)
type=CWD msg=audit(1384958942.913:419876): cwd="/"
type=PATH msg=audit(1384958942.913:419876): item=0 name="/sys/devices/system/cpu/online" inode=23 dev=00:00 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1384958943.149:419877): user pid=432972 uid=0 auid=0 ses=3165 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="527aff0703ef64932f0000bf" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1384958943.149:419878): user pid=432972 uid=0 auid=0 ses=3165 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="527aff0703ef64932f0000bf" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1384958943.166:419879): user pid=432844 uid=0 auid=0 ses=3165 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1384958943.166:419880): user pid=432844 uid=0 auid=0 ses=3165 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1384958943.607:419881): avc: denied { read } for pid=432528 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384958943.607:419881): arch=c000003e syscall=2 success=no exit=-13 a0=30005592b8 a1=80000 a2=1fffea55624b a3=2 items=1 ppid=432522 pid=432528 auid=641 uid=428 gid=426 euid=428 suid=428 fsuid=428 egid=426 sgid=426 fsgid=426 tty=(none) ses=3034 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)

Version-Release number of selected component (if applicable):
2.0.36

How reproducible:
Every time.

Steps to Reproduce:
1. Upgrade a host to rhel 6.5.
2. Check the /var/log/audit.log to see denial messages for zabbix.

Actual results:
Errors seen.

Expected results:
This should work.

Additional info:
I believe the zabbix_agent_t does not have access to the openshift_t label.

On a side note, I saw this specifically when restarting the zabbix agent process:

[root zabbix]# /etc/init.d/zabbix-agent restart
Shutting down ZABBIX agent: [ OK ]
Starting ZABBIX agent: zabbix_agentd [465870]: /etc/zabbix/zabbix_agentd.d: [13] Permission denied
[ OK ]
-----
Notice the permission denied. This is probably related.