Bug 1147706

Summary: RFE: Boolean to allow zabbix to run sudo
Product: Red Hat Enterprise Linux 6
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: unspecified
Version: 6.5
CC: charles_sheridan, dwalsh, mmalik, ssekidde
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Story Points: ---
Last Closed: 2014-11-30 03:27:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Orion Poplawski 2014-09-29 22:48:09 UTC
Description of problem:

In order to enable zabbix to monitor LVM thin pool usage, I needed to allow it to run lvs via sudo:

UserParameter=vfs.dev.lvm[*],/usr/bin/sudo -u root /sbin/lvs --noheadings -o $2 $1

This however was blocked by SELinux.  This seems to make it work:

module zabbix_sudo 1.0;

require {
        type sudo_exec_t;
        type zabbix_agent_t;
        class file { execute execute_no_trans };
}
#
##============= zabbix_agent_t ==============
allow zabbix_agent_t sudo_exec_t:file execute_no_trans;
allow zabbix_agent_t sudo_exec_t:file execute;

Perhaps a boolean similar to the zoneminder_run_sudo boolean could be added for this?

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-251.el6.noarch

Others are trying to do this as well: http://serverfault.com/questions/617696/selinux-blocking-sudo-from-zabbix-agentd

Comment 2 Milos Malik 2014-10-01 06:35:45 UTC
# rpm -qa selinux-policy\*
selinux-policy-mls-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch
selinux-policy-doc-3.7.19-260.el6.noarch
selinux-policy-minimum-3.7.19-260.el6.noarch
selinux-policy-3.7.19-260.el6.noarch
# sesearch -s zabbix_agent_t -t sudo_exec_t -c file -A -C
Found 4 semantic av rules:
   allow zabbix_agent_t file_type : file getattr ; 
   allow zabbix_agent_t exec_type : file { ioctl read getattr lock open } ; 
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ; 
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]

#

The selinux-policy packages present in RHEL-6.6 fix the problem. Please see BZ#1081038.
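As an added check (not part of the bug report or of the selinux-policy package), the following Python parser reads the sesearch output quoted above and works out which of the permissions the reporter's zabbix_sudo module grants (execute and execute_no_trans on sudo_exec_t) are already covered by the listed rules. Attribute membership (which types belong to file_type, exec_type and files_unconfined_type) is an assumption embedded in the code; on a real host it would be taken from seinfo.

```python
import re
# Constructed sample: the `sesearch -s zabbix_agent_t -t sudo_exec_t -c file -A -C`
# output quoted in comment 2 of this bug.
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow zabbix_agent_t file_type : file getattr ;
   allow zabbix_agent_t exec_type : file { ioctl read getattr lock open } ;
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]
"""

# Assumed attribute membership; on a real host this comes from `seinfo -a<attribute> -x`.
ATTRIBUTES = {
    "file_type": {"sudo_exec_t"},
    "exec_type": {"sudo_exec_t"},
    "files_unconfined_type": set(),  # zabbix_agent_t is confined, so not a member
}

# Optional `-C` prefix: D/E = rule disabled/enabled, T/F = true/false branch of the boolean.
RULE_RE = re.compile(
    r"^(?:(?P<flags>[DE][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*(?:\[\s*(?P<cond>[^\]]*)\])?"
)

def parse_sesearch(text):
    """Return one dict per allow rule; header lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "source": m["src"], "target": m["tgt"], "tclass": m["cls"],
            "perms": frozenset((m["perms"] or m["perm"]).split()),
            "enabled": (m["flags"] or "E").startswith("E"),
            "boolean": m["cond"].strip() if m["cond"] else None,
        })
    return rules

def covers(name, concrete):
    # A rule operand matches a type directly or via an attribute the type belongs to.
    return name == concrete or concrete in ATTRIBUTES.get(name, set())

def granted_perms(rules, source, target, tclass):
    """Union of permissions that enabled rules give `source` on `target`:`tclass`."""
    return {p for r in rules if r["enabled"] and r["tclass"] == tclass
            and covers(r["source"], source) and covers(r["target"], target) for p in r["perms"]}

def missing_perms(rules, needed, source, target, tclass):
    return set(needed) - granted_perms(rules, source, target, tclass)
```

Run against the quoted output, `missing_perms` reports exactly execute and execute_no_trans: the files_unconfined_type rules carry those permissions but do not apply to a confined domain such as zabbix_agent_t, which is why the reporter's two allow rules were needed on the -251 policy.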

Comment 3 Orion Poplawski 2014-10-03 18:47:47 UTC
Can't see BZ#1081038 - not authorized.  But thanks for the update.

Comment 4 Simon Sekidde 2014-11-01 20:07:01 UTC
(In reply to Orion Poplawski from comment #3)
> Can't see BZ#1081038 - not authorized.  But thanks for the update.

Orion,

Can you verify with the latest RHEL6-6 policy?

https://rhn.redhat.com/errata/RHBA-2014-1568.html

Comment 5 Orion Poplawski 2014-11-03 22:39:13 UTC
Yes, appears to be working fine with -260.  Thanks.