Bug 1244009
| Summary: | zabbix icmpping check triggers fping avc denial | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Orion Poplawski <orion> |
| Component: | zabbix22 | Assignee: | Volker Fröhlich <volker27> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | epel7 | CC: | brett.lentz, dan, lvrabec, mmalik, nelsonab, orion, plautrba, pvrabec, rhbz, ssekidde, volker27 |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-21 01:57:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1393066 | ||
Still present in selinux-policy-3.13.1-60.el7_2.3.noarch This is pretty easy to work around: sudo install -d -o zabbixsrv -g zabbixsrv -m 750 /var/tmp/zabbixsrv sudo chcon -u system_u -t zabbix_tmp_t /var/tmp/zabbixsrv sed -i.bak -E 's@^(#\s*)?TmpDir=.*@TmpDir=/var/tmp/zabbixsrv@' /etc/zabbix_server.conf The problem is fping runs in the ping_t domain, which has access to read/write files labeled zabbix_tmp_t but not zabbix_var_lib_t. Changing Zabbix to use a different directory with the correct label solves the problem. I see it more like issue with the zabbix package. There is a workaround or you can ship own local SELinux policy to fix this issue.
# cat pingzabbix.te
policy_module(pingzabbix, 1.0)
require {
type ping_t;
type zabbix_var_lib_t;
}
read_files_pattern(ping_t, zabbix_var_lib_t, zabbix_var_lib_t)
and run
# make -f /usr/share/selinux/devel/Makefile pingzabbix.pp
# semodule -i pingzabbix.pp
Thank you for your report.
Thanks. I've filed bug #1331591 against zabbix. I agree that the root of the problem is in the zabbix package, and that it is using the wrong location for its temporary directory. The solution cannot be completely implemented in the package, though, because even if the temporary directory is changed to /var/tmp/zabbixsrv, it will still not be labeled correctly. The policy needs at the very least a new default context and file transition to ensure the temporary directory gets labeled zabbix_tmp_t. Don't we still need selinux-policy to provide the proper default label for /var/tmp/zabbixsrv as is done with /var/tmp/abrt? It looks like the default label applied to /var/tmp/zabbixsrv is user_tmp_t, which has the proper rights per policy:
[root@c7-6000f4 ~]# sesearch -AC -s ping_t -t user_tmp_t -c file
Found 2 semantic av rules:
allow application_domain_type user_tmp_t : file { ioctl read write getattr lock append } ;
allow domain tmpfile : file { ioctl read getattr lock append } ;
That said, I do think it is more semantically correct to have /var/tmp/zabbixsrv labeled zabbix_tmp_t.
How is var/tmp/zabbixsrv created? That's a good question - at the moment it isn't but I think the proper way would be via systemd's tmpfiles facility. zabbix22 has been retired. |
Description of problem: In permissive: type=AVC msg=audit(1437080406.462:3394): avc: denied { read } for pid=8865 comm="fping" path="/var/lib/zabbixsrv/tmp/zabbix_server_7310.pinger" dev="dm-3" ino=67150564 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=file type=AVC msg=audit(1437080406.464:3395): avc: denied { getattr } for pid=8865 comm="fping" path="/var/lib/zabbixsrv/tmp/zabbix_server_7310.pinger" dev="dm-3" ino=67150564 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=file In enforcing I also see: type=AVC msg=audit(1437080351.171:3362): avc: denied { read } for pid=8811 comm="fping6" path="/var/lib/zabbixsrv/tmp/zabbix_server_7310.pinger" dev="dm-3" ino=67150564 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=file Version-Release number of selected component (if applicable): zabbix22-server-2.2.9-1.el7.noarch selinux-policy-3.13.1-24.el7.noarch How reproducible: Everything Steps to Reproduce: 1. Configure host with icmpping[] check in zabbix.