Bug 1488191
| Summary: | SELinux is preventing sh from 'read, open' accesses on the file /usr/bin/sudo | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Feigelman Evgeny <namlegief> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-06-26 12:08:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I believe it's fixed already:
# rpm -qa selinux-policy\*
selinux-policy-devel-3.13.1-204.el7.noarch
selinux-policy-doc-3.13.1-204.el7.noarch
selinux-policy-mls-3.13.1-204.el7.noarch
selinux-policy-targeted-3.13.1-204.el7.noarch
selinux-policy-3.13.1-204.el7.noarch
selinux-policy-sandbox-3.13.1-204.el7.noarch
selinux-policy-minimum-3.13.1-204.el7.noarch
# sesearch -s zabbix_t -t sudo_exec_t -c file -A -C
Found 1 semantic av rules:
DT allow zabbix_t sudo_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ; [ zabbix_run_sudo ]
#
*** This bug has been marked as a duplicate of bug 1347052 ***
Description of problem:
Some Zabbix functions aren't working.

Version-Release number of selected component (if applicable):
3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
selinux-policy-3.13.1-102.el7_3.16.noarch
Zabbix 3.2

How reproducible:

Steps to Reproduce:
1. Enter Zabbix
2. Choose 1 host from Last 20 Issues
3. Left click, in scripts choose traceroute.

Actual results:
Traceroute
/bin/traceroute 192.168.1.1 (Any address)
sh: /bin/traceroute: Permission denied

Expected results:
Traceroute Succeeded

Additional info:
Sep 4 18:21:18 zabbix python: SELinux is preventing sh from 'read, open' accesses on the file /usr/bin/sudo.#012#012***** Plugin catchall (100. confidence) suggests ************************** #012#012If you believe that sh should be allowed read open access on the sudo file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sh' --raw | audit2allow -M my-sh#012# semodule -i my-sh.pp#012

When I try to generate a local policy with:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
I get this error:
libsepol.sepol_string_to_security_class: unrecognized class file
****

SELinux is preventing sh from 'read, open' accesses on the file /usr/bin/sudo.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sh should be allowed read open access on the sudo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:zabbix_t:s0
Target Context                system_u:object_r:sudo_exec_t:s0
Target Objects                /usr/bin/sudo [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          zabbix.localdomain
Source RPM Packages
Target RPM Packages           sudo-1.8.6p7-23.el7_3.x86_64
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zabbix.localdomain
Platform                      Linux zabbix.localdomain 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-09-04 10:31:04 IDT
Last Seen                     2017-09-04 18:21:14 IDT
Local ID                      9e7a1779-af5a-4465-bee6-e292337b5a2e

Raw Audit Messages
type=AVC msg=audit(1504538474.454:112): avc: denied { read open } for pid=2757 comm="sh" path="/usr/bin/sudo" dev="dm-0" ino=50778896 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

Hash: sh,zabbix_t,sudo_exec_t,file,read,open
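
The AVC record from the description and the `sesearch -A -C` rule from the duplicate-closure comment can be matched mechanically to tell a missing rule apart from a rule that exists but is switched off by a boolean. The following is an added example, not part of the original report or of any Red Hat tooling; the function names are hypothetical, and it assumes the rule names the types directly and is gated by a single boolean, as in the output quoted in this report.

```python
import re

# Both records are copied from this bug report (line-wrap damage in tcontext repaired).
AVC = ('type=AVC msg=audit(1504538474.454:112): avc: denied { read open } for '
       'pid=2757 comm="sh" path="/usr/bin/sudo" dev="dm-0" ino=50778896 '
       'scontext=system_u:system_r:zabbix_t:s0 '
       'tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file')
SESEARCH = ('DT allow zabbix_t sudo_exec_t : file { ioctl read getattr lock map '
            'execute execute_no_trans open } ; [ zabbix_run_sudo ]')

RULE_RE = re.compile(r'\s*(?:([ED])([TF])\s+)?allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*'
                     r'\{([^}]*)\}\s*;\s*(?:\[\s*(.+?)\s*\])?')

def parse_avc(line):
    """Return source type, target type, class and denied permissions of an AVC record."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not denied:
        raise ValueError('not an AVC denial')
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:level, so the type is the third field.
    return {'source': kv['scontext'].split(':')[2],
            'target': kv['tcontext'].split(':')[2],
            'tclass': kv['tclass'], 'perms': set(denied.group(1).split())}

def parse_rule(line):
    """Parse one allow rule as printed by `sesearch -A -C` in this report."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError('not an allow rule')
    state, branch, src, tgt, cls, perms, cond = m.groups()
    # First flag: E(nabled)/D(isabled) now. Second flag: T(rue)/F(alse) branch.
    return {'source': src, 'target': tgt, 'tclass': cls, 'perms': set(perms.split()),
            'enabled': state != 'D', 'branch': branch, 'condition': cond}

def triage(avc_line, rule_lines):
    """Classify a denial as ('allowed'|'boolean'|'no-rule', boolean name, value)."""
    avc = parse_avc(avc_line)
    for rule in map(parse_rule, rule_lines):
        same = all(rule[k] == avc[k] for k in ('source', 'target', 'tclass'))
        if not (same and avc['perms'] <= rule['perms']):
            continue
        if rule['enabled']:
            return ('allowed', None, None)
        # A disabled rule in the true branch needs its boolean on, and vice versa.
        return ('boolean', rule['condition'], 'on' if rule['branch'] == 'T' else 'off')
    return ('no-rule', None, None)

if __name__ == '__main__':
    print(triage(AVC, [SESEARCH]))  # ('boolean', 'zabbix_run_sudo', 'on')
```

The rule line comes from the selinux-policy-3.13.1-204 packages listed in the comment; if `sesearch` returns nothing on the installed policy, the same call yields `no-rule`.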