Bug 1683820

Summary: SELinux denied create sock for zabbix_server
Product: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Reopened
Reporter: Gwyn Ciesla <gwync>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, guard43ru, lvrabec, mmalik, nberrehouc, nknazeko, plautrba, ssekidde, vmojzis, volker27, zpytela
Fixed In Version: selinux-policy-3.14.4-8.fc31 selinux-policy-3.14.4-50.fc31
Doc Type: If docs needed, set a value
Clone Of: 1658352
Bug Depends On: 1658352
Last Closed: 2020-04-02 09:54:25 UTC
Attachments: Sealerts details

Description Gwyn Ciesla 2019-02-27 21:51:32 UTC
+++ This bug was initially created as a clone of Bug #1658352 +++

Description of problem:
zabbix-server can't start:
cat /var/log/zabbix/zabbix_server.log | grep "Cannot bind socket"
cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.
cannot start alert manager service: Cannot bind socket to "/var/run/zabbix/zabbix_server_alerter.sock": [13] Permission denied.

cat /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1544546167.438:8697): avc:  denied  { create } for  pid=18048 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1544546167.442:8698): avc:  denied  { create } for  pid=18049 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0

Bug on zabbix bug-tracker
https://support.zabbix.com/browse/ZBX-14626

require {
type zabbix_var_run_t;
type zabbix_t;
class sock_file { create unlink };
class unix_stream_socket connectto;
}

Comment 1 Lukas Vrabec 2019-02-28 09:56:03 UTC
commit 45d56256d411d9b6f205a10cc100c8c2171c4dc2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 28 10:00:36 2019 +0100

    Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)

Comment 2 Gwyn Ciesla 2019-02-28 14:27:45 UTC
Thank you! When might this find its way into rawhide?

Comment 3 Lukas Vrabec 2019-02-28 14:43:21 UTC
Hi, 

It should be part of the rawhide in next days or one week.

Comment 4 Gwyn Ciesla 2019-02-28 14:52:12 UTC
Thank you!

Comment 5 Gwyn Ciesla 2019-03-13 15:29:20 UTC
-51 doesn't seem to fix this issue, unless I set the context of the tmp dir and the socket files to system_u:object_r:zabbix_var_run_t:s0. Should this be done in the zabbix package or is an update to selinux-policy required?

Comment 6 Gwyn Ciesla 2019-03-13 15:32:04 UTC
Oh, even that doesn't fix it completely. :/

Comment 7 Gwyn Ciesla 2019-04-08 14:14:56 UTC
This release doesn't resolve the zabbix problem.

Comment 8 Zdenek Pytela 2019-04-08 14:27:49 UTC
Gwyn,

I can confirm the permission from the bug description is present in the latest build:

# sesearch -A -s zabbix_t -t zabbix_var_run_t -c sock_file -p create
allow zabbix_t zabbix_var_run_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.14.4-8.fc31.noarch

Could you please share the AVC denials you have on your system, preferably making the zabbix_t domain permissive first?

semanage permissive -a zabbix_t
<reproduce the issue>
semanage permissive -d zabbix_t
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Comment 9 Gwyn Ciesla 2019-04-08 15:18:12 UTC
sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=AVC msg=audit(04/08/2019 10:10:41.937:2426280) : avc:  denied  { getattr } for  pid=13772 comm=httpd path=/opt/r5/trac/trac/cgi-bin/trac.wsgi dev="md0" ino=209453539 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:10:41.937:2426281) : avc:  denied  { read } for  pid=13772 comm=httpd name=trac.wsgi dev="md0" ino=209453539 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:10:41.937:2426282) : avc:  denied  { open } for  pid=13772 comm=httpd path=/opt/r5/trac/trac/cgi-bin/trac.wsgi dev="md0" ino=209453539 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:10:41.940:2426283) : avc:  denied  { write } for  pid=13772 comm=httpd name=trac.db dev="md0" ino=209453392 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:10:41.941:2426284) : avc:  denied  { lock } for  pid=13772 comm=httpd path=/opt/r5/trac/trac/astblick/db/trac.db dev="md0" ino=209453392 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:11:11.408:2426285) : avc:  denied  { lock } for  pid=13772 comm=httpd path=/opt/r5/trac/trac/astblick/db/trac.db dev="md0" ino=209453392 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:11:11.408:2426286) : avc:  denied  { getattr } for  pid=13772 comm=httpd path=/opt/r5/trac/trac/astblick/db/trac.db dev="md0" ino=209453392 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 
----
type=USER_AVC msg=audit(04/08/2019 10:13:24.256:2426309) : pid=784 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/08/2019 10:14:41.298:2426319) : pid=784 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=10)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/08/2019 10:15:53.233:2426329) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/08/2019 10:15:53.233:2426330) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=10)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(04/08/2019 10:16:01.803:2426341) : avc:  denied  { write } for  pid=30306 comm=zabbix_server name=zabbix_server_alerter.sock dev="sda3" ino=6955140 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:16:02.004:2426342) : avc:  denied  { unlink } for  pid=30332 comm=zabbix_server name=zabbix_server_alerter.sock dev="sda3" ino=6955140 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:16:02.013:2426343) : avc:  denied  { create } for  pid=30332 comm=zabbix_server name=zabbix_server_alerter.sock scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(04/08/2019 10:16:02.019:2426344) : avc:  denied  { connectto } for  pid=30336 comm=zabbix_server path=/var/lib/zabbixsrv/tmp/zabbix_server_preprocessing.sock scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(04/08/2019 10:16:07.115:2426351) : avc:  denied  { write } for  pid=30321 comm=zabbix_server name=zabbix_server_preprocessing.sock dev="sda3" ino=6955042 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=USER_AVC msg=audit(04/08/2019 10:17:24.976:2426359) : pid=784 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

Comment 10 Gwyn Ciesla 2019-04-26 15:12:29 UTC
Still a problem with 4.2.1.

Comment 11 Ben Cotton 2019-08-13 17:05:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 12 Ben Cotton 2019-08-13 19:25:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 13 Nikola Knazekova 2019-09-03 15:24:55 UTC
Hi Gwyn,
in the first AVC messages, there is a problem with the wrong context on the objects: "admin_home_t". Files created in /root(/.*)? have the context admin_home_t, and when they are moved to another directory, the SELinux label stored in the extended attribute will not change.
SELinux by default denies the httpd process access to files with the label admin_home_t. So the wrong context needs to be restored.
Do:
$ restorecon /

I fixed other AVC messages: https://github.com/fedora-selinux/selinux-policy-contrib/pull/134

Niki

Comment 14 Gwyn Ciesla 2019-09-03 15:27:23 UTC
Thank you!

Comment 15 Lukas Vrabec 2019-09-04 09:07:38 UTC
PR merged. 

Thanks!

Comment 16 Fedora Update System 2019-09-05 06:50:53 UTC
FEDORA-2019-ebfc4df1ad has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ebfc4df1ad

Comment 17 Fedora Update System 2019-09-05 10:52:08 UTC
selinux-policy-3.14.4-32.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ebfc4df1ad

Comment 18 Fedora Update System 2019-09-16 07:05:31 UTC
FEDORA-2019-8169f4e6b7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8169f4e6b7

Comment 19 Fedora Update System 2019-09-17 02:14:17 UTC
selinux-policy-3.14.4-33.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8169f4e6b7

Comment 20 Nicolas Berrehouc 2019-12-02 14:36:37 UTC
AVCs are present in F30 too with selinux-policy-3.14.3-52.fc30.noarch, but there is no new build to test for F30.

Comment 21 Nicolas Berrehouc 2019-12-07 15:35:01 UTC
Could this patch be included in the F30 selinux-policy package?

---
déc. 07 07:04:08 icaricio setroubleshoot[2205]: SELinux interdit à zabbix_server d'utiliser l'accès write sur le sock_file zabbix_server_alerter.sock.Pour des messages SELinux exhaustifs, lancez sealert -l dc11e8aa-34e3-4c84-b2f2-2054ae6a3bde
déc. 07 11:37:04 icaricio setroubleshoot[13196]: SELinux interdit à zabbix_server d'utiliser l'accès write sur le sock_file zabbix_server_preprocessing.sock.Pour des messages SELinux exhaustifs, lancez sealert -l dc11e8aa-34e3-4c84-b2f2-2054ae6a3bde
---


# sealert -l dc11e8aa-34e3-4c84-b2f2-2054ae6a3bde
SELinux interdit à zabbix_server d'utiliser l'accès write sur le sock_file zabbix_server_preprocessing.sock.

*****  Le greffon catchall (100. de confiance) suggère   *********************

Si vous pensez que zabbix_server devrait être autorisé à accéder write sur zabbix_server_preprocessing.sock sock_file par défaut.
Alors vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Faire
autoriser cet accès pour le moment en exécutant :
# ausearch -c "zabbix_server" --raw | audit2allow -M my-zabbixserver
# semodule -X 300 -i my-zabbixserver.pp


Informations complémentaires :
Contexte source               system_u:system_r:zabbix_t:s0
Contexte cible                system_u:object_r:tmp_t:s0
Objets du contexte            zabbix_server_preprocessing.sock [ sock_file ]
Source                        zabbix_server
Chemin de la source           zabbix_server
Port                          <Unknown>
Hôte                          icaricio
Paquets RPM source            
Paquets RPM cible             
RPM de la statégie            selinux-policy-3.14.3-53.fc30.noarch
Selinux activé                True
Type de stratégie             targeted
Mode strict                   Permissive
Nom de l'hôte                 icaricio
Plateforme                    Linux icaricio 5.3.13-200.fc30.x86_64 #1 SMP Mon
                              Nov 25 23:02:12 UTC 2019 x86_64 x86_64
Compteur d'alertes            16
Première alerte               2019-11-27 10:01:19 CET
Dernière alerte               2019-12-07 11:36:59 CET
ID local                      dc11e8aa-34e3-4c84-b2f2-2054ae6a3bde

Messages d'audit bruts 
type=AVC msg=audit(1575715019.357:236): avc:  denied  { write } for  pid=2174 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=33697 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


Hash: zabbix_server,zabbix_t,tmp_t,sock_file,write

Comment 22 Fedora Admin XMLRPC Client 2020-01-23 16:24:43 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 23 Zdenek Pytela 2020-03-16 11:57:16 UTC
Nicolas,

All changes related to zabbix seem to have been backported to F31 and F30. The temp file label though seems to be incorrect: can you locate the zabbix_server_preprocessing.sock file? It should get zabbix_tmp_t type.

Comment 24 Nicolas Berrehouc 2020-03-17 18:53:34 UTC
My server has been migrated from F30 to F31 and I still have the same alerts.
Now I use selinux-policy-3.14.4-49.fc31.noarch and container-selinux-2.124.0-3.fc31.noarch.
After a SElinux relabel I can find AVC:

# LC_ALL=C ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(03/17/20 06:11:34.537:187) : avc:  denied  { create } for  pid=2034 comm=zabbix_server name=zabbix_server_preprocessing.sock scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(03/17/20 06:11:34.537:188) : avc:  denied  { write } for  pid=2036 comm=zabbix_server name=zabbix_server_preprocessing.sock dev="tmpfs" ino=37239 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(03/17/20 08:45:05.606:227) : avc:  denied  { write } for  pid=2021 comm=zabbix_server name=zabbix_server_preprocessing.sock dev="tmpfs" ino=37239 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1 

And in the /tmp/ directory:
# ls -alZ /tmp/zabbix_server_*
srwx------. 1 zabbixsrv zabbixsrv system_u:object_r:tmp_t:s0 0 17 mars  06:11 /tmp/zabbix_server_alerter.sock
srwx------. 1 zabbixsrv zabbixsrv system_u:object_r:tmp_t:s0 0 17 mars  06:11 /tmp/zabbix_server_preprocessing.sock


See Logs_20200317.txt for sealert details.

Comment 25 Nicolas Berrehouc 2020-03-17 18:54:51 UTC
Created attachment 1670912 [details]
Sealerts details

Comment 26 Zdenek Pytela 2020-03-18 07:30:38 UTC
Nicolas,

Thank you, in the policy there seem to be type transitions for plain files only:

# sesearch -T -s zabbix_t -t tmp_t
type_transition zabbix_t tmp_t:dir zabbix_tmp_t;
type_transition zabbix_t tmp_t:file zabbix_tmp_t;
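
The distinction drawn in comments 13 and 26 (a denial against a stale or generic label such as admin_home_t or tmp_t points at a relabel or a missing type_transition, whereas a denial against the daemon's own type such as zabbix_var_run_t points at a missing allow rule) can be applied mechanically to ausearch output. The Python script below is an added example, not part of this bug report or of selinux-policy; it parses both the raw audit.log and `ausearch -i` record forms quoted in this bug, groups denials audit2allow-style, and tags each group. The GENERIC_TARGETS list and the verdict names are my own triage heuristic, not anything the policy declares.

```python
import re
from collections import defaultdict

# Constructed sample copied from the records in this bug: the raw audit.log
# form (description, comment 21) and the `ausearch -i` form (comments 9, 24).
SAMPLE = """\
type=AVC msg=audit(1544546167.438:8697): avc:  denied  { create } for  pid=18048 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(04/08/2019 10:10:41.937:2426281) : avc:  denied  { read } for  pid=13772 comm=httpd name=trac.wsgi dev="md0" ino=209453539 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/17/20 06:11:34.537:187) : avc:  denied  { create } for  pid=2034 comm=zabbix_server name=zabbix_server_preprocessing.sock scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1575715019.357:236): avc:  denied  { write } for  pid=2174 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=33697 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(04/08/2019 10:15:53.233:2426330) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=10)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

# Generic types a confined daemon should not be granted rules on: a denial
# against one of these points at a stale label or a missing type_transition,
# not at a missing allow rule (triage heuristic, my assumption, not policy).
GENERIC_TARGETS = {"tmp_t", "admin_home_t", "var_run_t", "default_t", "unlabeled_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Fields of one AVC denial record, or None for anything else."""
    m = PERM_RE.search(line)
    if m is None or not line.startswith("type=AVC"):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def classify(ttype):
    """Triage verdict for a denial on target type `ttype`."""
    return "relabel_or_transition" if ttype in GENERIC_TARGETS else "policy_gap"

def summarize(text):
    """Group denials audit2allow-style: (stype, ttype, tclass) -> (perms, verdict)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {k: (sorted(p), classify(k[1])) for k, p in groups.items()}

if __name__ == "__main__":
    for (s, t, c), (perms, verdict) in summarize(SAMPLE).items():
        print(f"{s} -> {t}:{c} {{ {' '.join(perms)} }}  verdict={verdict}")
```

Run against a real `ausearch -i -m avc -ts recent` capture, the policy_gap groups are the ones worth reporting as in this bug; the relabel_or_transition groups are usually resolved by restorecon or by a filetrans rule like the one in comment 28.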

Comment 27 Zdenek Pytela 2020-03-18 07:50:41 UTC
I've submitted a new Fedora PR to address the issue:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/221

Comment 28 Lukas Vrabec 2020-03-18 11:07:46 UTC
commit ab515a173ec0966a0a4f4c2822d0cef77e2a10b7 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Mar 18 08:34:21 2020 +0100

    Allow zabbix_t manage and filetrans temporary socket files
    
    Allow zabbix_t manage zabbix_tmp_t sock_files.
    Allow zabbix_t files_tmp_filetrans() also for sock_file class.
    
    Resolves: rhbz#1683820

Comment 29 Fedora Update System 2020-03-24 09:40:29 UTC
FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5afc749ee7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5afc749ee7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 30 Nicolas Berrehouc 2020-03-25 18:53:20 UTC
Works fine, no more AVC.

# ls -alZ /tmp/zabbix_server_*
srwx------. 1 zabbixsrv zabbixsrv system_u:object_r:zabbix_tmp_t:s0 0 24 mars  19:44 /tmp/zabbix_server_alerter.sock
srwx------. 1 zabbixsrv zabbixsrv system_u:object_r:zabbix_tmp_t:s0 0 24 mars  19:44 /tmp/zabbix_server_preprocessing.sock

Comment 31 Fedora Update System 2020-04-02 09:54:25 UTC
FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.