Description of problem:

# rpm -qla zabbix-proxy\* | grep sbin | xargs matchpathcon
/usr/sbin/zabbix_proxy          system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_mysql    system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_sqlite3  system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_pgsql    system_u:object_r:bin_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-86.el7.noarch
selinux-policy-doc-3.12.1-86.el7.noarch
selinux-policy-minimum-3.12.1-86.el7.noarch
selinux-policy-mls-3.12.1-86.el7.noarch
selinux-policy-targeted-3.12.1-86.el7.noarch
zabbix-proxy-2.0.6-3.fc19.x86_64
zabbix-proxy-mysql-2.0.6-3.fc19.x86_64
zabbix-proxy-pgsql-2.0.6-3.fc19.x86_64
zabbix-proxy-sqlite3-2.0.6-3.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
# service zabbix-proxy status
Redirecting to /bin/systemctl status zabbix-proxy.service
zabbix-proxy-mysql.service - Zabbix MySQL Proxy Agent
   Loaded: loaded (/usr/lib/systemd/system/zabbix-proxy-mysql.service; disabled)
   Active: inactive (dead)

Oct 08 23:35:26 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 08 23:35:28 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.
Oct 08 23:36:26 rhel70 systemd[1]: Starting Zabbix MySQL Proxy Agent...
Oct 08 23:36:26 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.
Oct 11 15:21:40 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 11 15:21:42 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.
Oct 11 15:21:45 rhel70 systemd[1]: Starting Zabbix MySQL Proxy Agent...
Oct 11 15:21:45 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.
Oct 11 15:30:51 rhel70 systemd[1]: Stopping Zabbix MySQL Proxy Agent...
Oct 11 15:30:53 rhel70 systemd[1]: Stopped Zabbix MySQL Proxy Agent.

# service zabbix-proxy start
Redirecting to /bin/systemctl start zabbix-proxy.service
# service zabbix-proxy status
Redirecting to /bin/systemctl status zabbix-proxy.service
zabbix-proxy-mysql.service - Zabbix MySQL Proxy Agent
   Loaded: loaded (/usr/lib/systemd/system/zabbix-proxy-mysql.service; disabled)
   Active: active (exited) since Fri 2013-10-11 15:34:34 CEST; 1s ago
  Process: 21665 ExecStart=/usr/sbin/zabbix_proxy (code=exited, status=0/SUCCESS)
 Main PID: 21665 (code=exited, status=0/SUCCESS)

Oct 11 15:34:34 rhel70 systemd[1]: Started Zabbix MySQL Proxy Agent.

# ps -efZ | grep zabbix
system_u:system_r:init_t:s0     zabbixs+ 21667     1  0 15:34 ?        00:00:00 /usr/sbin/zabbix_proxy
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21681 21542  0 15:34 pts/0    00:00:00 grep --color=auto zabbix

Actual results:
* zabbix-proxy runs as init_t

Expected results:
* zabbix-proxy runs in its own SELinux domain
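The two checks the report relies on (file labels via matchpathcon, process domains via ps -Z) are easy to script into a repeatable audit. The following is an added example, not part of the bug report or of the zabbix packaging; the command output it operates on is a constructed copy of what the report shows, and the expected type zabbix_exec_t is the label proposed later in this thread, assumed here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit SELinux file labels and
# process domains for the zabbix-proxy binaries named in the report.
# The sample command output is constructed from the report so the script
# runs offline; on a live host feed it real matchpathcon / ps -eZ output.

# Label the policy is expected to assign (assumption: the thread's proposal).
EXPECTED_TYPE="zabbix_exec_t"

# Constructed copy of the matchpathcon output quoted in the report.
SAMPLE_LABELS='/usr/sbin/zabbix_proxy system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_mysql system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_sqlite3 system_u:object_r:bin_t:s0
/usr/sbin/zabbix_proxy_pgsql system_u:object_r:bin_t:s0'

# Constructed `ps -eZ` output mirroring the report's ps -efZ line.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0       21667 ?        00:00:00 zabbix_proxy
system_u:system_r:sshd_t:s0-s0:c0.c1023 1234 ? 00:00:00 sshd'

# mislabeled_binaries: read "path context" lines on stdin and print each
# path whose type (third colon-separated field of the context) is not $1.
mislabeled_binaries() {
    awk -v want="$1" '{ split($2, ctx, ":"); if (ctx[3] != want) print $1 }'
}

# init_t_processes: read `ps -eZ` output on stdin and print PID and command
# of every process still running in init_t, i.e. a service that systemd
# started without a domain transition (the symptom in this report).
init_t_processes() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "init_t") print $2, $NF }'
}

# Convenience wrappers over the constructed samples.
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LABELS" | mislabeled_binaries "$1" | wc -l | tr -d ' '
}

count_init_t() {
    printf '%s\n' "$SAMPLE_PS" | init_t_processes | wc -l | tr -d ' '
}

# Live usage (not run here):
#   rpm -qla 'zabbix-proxy*' | grep sbin | xargs matchpathcon | mislabeled_binaries "$EXPECTED_TYPE"
#   ps -eZ | init_t_processes
```

With the report's output, all four binaries show up as mislabeled against zabbix_exec_t (they carry bin_t), and the running zabbix_proxy is flagged because its domain is init_t; a service that transitions correctly would not appear in the second list.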
Ok, the question is how we should label it. Basically I believe we should stay just with zabbix_t for all zabbix services/agents.

Milos, could you test it with zabbix_exec_t labeling?

commit b448ce2e0caeb2a6f0c8a673434bf58305bfcc55
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 16 11:04:23 2013 +0200

    Add labels for zabbix-poxy-* (#1018221)
When /usr/sbin/zabbix_proxy_mysql is labeled zabbix_exec_t then "service zabbix-proxy start" triggers the following AVC in enforcing mode:

----
type=PATH msg=audit(10/16/2013 12:33:12.146:1372) : item=0 name=/sys/devices/system/cpu inode=33 dev=00:0f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL
type=CWD msg=audit(10/16/2013 12:33:12.146:1372) : cwd=/
type=SYSCALL msg=audit(10/16/2013 12:33:12.146:1372) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x383d37c900 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=27495 pid=27496 auid=unset uid=zabbixsrv gid=zabbix euid=zabbixsrv suid=zabbixsrv fsuid=zabbixsrv egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(10/16/2013 12:33:12.146:1372) : avc: denied { read } for pid=27496 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----

The same AVC appears in permissive mode too:

----
type=PATH msg=audit(10/16/2013 12:37:13.905:1390) : item=0 name=/sys/devices/system/cpu inode=33 dev=00:0f mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL
type=CWD msg=audit(10/16/2013 12:37:13.905:1390) : cwd=/
type=SYSCALL msg=audit(10/16/2013 12:37:13.905:1390) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffffffffffff9c a1=0x383d37c900 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=27657 auid=unset uid=zabbixsrv gid=zabbix euid=zabbixsrv suid=zabbixsrv fsuid=zabbixsrv egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(10/16/2013 12:37:13.905:1390) : avc: denied { read } for pid=27657 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
This is going to be fixed with the zabbix_domain attribute.
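The two audit extracts above are the same denial (zabbix_t reading a sysfs_t directory) logged once in enforcing mode and once in permissive mode; the only difference is the SYSCALL record's success=no/exit=-13 versus success=yes. The script below, an added example that is not part of the bug report or of selinux-policy, groups audit records by event serial, pulls the denial tuple out of the AVC record and reports from the matching SYSCALL record whether the denial was actually enforced. Its input is a constructed copy of the records quoted above, trimmed to the fields the script reads; on a real host the same functions accept the output of ausearch -i.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AVC records by event.
# Prints "serial source_type target_type class perms mode", where mode is
# "enforced" (SYSCALL success=no) or "permissive" (success=yes), so a
# denial that only shows up as permissive can be told apart from one that
# is actually blocking the service.

# Constructed copy of the four records relevant to the two events in the
# report (PATH/CWD records omitted; they carry no fields this script reads).
SAMPLE_AUDIT='type=SYSCALL msg=audit(10/16/2013 12:33:12.146:1372) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) pid=27496 comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0
type=AVC msg=audit(10/16/2013 12:33:12.146:1372) : avc: denied { read } for pid=27496 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(10/16/2013 12:37:13.905:1390) : arch=x86_64 syscall=openat success=yes exit=4 pid=27657 comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0
type=AVC msg=audit(10/16/2013 12:37:13.905:1390) : avc: denied { read } for pid=27657 comm=zabbix_proxy name=cpu dev="sysfs" ino=33 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir'

# avc_triage: read ausearch -i style records on stdin, one record per line.
avc_triage() {
    awk '
        # Every record carries msg=audit(<time>:<serial>) ; use the serial
        # to join the SYSCALL and AVC records of one event.
        { match($0, /:[0-9]+\) :/); id = substr($0, RSTART + 1, RLENGTH - 4) }

        $1 == "type=SYSCALL" {
            for (i = 1; i <= NF; i++)
                if (index($i, "success=") == 1)
                    mode[id] = (substr($i, 9) == "no") ? "enforced" : "permissive"
        }

        $1 == "type=AVC" {
            s = t = c = perm = ""
            for (i = 1; i <= NF; i++) {
                # permissions are listed between "{" and "}"
                if ($i == "{")
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                # third colon field of a context is its type
                if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); s = a[3] }
                if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); t = a[3] }
                if (index($i, "tclass=") == 1) c = substr($i, 8)
            }
            tuple[id] = s " " t " " c " " perm
        }

        END {
            for (id in tuple) {
                m = (id in mode) ? mode[id] : "unknown"
                print id, tuple[id], m
            }
        }
    ' | sort
}

# triage_sample: run the triage over the constructed records.
triage_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_triage
}

# count_enforced: how many of the triaged events actually blocked the call.
count_enforced() {
    triage_sample | grep -c ' enforced$'
}

# Live usage (not run here):  ausearch -i -m AVC,SYSCALL -ts today | avc_triage
```

Both events resolve to the same tuple, zabbix_t -> sysfs_t dir read, but only event 1372 was enforced; event 1390 from the permissive run logs the denial while the openat succeeds. Keeping the tuple per event makes it straightforward to confirm later that the denial no longer appears once the updated policy with the zabbix_domain attribute is installed, which is the fix this thread points to rather than a locally generated allow rule.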
Are you able to reproduce it? Basically this is probably caused by restarting these services. Or:

# ps -eZ | grep init_t
You're right, there was a zabbix_proxy process running as init_t.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.