Bug 1032691 - [selinux policy] Zabbix agent monitoring access denied
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Duplicates: 1059979
Depends On: 1038237
Blocks: 1034076 1039851
Reported: 2013-11-20 10:23 EST by Kenny Woodson
Modified: 2014-10-14 03:58 EDT
CC: 27 users
Fixed In Version: selinux-policy-3.7.19-251.el6
Doc Type: Bug Fix
Clones: 1034076 1039851
Last Closed: 2014-10-14 03:58:04 EDT
Type: Bug
Attachments: None

Description Kenny Woodson 2013-11-20 10:23:10 EST
Description of problem:

We updated to RHEL 6.5 in our integration environment.  We noticed that the zabbix user which monitors openshift was incorrectly reporting on some of the simple items of process watching.

Upon further investigation we noticed selinux denials in the audit log.

type=AVC msg=audit(1384958942.913:419876): avc:  denied  { read } for  pid=432525 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384958942.913:419876): arch=c000003e syscall=2 success=no exit=-13 a0=30005592b8 a1=80000 a2=1fffea55624b a3=2 items=1 ppid=432522 pid=432525 auid=641 uid=428 gid=426 euid=428 suid=428 fsuid=428 egid=426 sgid=426 fsgid=426 tty=(none) ses=3034 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)
type=CWD msg=audit(1384958942.913:419876):  cwd="/"
type=PATH msg=audit(1384958942.913:419876): item=0 name="/sys/devices/system/cpu/online" inode=23 dev=00:00 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1384958943.149:419877): user pid=432972 uid=0 auid=0 ses=3165 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="527aff0703ef64932f0000bf" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1384958943.149:419878): user pid=432972 uid=0 auid=0 ses=3165 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="527aff0703ef64932f0000bf" exe="/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1384958943.166:419879): user pid=432844 uid=0 auid=0 ses=3165 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1384958943.166:419880): user pid=432844 uid=0 auid=0 ses=3165 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1384958943.607:419881): avc:  denied  { read } for  pid=432528 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384958943.607:419881): arch=c000003e syscall=2 success=no exit=-13 a0=30005592b8 a1=80000 a2=1fffea55624b a3=2 items=1 ppid=432522 pid=432528 auid=641 uid=428 gid=426 euid=428 suid=428 fsuid=428 egid=426 sgid=426 fsgid=426 tty=(none) ses=3034 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)

Version-Release number of selected component (if applicable):
2.0.36

How reproducible:
Every time.

Steps to Reproduce:
1. Upgrade a host to rhel 6.5.
2. Check the /var/log/audit.log to see denial messages for zabbix.

Actual results:

Errors seen.

Expected results:

This should work.

Additional info:

I believe the zabbix_agent_t does not have access to the openshift_t label.  On a side note, I saw this specifically when restarting the zabbix agent process:

[root@ex-std-node1.int zabbix]# /etc/init.d/zabbix-agent restart
Shutting down ZABBIX agent:                                [  OK  ]
Starting ZABBIX agent: zabbix_agentd [465870]: /etc/zabbix/zabbix_agentd.d: [13] Permission denied

                                                           [  OK  ]

-----
Notice the permission denied.  This is probably related.
Comment 1 Eric Paris 2013-11-22 11:29:33 EST
Looks like the zabbix agent is trying to open name=/sys/devices/system/cpu/online

Is this expected? Probably is a simple policy fix when mgrepl gets back next week...
Comment 3 Miroslav Grepl 2013-11-25 03:41:12 EST
Basically we need to update the zabbix policy by

$ cat myzabbix.te
policy_module(myzabbix, 1.0)

require{
 type zabbix_agent_t;
}

domain_read_all_domain_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t))
Comment 5 Simon Sekidde 2013-11-27 09:37:35 EST
(In reply to Miroslav Grepl from comment #3)
> Basically we need to update the zabbix policy by
> 
> $ cat myzabbix.te
> policy_module(myzabbix, 1.0)
> 
> require{
>  type zabbix_agent_t;
> }
> 
> domain_read_all_domain_state(zabbix_agent_t)
> dev_read_sysfs(zabbix_agent_t))

$ cat myzabbix.te
policy_module(myzabbix, 1.0)

require{
 type zabbix_agent_t;
}

domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
Comment 6 Okun Sergey 2013-12-09 07:39:22 EST
After using this code we still have such errors:

type=AVC msg=audit(1386334625.138:81637): avc:  denied  { read } for  pid=4570 comm="zabbix_agentd" name="dev" dev=proc ino=4026531981 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

type=SYSCALL msg=audit(1386334625.138:81637): arch=c000003e syscall=2 success=no exit=-13 a0=42e286 a1=0 a2=1b6 a3=0 items=0 ppid=4565 pid=4570 auid=503 uid=494 gid=496 euid=494 suid=494 fsuid=494 egid=496 sgid=496 fsgid=496 tty=(none) ses=3033 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=unconfined_u:system_r:zabbix_agent_t:s0 key=(null)

I think it's our custom items from /proc/diskstats.
Comment 7 Miroslav Grepl 2013-12-09 16:29:53 EST
Ok, you need to update to 

$ cat myzabbix.te
policy_module(myzabbix, 1.0)

require{
 type zabbix_agent_t;
}

kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
Comment 8 Kenny Woodson 2013-12-09 17:28:12 EST
We ran this on our zabbix server as it requires the use of fping in order to perform agent checks correctly.

Miroslav recommended this latest version in our conversation over IRC.  The zabbix_t, zabbix_tmp_t, and ping_t changes are specifically for the zabbix server.

$ cat /usr/share/selinux/devel/myzabbix.te
policy_module(myzabbix, 1.0)

require{
 type zabbix_agent_t;
 type zabbix_t;
 type ping_t;
 type zabbix_tmp_t;
}

allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };

kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
Comment 9 Fabian Arrotin 2013-12-10 05:52:57 EST
Just to add that zabbix_agent_t also needs network access when using the net.tcp.service zabbix item (network port check), so I modified the previous .te like this:

policy_module(zabbix-fix, 1.0)

require{
 type zabbix_agent_t;
 type zabbix_t;
 type ping_t;
 type zabbix_tmp_t;
}

allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };

kernel_read_network_state(zabbix_agent_t)
domain_read_all_domains_state(zabbix_agent_t)
dev_read_sysfs(zabbix_agent_t)
corenet_tcp_connect_all_ports(zabbix_agent_t)
Comment 10 Tats Shibata 2013-12-15 09:58:45 EST
I still have the below errors.
/usr/lib/zabbix/externalscripts is a default path of Zabbix's official RPM.

type=AVC msg=audit(1387044005.378:268): avc:  denied  { search } for  pid=1989 comm="zabbix_server" name="/" dev="dm-9" ino=2 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1387044119.822:292): avc:  denied  { execute } for  pid=3876 comm="sh" name="sendmail.postfix" dev="dm-0" ino=12139 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1387045941.87:391): avc:  denied  { execute_no_trans } for pid=6774 comm="sh" path="/usr/lib/zabbix/externalscripts/ssl-cert-check.sh" dev="dm-0" ino=24391 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1387045941.131:392): avc:  denied  { getattr } for  pid=6788 comm="which" path="/bin/mailx" dev="dm-0" ino=39097 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Comment 11 Volker Fröhlich 2013-12-15 15:09:36 EST
Where "official" is what zabbix.com ships. They are not following packaging guidelines.
Comment 12 Miroslav Grepl 2013-12-16 02:31:36 EST
Are all these AVC msgs caused by these scripts?

/usr/lib/zabbix/externalscripts
Comment 13 Tuomo Soini 2013-12-16 02:37:28 EST
Note: Fedora zabbix and epel6 zabbix20 point to /var/lib/zabbix/externalscripts
Comment 14 Tats Shibata 2013-12-16 11:00:09 EST
I've seen the conf/zabbix_server.conf in the latest source code. There is no indicated value for ExternalScripts. I think the added value into Zabbix SIA's RPM (zabbix-server-2.2.1-1.el6.x86_64.rpm), /usr/lib/externalscripts is not good. That means this would be Zabbix SIA's RPM issue, not selinux-policy.

sendmail_exec_t:file { getattr } was called from /usr/lib/zabbix/externalscripts/ssl-cert-check.sh. Please ignore it.

home_root_t:dir { search } and sendmail_exec_t:file { execute } are not related to /usr/lib/zabbix/externalscripts. The occurrence times are different from the /usr/lib/externalscripts one.
Comment 15 Volker Fröhlich 2013-12-16 15:11:29 EST
Well, they are using a pseudo-placeholder there, but it's commented out:

# ExternalScripts=${datadir}/zabbix/externalscripts

However, server and proxy use a hardcoded

CONFIG_EXTERNALSCRIPTS = zbx_strdup(CONFIG_EXTERNALSCRIPTS, DATADIR "/zabbix/externalscripts");

The Fedora/EPEL packages have the same hard-coded values, but override them in the configuration files. As you already concluded, this is not a SELinux issue.
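The denials quoted in this thread were resolved in two different ways: the sysfs_t and proc_net_t reads from the description and comment 6 became policy interfaces (dev_read_sysfs and kernel_read_network_state in comments 3 and 7), while the lib_t denial on /usr/lib/zabbix/externalscripts in comment 10 turned out to be a packaging and path problem rather than a policy gap (comments 14 and 15). The script below is an added illustration of that triage; it is not part of the bug report or of selinux-policy. It collapses AVC records into one summary line per (command, source type, target type, class, permission) and then applies the thread's conclusions to each line. The sample input is constructed from the denials quoted above (some fields shortened); the sysfs_t/proc_net_t interface names are the ones the thread used, and grouping lib_t, home_root_t and usr_t targets as "check the label first" is this example's own heuristic.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Triage AVC denials the way this thread did: summarise them, then decide
# per denial whether it is a policy gap or a labelling/packaging problem.

# Constructed sample: AVC/SYSCALL records copied from the denials quoted
# in this bug (some fields shortened).
AVC_SAMPLE='type=AVC msg=audit(1384958942.913:419876): avc:  denied  { read } for  pid=432525 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384958942.913:419876): arch=c000003e syscall=2 success=no exit=-13 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd"
type=AVC msg=audit(1384958943.607:419881): avc:  denied  { read } for  pid=432528 comm="zabbix_agentd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1386334625.138:81637): avc:  denied  { read } for  pid=4570 comm="zabbix_agentd" name="dev" dev=proc ino=4026531981 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1387045941.87:391): avc:  denied  { execute_no_trans } for pid=6774 comm="sh" path="/usr/lib/zabbix/externalscripts/ssl-cert-check.sh" dev="dm-0" ino=24391 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# summarize_avcs: read audit records on stdin and print one sorted line per
# distinct denial: "<comm> <source type> <target type> <class> <perms> <count>".
# Non-AVC records (SYSCALL, CWD, PATH, ...) are skipped.
summarize_avcs() {
  awk '
    /^type=AVC / && / denied / {
      perms = ""; stype = ""; ttype = ""; class = ""; comm = ""
      # permissions sit between braces: "{ read }" or "{ read write }"
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      { split(kv[2], ctx, ":"); stype = ctx[3] }
        else if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3] }
        else if (kv[1] == "tclass")   { class = kv[2] }
        else if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
      }
      count[comm " " stype " " ttype " " class " " perms]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# triage_line: take one summary line and say what the thread's outcome implies.
# sysfs_t/proc_net_t -> the interface names used in comments 3 and 7.
# lib_t/home_root_t/usr_t -> the file lives somewhere the policy never expected
#   (in this bug: scripts under /usr/lib), so check the path and label before
#   adding allow rules. That grouping is this example's own heuristic.
triage_line() {
  set -- $1   # $1=comm $2=stype $3=ttype $4=class $5=perms $6=count
  case "$3:$4:$5" in
    sysfs_t:file:read)     echo "$2 -> dev_read_sysfs($2)" ;;
    proc_net_t:file:read)  echo "$2 -> kernel_read_network_state($2)" ;;
    lib_t:*|home_root_t:*|usr_t:*)
                           echo "$2 -> check label/path of target (tcontext $3), not a policy gap" ;;
    *)                     echo "$2 -> unmapped $3:$4:$5, review manually" ;;
  esac
}

# Run the triage over the constructed sample (stand-alone usage).
printf '%s\n' "$AVC_SAMPLE" | summarize_avcs | while read -r line; do
  triage_line "$line"
done
```

Once the needed interfaces are known, the myzabbix.te from this thread is built on RHEL 6 with `make -f /usr/share/selinux/devel/Makefile myzabbix.pp` (selinux-policy-devel) and loaded with `semodule -i myzabbix.pp`. The summary also keeps the target port type of tcp_socket name_connect denials, which lets you pick the matching corenet_tcp_connect_*_port() interface when only a few ports are involved instead of the blanket corenet_tcp_connect_all_ports() from comment 9.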
Comment 16 Volker Fröhlich 2014-01-31 02:38:56 EST
*** Bug 1059979 has been marked as a duplicate of this bug. ***
Comment 20 Lukas Vrabec 2014-08-15 07:33:27 EDT
Backported.
Comment 23 errata-xmlrpc 2014-10-14 03:58:04 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
