1347052 – SELinux prevents zabbix_agent from running sudo

Bug 1347052 - SELinux prevents zabbix_agent from running sudo

Summary: SELinux prevents zabbix_agent from running sudo

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (2):	1488191 1529742 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-15 22:36 UTC by Orion Poplawski
Modified:	2018-11-12 14:10 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-203.el7
Doc Type:	Release Note
Doc Text:	A new SELinux boolean called zabbix_run_sudo was introduced so that system administrator can decide if such use case should be allowed or not.
Clone Of:
Environment:
Last Closed:	2018-10-30 09:59:15 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	None	None	None	2018-10-30 10:00:02 UTC
Red Hat Knowledge Base (Article)	3685231	None	None	None	2018-11-12 14:10:47 UTC

Description Orion Poplawski 2016-06-15 22:36:00 UTC

Description of problem:

I need to have zabbix_agent run sudo, but selinux prevents this.

type=AVC msg=audit(1466030121.398:258278): avc:  denied  { execute } for  pid=995 comm="sh" name="sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.398:258278): avc:  denied  { execute_no_trans } for  pid=995 comm="sh" path="/usr/bin/sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.407:258279): avc:  denied  { create } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { connect } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { write } for  pid=995 comm="sudo" name="log" dev="devtmpfs" ino=14365 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { sendto } for  pid=995 comm="sudo" path="/dev/log" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258281): avc:  denied  { create } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc:  denied  { nlmsg_relay } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc:  denied  { audit_write } for  pid=995 comm="sudo" capability=29  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.410:258285): avc:  denied  { sys_resource } for  pid=995 comm="sudo" capability=24  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.411:258287): avc:  denied  { execute } for  pid=996 comm="sudo" name="lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.411:258287): avc:  denied  { execute_no_trans } for  pid=996 comm="sudo" path="/usr/sbin/lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc:  denied  { read } for  pid=996 comm="lvs" name="lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc:  denied  { open } for  pid=996 comm="lvs" path="/etc/lvm/lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.416:258289): avc:  denied  { write } for  pid=996 comm="lvs" name="lvmetad.socket" dev="tmpfs" ino=11199 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.416:258289): avc:  denied  { connectto } for  pid=996 comm="lvs" path="/run/lvm/lvmetad.socket" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1466030121.422:258290): avc:  denied  { write } for  pid=996 comm="lvs" name="lvm" dev="tmpfs" ino=8436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { add_name } for  pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { create } for  pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { read append open } for  pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258292): avc:  denied  { lock } for  pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258293): avc:  denied  { remove_name } for  pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258293): avc:  denied  { unlink } for  pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc:  denied  { read } for  pid=996 comm="lvs" name="b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc:  denied  { open } for  pid=996 comm="lvs" path="/run/udev/data/b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.428:258295): avc:  denied  { read write } for  pid=996 comm="lvs" name="control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258295): avc:  denied  { open } for  pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258296): avc:  denied  { ioctl } for  pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258297): avc:  denied  { ipc_info } for  pid=996 comm="lvs" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

See also bug #1147706

Comment 1 Orion Poplawski 2016-06-15 22:42:47 UTC

Plus:

type=AVC msg=audit(1466030242.141:258345): avc:  denied  { sys_admin } for  pid=1150 comm="lvs" capability=21  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability

Comment 8 Lukas Vrabec 2018-06-10 20:13:08 UTC

*** Bug 1529742 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2018-06-26 12:08:47 UTC

*** Bug 1488191 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2018-10-30 09:59:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.