Bug 1347052 - SELinux prevents zabbix_agent from running sudo
Summary: SELinux prevents zabbix_agent from running sudo
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Keywords:
Duplicates: 1488191 1529742
Depends On:
Blocks:
 
Reported: 2016-06-15 22:36 UTC by Orion Poplawski
Modified: 2018-11-12 14:10 UTC (History)

Doc Text: A new SELinux boolean called zabbix_run_sudo was introduced so that a system administrator can decide whether such a use case should be allowed or not.
Clone Of:
Last Closed: 2018-10-30 09:59:15 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:00 UTC
Red Hat Knowledge Base (Article) 3685231 None None None 2018-11-12 14:10 UTC

Description Orion Poplawski 2016-06-15 22:36:00 UTC
Description of problem:

I need to have zabbix_agent run sudo, but selinux prevents this.

type=AVC msg=audit(1466030121.398:258278): avc:  denied  { execute } for  pid=995 comm="sh" name="sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.398:258278): avc:  denied  { execute_no_trans } for  pid=995 comm="sh" path="/usr/bin/sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.407:258279): avc:  denied  { create } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { connect } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { write } for  pid=995 comm="sudo" name="log" dev="devtmpfs" ino=14365 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { sendto } for  pid=995 comm="sudo" path="/dev/log" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258281): avc:  denied  { create } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc:  denied  { nlmsg_relay } for  pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc:  denied  { audit_write } for  pid=995 comm="sudo" capability=29  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.410:258285): avc:  denied  { sys_resource } for  pid=995 comm="sudo" capability=24  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.411:258287): avc:  denied  { execute } for  pid=996 comm="sudo" name="lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.411:258287): avc:  denied  { execute_no_trans } for  pid=996 comm="sudo" path="/usr/sbin/lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc:  denied  { read } for  pid=996 comm="lvs" name="lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc:  denied  { open } for  pid=996 comm="lvs" path="/etc/lvm/lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.416:258289): avc:  denied  { write } for  pid=996 comm="lvs" name="lvmetad.socket" dev="tmpfs" ino=11199 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.416:258289): avc:  denied  { connectto } for  pid=996 comm="lvs" path="/run/lvm/lvmetad.socket" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1466030121.422:258290): avc:  denied  { write } for  pid=996 comm="lvs" name="lvm" dev="tmpfs" ino=8436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { add_name } for  pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { create } for  pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258291): avc:  denied  { read append open } for  pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258292): avc:  denied  { lock } for  pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258293): avc:  denied  { remove_name } for  pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258293): avc:  denied  { unlink } for  pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc:  denied  { read } for  pid=996 comm="lvs" name="b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc:  denied  { open } for  pid=996 comm="lvs" path="/run/udev/data/b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.428:258295): avc:  denied  { read write } for  pid=996 comm="lvs" name="control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258295): avc:  denied  { open } for  pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258296): avc:  denied  { ioctl } for  pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258297): avc:  denied  { ipc_info } for  pid=996 comm="lvs" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

See also bug #1147706

Comment 1 Orion Poplawski 2016-06-15 22:42:47 UTC
Plus:

type=AVC msg=audit(1466030242.141:258345): avc:  denied  { sys_admin } for  pid=1150 comm="lvs" capability=21  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
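
The denials above are the whole case for the boolean the fix introduces. As an added example (not from the report or from selinux-policy), the script below reduces raw AVC lines to the source type, target type, class and permissions an administrator actually compares against policy, and then checks whether zabbix_run_sudo exists on the host; the sample denials are copied from the report's output, and the getsebool/setsebool calls are the standard SELinux userspace tools.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage the denials quoted above
# and check whether the zabbix_run_sudo boolean from the fix is available.

# Constructed sample: three denials copied from the report's audit output.
AVC_SAMPLE='type=AVC msg=audit(1466030121.398:258278): avc:  denied  { execute } for  pid=995 comm="sh" name="sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.411:258287): avc:  denied  { execute } for  pid=996 comm="sudo" name="lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.408:258280): avc:  denied  { write } for  pid=995 comm="sudo" name="log" dev="devtmpfs" ino=14365 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file'

# Reduce raw AVC lines to unique "source_type target_type class permissions"
# rows. The types (not pids or inodes) are what decide whether an access is
# one a policy boolean is meant to cover or needs a local policy module.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc:  denied/ {
            perms = $0
            sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
                if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            key = s " " t " " c " " perms
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Space-separated, sorted list of target types the source domain was denied.
avc_target_types() {
    avc_summary "$1" | awk '{ print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Host check: is the boolean present and on? Only meaningful on a machine with
# the SELinux userspace installed; elsewhere it reports that and returns 2.
check_zabbix_run_sudo() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not installed"; return 2; }
    getsebool zabbix_run_sudo 2>/dev/null || {
        echo "zabbix_run_sudo not in the loaded policy: install the errata policy first"
        return 1
    }
    # To allow the agent's sudo use persistently once the fix is installed:
    #   setsebool -P zabbix_run_sudo on
}

if [ "${1:-}" = "--demo" ]; then
    avc_summary "$AVC_SAMPLE"
    check_zabbix_run_sudo
fi
```

Run it with `--demo` to print the summary rows and the boolean status; on a host without the fixed policy, the denied target types (sudo_exec_t, lvm_exec_t, devlog_t) are the list to compare against what the new boolean allows.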

Comment 8 Lukas Vrabec 2018-06-10 20:13:08 UTC
*** Bug 1529742 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2018-06-26 12:08:47 UTC
*** Bug 1488191 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

