Red Hat Bugzilla – Bug 1347052
SELinux prevents zabbix_agent from running sudo
Last modified: 2018-10-30 06:00:03 EDT
Description of problem:
I need to have zabbix_agent run sudo, but selinux prevents this.

type=AVC msg=audit(1466030121.398:258278): avc: denied { execute } for pid=995 comm="sh" name="sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.398:258278): avc: denied { execute_no_trans } for pid=995 comm="sh" path="/usr/bin/sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.407:258279): avc: denied { create } for pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc: denied { connect } for pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258280): avc: denied { write } for pid=995 comm="sudo" name="log" dev="devtmpfs" ino=14365 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.408:258280): avc: denied { sendto } for pid=995 comm="sudo" path="/dev/log" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1466030121.408:258281): avc: denied { create } for pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc: denied { nlmsg_relay } for pid=995 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1466030121.408:258282): avc: denied { audit_write } for pid=995 comm="sudo" capability=29 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.410:258285): avc: denied { sys_resource } for pid=995 comm="sudo" capability=24 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.411:258287): avc: denied { execute } for pid=996 comm="sudo" name="lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.411:258287): avc: denied { execute_no_trans } for pid=996 comm="sudo" path="/usr/sbin/lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc: denied { read } for pid=996 comm="lvs" name="lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.414:258288): avc: denied { open } for pid=996 comm="lvs" path="/etc/lvm/lvm.conf" dev="dm-3" ino=12691734 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1466030121.416:258289): avc: denied { write } for pid=996 comm="lvs" name="lvmetad.socket" dev="tmpfs" ino=11199 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1466030121.416:258289): avc: denied { connectto } for pid=996 comm="lvs" path="/run/lvm/lvmetad.socket" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1466030121.422:258290): avc: denied { write } for pid=996 comm="lvs" name="lvm" dev="tmpfs" ino=8436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc: denied { add_name } for pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258291): avc: denied { create } for pid=996 comm="lvs" name="V_vg_root:aux" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258291): avc: denied { read append open } for pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258292): avc: denied { lock } for pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258293): avc: denied { remove_name } for pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
type=AVC msg=audit(1466030121.422:258293): avc: denied { unlink } for pid=996 comm="lvs" name="V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc: denied { read } for pid=996 comm="lvs" name="b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.424:258294): avc: denied { open } for pid=996 comm="lvs" path="/run/udev/data/b8:0" dev="tmpfs" ino=15773 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1466030121.428:258295): avc: denied { read write } for pid=996 comm="lvs" name="control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258295): avc: denied { open } for pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258296): avc: denied { ioctl } for pid=996 comm="lvs" path="/dev/mapper/control" dev="devtmpfs" ino=18443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1466030121.428:258297): avc: denied { ipc_info } for pid=996 comm="lvs" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.3.noarch

See also bug #1147706
Plus:
type=AVC msg=audit(1466030242.141:258345): avc: denied { sys_admin } for pid=1150 comm="lvs" capability=21 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:zabbix_agent_t:s0 tclass=capability
*** Bug 1529742 has been marked as a duplicate of this bug. ***
*** Bug 1488191 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111
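
Added example (not part of the original bug report or of any Red Hat tooling): a small Python summarizer for AVC denials like the ones in the description, grouping them by source type, target type and object class so the full set of accesses a domain attempted is visible at a glance. The function names are hypothetical and the sample records are copied from the report above.

```python
import re
from collections import defaultdict

# Matches one AVC denial; works whether records are one per line or run together.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)'
)

# Five records copied from the report above.
SAMPLE = """
type=AVC msg=audit(1466030121.398:258278): avc: denied { execute } for pid=995 comm="sh" name="sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.398:258278): avc: denied { execute_no_trans } for pid=995 comm="sh" path="/usr/bin/sudo" dev="dm-3" ino=6742310 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.408:258282): avc: denied { audit_write } for pid=995 comm="sudo" capability=29 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=AVC msg=audit(1466030121.411:258287): avc: denied { execute_no_trans } for pid=996 comm="sudo" path="/usr/sbin/lvm" dev="dm-3" ino=9001253 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1466030121.422:258291): avc: denied { read append open } for pid=996 comm="lvs" path="/run/lock/lvm/V_vg_root:aux" dev="tmpfs" ino=15922436 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
"""

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (se_type(m["s"]), se_type(m["t"]), m["c"])
        groups[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in groups.items()}

def untransitioned_execs(summary):
    """Target types with execute_no_trans denied: the caller tried to run the
    program in its own domain, i.e. no domain transition applied to it."""
    return sorted(t for (_, t, c), perms in summary.items()
                  if c == "file" and "execute_no_trans" in perms)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (src, tgt, cls), perms in sorted(result.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    print("executed without transition:", untransitioned_execs(result))
```

Run over the full log, the grouping makes it clear that everything sudo and lvs did was attempted in zabbix_agent_t itself, which is why the denials extend to capabilities and LVM lock, control and socket objects.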