Bug 1989037 - zabbix scripts cannot execute sudo command in timely manner
Summary: zabbix scripts cannot execute sudo command in timely manner
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: zabbix40
Version: epel8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-02 09:37 UTC by Renaud Métrich
Modified: 2024-05-03 21:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-05-03 21:29:24 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-510 0 None None None 2022-07-12 14:48:37 UTC
Red Hat Knowledge Base (Solution) 6230151 0 None None None 2021-08-02 09:55:18 UTC

Description Renaud Métrich 2021-08-02 09:37:31 UTC
Description of problem:

Even with the zabbix_run_sudo boolean enabled, zabbix scripts running as zabbix_script_t cannot execute sudo in a timely manner: a timeout occurs while pam_systemd tries to set up the user session, resulting in a 3x25 seconds (== 75 seconds!) delay in execution.

This is due to init_t and systemd_logind_t not being able to reply to the dbus message pam_systemd sends, because the rules are missing:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s init_t -t zabbix_script_t -c dbus
--> no rule
# sesearch -A -s systemd_logind_t -t zabbix_script_t -c dbus
--> no rule
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

RHEL7 + RHEL8


How reproducible:

Always

Steps to Reproduce:
1. Create a fake zabbix_agent and a fake zabbix_script that executes sudo

/usr/local/bin/zabbix_agent:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh

echo "$(basename $0): $(id -Z)"
/usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/usr/local/bin/zabbix_script:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh

echo "$(basename $0): $(id -Z)"
sudo id -Z
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Set appropriate contexts

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# chmod +x /usr/local/bin/zabbix_agent /usr/local/bin/zabbix_script
# chcon -t zabbix_agent_exec_t /usr/local/bin/zabbix_agent
# chcon -t zabbix_script_exec_t /usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Execute the fake zabbix_agent as a service and check the journal and AVCs

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemd-run /usr/local/bin/zabbix_agent
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Actual results: 3x25 seconds delay trying to set up the session

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Aug 02 11:29:18 vm-rhel8 systemd[1]: Started /usr/local/bin/zabbix_agent.
Aug 02 11:29:18 vm-rhel8 zabbix_agent[6586]: zabbix_agent: system_u:system_r:zabbix_agent_t:s0
Aug 02 11:29:18 vm-rhel8 zabbix_agent[6586]: zabbix_script: system_u:system_r:zabbix_script_t:s0

--> 50 seconds HOLE

Aug 02 11:30:08 vm-rhel8 sudo[6592]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/id -Z
Aug 02 11:30:08 vm-rhel8 systemd[1]: Started Session c8 of user root.

--> 25 seconds HOLE

Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_systemd(sudo:session): Failed to create session: Connection timed out
Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 02 11:30:33 vm-rhel8 zabbix_agent[6586]: system_u:system_r:zabbix_script_t:s0
Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_unix(sudo:session): session closed for user root
Aug 02 11:30:33 vm-rhel8 systemd[1]: run-rb7a435cb9cca4ea9a446fd394d89da7d.service: Succeeded.
Aug 02 11:30:33 vm-rhel8 systemd[1]: session-c8.scope: Succeeded.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AUDIT:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -m avc,user_avc -ts recent
----
time->Mon Aug  2 11:29:18 2021
type=USER_AVC msg=audit(1627896558.056:885): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.377 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Aug  2 11:29:43 2021
type=USER_AVC msg=audit(1627896583.098:886): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.378 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Aug  2 11:30:08 2021
type=USER_AVC msg=audit(1627896608.151:892): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.382 spid=1089 tpid=6592 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

No delay, no USER_AVC

Additional info:

Module for missing rules below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
policy_module(zabbix_local_dbus, 1.0)

gen_require(`
	type init_t;
	type systemd_logind_t;
	type zabbix_script_t;
	class dbus send_msg;
')

allow init_t zabbix_script_t:dbus send_msg;
allow systemd_logind_t zabbix_script_t:dbus send_msg;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
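
As an added example (not part of the report, the zabbix package or the SELinux reference policy), the following Python script performs the same translation audit2allow does for the three USER_AVC records quoted above: it extracts the source type, target type, object class and denied permissions from each record, merges repeated records (the same denial is logged once per 25-second dbus reply timeout), and renders a .te module. The sample records are copied verbatim from the report; nothing else is assumed. For these inputs the rendered module matches the zabbix_local_dbus module given in "Additional info". The parser also accepts kernel AVC records (type=AVC), since they carry the same scontext/tcontext/tclass fields.

```python
"""
Turn SELinux AVC / USER_AVC audit records into minimal allow rules and a .te
policy module (the core of what audit2allow does), so the dbus denials from
this report can be checked against the module proposed in it.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the three USER_AVC records from the bug report, unchanged.
SAMPLE_AUDIT = [
    "type=USER_AVC msg=audit(1627896558.056:885): pid=1070 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for "
    "msgtype=method_return dest=:1.377 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1627896583.098:886): pid=1070 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for "
    "msgtype=method_return dest=:1.378 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1627896608.151:892): pid=1070 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for "
    "msgtype=method_return dest=:1.382 spid=1089 tpid=6592 scontext=system_u:system_r:systemd_logind_t:s0 "
    "tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
]

Denial = Tuple[str, str, str]  # (source type, target type, object class)

# "avc:  denied  { send_msg }" -> the permission list inside the braces
_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value fields we need; values never contain whitespace
_FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|permissive)=(\S+)")


def _type_of(context: str) -> Optional[str]:
    """Contexts are user:role:type[:range]; only the type matters for an allow rule."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(record: str) -> Optional[Tuple[Denial, Set[str], bool]]:
    """Parse one AVC/USER_AVC record into ((stype, ttype, tclass), perms, permissive).
    Returns None for anything that is not a denial record."""
    m = _PERMS_RE.search(record)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(record))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    stype, ttype = _type_of(fields["scontext"]), _type_of(fields["tcontext"])
    if stype is None or ttype is None:
        return None
    return (stype, ttype, fields["tclass"]), set(m.group(1).split()), fields.get("permissive") == "1"


def collect_denials(records: List[str]) -> Dict[Denial, Set[str]]:
    """Merge records so each (source, target, class) appears once with the union of its perms."""
    merged: Dict[Denial, Set[str]] = {}
    for record in records:
        parsed = parse_avc(record)
        if parsed is None:
            continue
        key, perms, _permissive = parsed
        merged.setdefault(key, set()).update(perms)
    return merged


def _perm_text(perms: Set[str]) -> str:
    names = sorted(perms)
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"


def render_allow_rules(denials: Dict[Denial, Set[str]]) -> List[str]:
    """One allow statement per (source, target, class), in deterministic order."""
    return [f"allow {s} {t}:{c} {_perm_text(p)};" for (s, t, c), p in sorted(denials.items())]


def render_policy_module(name: str, version: str, denials: Dict[Denial, Set[str]]) -> str:
    """Render a complete .te source: header, gen_require() for every type and class, allow rules."""
    types: Set[str] = set()
    classes: Dict[str, Set[str]] = {}
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"policy_module({name}, {version})", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_perm_text(p)};" for c, p in sorted(classes.items())]
    lines += ["')", ""] + render_allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_policy_module("zabbix_local_dbus", "1.0", collect_denials(SAMPLE_AUDIT)))
```

Feed it the output of `ausearch -m avc,user_avc -ts recent` and review the rules before building the module with the standard `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps. The records only say what was denied, not whether it should be allowed, so the review matters: here the denied permission is the method_return reply travelling from init_t and systemd_logind_t back to the script, which is why pam_systemd waits out the dbus reply timeout instead of failing immediately, and why the allow rules are written with the script domain as the target rather than the source.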

Comment 1 Zdenek Pytela 2021-08-06 09:05:06 UTC
Zabbix ships its own custom selinux policy module, so it needs to be addressed there.

Comment 2 Orion Poplawski 2021-11-02 02:15:23 UTC
Zdenek - 

  Could you offer some suggestions here?  It looks like the current policy allows zabbix_t and zabbix_agent_t to run sudo when the boolean is configured via:

tunable_policy(`zabbix_run_sudo',`
    allow zabbix_agent_t self:capability { setgid setuid sys_resource };
    allow zabbix_agent_t self:process { setrlimit setsched };
    allow zabbix_agent_t self:key write;
    allow zabbix_agent_t self:passwd { passwd rootok };

    auth_rw_lastlog(zabbix_agent_t)
    auth_rw_faillog(zabbix_agent_t)
    auth_exec_chkpwd(zabbix_agent_t)

    selinux_compute_access_vector(zabbix_agent_t)

    systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
    systemd_dbus_chat_logind(zabbix_agent_t)
    systemd_dbus_chat_logind(zabbix_script_t)

    xserver_exec_xauth(zabbix_agent_t)
')

optional_policy(`
    tunable_policy(`zabbix_run_sudo',`
        sudo_exec(zabbix_agent_t)
        su_exec(zabbix_agent_t)
    ')
')

Should I add another such block for zabbix_script_t? 

Or should I just add the rules suggested in this report, something like

allow init_t zabbix_script_t:dbus send_msg;
allow systemd_logind_t zabbix_script_t:dbus send_msg;

I'm not quite sure why zabbix_script_t is allowed to execute sudo in the first place.

I worry a little bit that extending it to zabbix_script_t might not be what some people expect, but I imagine most consider scripts run by zabbix would be covered by the same boolean.

Comment 3 Orion Poplawski 2021-11-02 16:46:43 UTC
Some more things I don't understand.  Here is the zabbix_script_t policy:

domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)

allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
allow zabbix_t zabbix_script_exec_t:file ioctl;

init_domtrans_script(zabbix_script_t)

optional_policy(`
    mta_send_mail(zabbix_script_t)
')

optional_policy(`
    unconfined_domain(zabbix_script_t)
')


* How do we transition from zabbix_agent_t to zabbix_script_t - aren't we only configuring it from zabbix_t?

* Isn't zabbix_script_t unconfined?  Or do unconfined domains still not have access to dbus?

Comment 4 Orion Poplawski 2024-05-03 21:29:24 UTC
Just to note that zabbix 4.0 is EOL at this point.

