Description of problem:
Even with the zabbix_run_sudo boolean enabled, zabbix scripts running as zabbix_script_t cannot execute sudo in a timely manner: a timeout occurs while pam_systemd tries to set up the user session, resulting in a 3x25 seconds (== 75 seconds!) delay in execution.

This is due to init_t and systemd_logind_t not being able to reply to the dbus message pam_systemd sends, because the rules are missing:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s init_t -t zabbix_script_t -c dbus
--> no rule
# sesearch -A -s systemd_logind_t -t zabbix_script_t -c dbus
--> no rule
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):
RHEL7 + RHEL8

How reproducible:
Always

Steps to Reproduce:
1. Create a fake zabbix_agent and a fake zabbix_script that executes sudo

/usr/local/bin/zabbix_agent:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
echo "$(basename $0): $(id -Z)"
/usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/usr/local/bin/zabbix_script:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
echo "$(basename $0): $(id -Z)"
sudo id -Z
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Set appropriate contexts
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# chmod +x /usr/local/bin/zabbix_agent /usr/local/bin/zabbix_script
# chcon -t zabbix_agent_exec_t /usr/local/bin/zabbix_agent
# chcon -t zabbix_script_exec_t /usr/local/bin/zabbix_script
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Execute the fake zabbix_agent as a service and check the journal and AVCs
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemd-run /usr/local/bin/zabbix_agent
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:
3x25 seconds delay trying to set up the session

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Aug 02 11:29:18 vm-rhel8 systemd[1]: Started /usr/local/bin/zabbix_agent.
Aug 02 11:29:18 vm-rhel8 zabbix_agent[6586]: zabbix_agent: system_u:system_r:zabbix_agent_t:s0
Aug 02 11:29:18 vm-rhel8 zabbix_agent[6586]: zabbix_script: system_u:system_r:zabbix_script_t:s0
--> 50 seconds HOLE
Aug 02 11:30:08 vm-rhel8 sudo[6592]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/id -Z
Aug 02 11:30:08 vm-rhel8 systemd[1]: Started Session c8 of user root.
--> 25 seconds HOLE
Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_systemd(sudo:session): Failed to create session: Connection timed out
Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 02 11:30:33 vm-rhel8 zabbix_agent[6586]: system_u:system_r:zabbix_script_t:s0
Aug 02 11:30:33 vm-rhel8 sudo[6592]: pam_unix(sudo:session): session closed for user root
Aug 02 11:30:33 vm-rhel8 systemd[1]: run-rb7a435cb9cca4ea9a446fd394d89da7d.service: Succeeded.
Aug 02 11:30:33 vm-rhel8 systemd[1]: session-c8.scope: Succeeded.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AUDIT:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -m avc,user_avc -ts recent
----
time->Mon Aug 2 11:29:18 2021
type=USER_AVC msg=audit(1627896558.056:885): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.377 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Aug 2 11:29:43 2021
type=USER_AVC msg=audit(1627896583.098:886): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.378 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Aug 2 11:30:08 2021
type=USER_AVC msg=audit(1627896608.151:892): pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.382 spid=1089 tpid=6592 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:
No delay, no USER_AVC

Additional info:
Module for missing rules below:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
policy_module(zabbix_local_dbus, 1.0)

gen_require(`
	type init_t;
	type systemd_logind_t;
	type zabbix_script_t;
	class dbus send_msg;
')

allow init_t zabbix_script_t:dbus send_msg;
allow systemd_logind_t zabbix_script_t:dbus send_msg;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
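As an added example that is not part of the report: a small Python parser that reads USER_AVC records like the three above, confirms the fixed 25-second spacing of the pam_systemd retries, and derives the same two allow rules the reporter proposes. It takes the denied pair from the scontext/tcontext fields inside the quoted avc text, not from the outer subj= field (which is dbus-daemon reporting the denial). SAMPLE_AVCS is constructed from the report's three records, trimmed to the fields used.

```python
import re
from collections import OrderedDict

# Constructed sample: the three USER_AVC records from the report, trimmed to the fields used below.
SAMPLE_AVCS = """\
type=USER_AVC msg=audit(1627896558.056:885): pid=1070 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.377 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1627896583.098:886): pid=1070 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.378 spid=1 tpid=6592 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1627896608.151:892): pid=1070 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.382 spid=1089 tpid=6592 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
"""

# The denied pair is the scontext/tcontext inside the quoted avc text; the outer subj= is
# dbus-daemon (system_dbusd_t), which only reports the denial and must not end up in a rule.
AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):\d+\).*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ +tcontext=\w+:\w+:(?P<ttype>\w+):\S+ +tclass=(?P<tclass>\w+)"
)

def parse_denials(text):
    """One (timestamp, source type, target type, class, permission) tuple per denied permission."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m.group("perms").split():
                found.append((float(m.group("ts")), m.group("stype"), m.group("ttype"), m.group("tclass"), perm))
    return found

def gaps_seconds(denials):
    """Whole-second spacing between consecutive denials; a fixed period is the pam_systemd retry timeout."""
    ts = sorted(d[0] for d in denials)
    return [round(b - a) for a, b in zip(ts, ts[1:])]

def _perm_set(perms):
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def allow_rules(denials):
    """Collapse repeated denials into distinct TE allow rules, as audit2allow would print them."""
    by_key = OrderedDict()
    for _, s, t, cls, perm in denials:
        by_key.setdefault((s, t, cls), set()).add(perm)
    return ["allow %s %s:%s %s;" % (s, t, cls, _perm_set(sorted(p))) for (s, t, cls), p in by_key.items()]

def te_module(name, denials):
    """Wrap the rules in loadable module source: policy_module header plus gen_require for every type/class."""
    types = sorted({x for _, s, t, _, _ in denials for x in (s, t)})
    classes = OrderedDict()
    for _, _, _, cls, perm in denials:
        classes.setdefault(cls, set()).add(perm)
    req = ["\ttype %s;" % t for t in types] + ["\tclass %s %s;" % (c, _perm_set(sorted(p))) for c, p in classes.items()]
    return "\n".join(["policy_module(%s, 1.0)" % name, "", "gen_require(`"] + req + ["')", ""] + allow_rules(denials)) + "\n"
```

Feeding it raw `ausearch -m avc,user_avc` output (without `-i`, so the epoch timestamps survive) gives `gaps_seconds(...) == [25, 25]` for the report's records and a `te_module("zabbix_local_dbus", ...)` string identical in content to the reporter's module.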
Zabbix ships its own custom selinux policy module, so it needs to be addressed there.
Zdenek - Could you offer some suggestions here?

It looks like the current policy allows zabbix_t and zabbix_agent_t to run sudo when the boolean is configured via:

tunable_policy(`zabbix_run_sudo',`
	allow zabbix_agent_t self:capability { setgid setuid sys_resource };
	allow zabbix_agent_t self:process { setrlimit setsched };
	allow zabbix_agent_t self:key write;
	allow zabbix_agent_t self:passwd { passwd rootok };

	auth_rw_lastlog(zabbix_agent_t)
	auth_rw_faillog(zabbix_agent_t)
	auth_exec_chkpwd(zabbix_agent_t)

	selinux_compute_access_vector(zabbix_agent_t)

	systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
	systemd_dbus_chat_logind(zabbix_agent_t)
	systemd_dbus_chat_logind(zabbix_script_t)

	xserver_exec_xauth(zabbix_agent_t)
')

optional_policy(`
	tunable_policy(`zabbix_run_sudo',`
		sudo_exec(zabbix_agent_t)
		su_exec(zabbix_agent_t)
	')
')

Should I add another such block for zabbix_script_t? Or should I just add the rules suggested in this report, something like

allow init_t zabbix_script_t:dbus send_msg;
allow systemd_logind_t zabbix_script_t:dbus send_msg;

I'm not quite sure why zabbix_script_t is allowed to execute sudo in the first place. I worry a little bit that extending it to zabbix_script_t might not be what some people expect, but I imagine most consider scripts run by zabbix would be covered by the same boolean.
Some more things I don't understand. Here is the zabbix_script_t policy:

domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)
allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
allow zabbix_t zabbix_script_exec_t:file ioctl;

init_domtrans_script(zabbix_script_t)

optional_policy(`
	mta_send_mail(zabbix_script_t)
')

optional_policy(`
	unconfined_domain(zabbix_script_t)
')

* How do we transition from zabbix_agent_t to zabbix_script_t - aren't we only configuring it from zabbix_t?
* Isn't zabbix_script_t unconfined? Or do unconfined domains still not have access to dbus?
Just to note that zabbix 4.0 is EOL at this point.