Bug 2160180 - Zabbix script cannot execute the chronyc command
Summary: Zabbix script cannot execute the chronyc command
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: zabbix6.0
Version: epel8
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-11 16:19 UTC by Renaud Métrich
Modified: 2023-02-28 02:29 UTC (History)

Fixed In Version: zabbix6.0-6.0.13-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-28 02:29:59 UTC
Type: Bug
Embargoed:




Links:
System: Red Hat Issue Tracker
ID: FC-709
Priority / Status / Summary: None
Last Updated: 2023-01-13 13:52:39 UTC

Description Renaud Métrich 2023-01-11 16:19:00 UTC
Description of problem:

chronyc command is confined to chronyc_t, as such we need to make sure Zabbix scripts get a transition when executing chronyc.

For now, there is no transition, causing *chronyd* to pop an AVC when it tries to answer the chronyc client:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(1673453345.225:434): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1673453345.225:434): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fffcd41c070 a2=0 a3=0 items=0 ppid=1 pid=1233 auid=4294967295 uid=988 gid=984 euid=988 suid=988 fsuid=988 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1673453345.225:434): avc:  denied  { sendto } for  pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The solution consists in adding a transition:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
domtrans_pattern(zabbix_script_t, chronyc_exec_t, chronyc_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-108.el8.noarch and Fedora Upstream

How reproducible:

Always

Steps to Reproduce:
1. Create a fake Zabbix agent and Zabbix script executing chronyc

  /usr/local/bin/zabbix_agent:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  #!/bin/sh
  echo "$0 executing as `id -Z`"
  exec /usr/local/bin/zabbix_script
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  /usr/local/bin/zabbix_script:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  #!/bin/sh
  echo "$0 executing as `id -Z`"
  exec chronyc dump
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Label the scripts accordingly

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # chmod +x /usr/local/bin/zabbix_agent /usr/local/bin/zabbix_script
  # chcon -t zabbix_agent_exec_t /usr/local/bin/zabbix_agent
  # chcon -t zabbix_script_exec_t /usr/local/bin/zabbix_script
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Execute the fake agent as a systemd service (to have the transitions occur)

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # systemd-run /usr/local/bin/zabbix_agent 
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results: AVC on chronyd

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  time->Wed Jan 11 17:09:05 2023
  type=PROCTITLE msg=audit(1673453345.225:434): proctitle="/usr/sbin/chronyd"
  type=SYSCALL msg=audit(1673453345.225:434): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fffcd41c070 a2=0 a3=0 items=0 ppid=1 pid=1233 auid=4294967295 uid=988 gid=984 euid=988 suid=988 fsuid=988 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
  type=AVC msg=audit(1673453345.225:434): avc:  denied  { sendto } for  pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results: No AVC
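The following shell script is an added example and is not part of the bug report or of the zabbix package. It does two things a defender would want when triaging this class of denial: it pulls the relevant fields (permission, object class, source and target domain) out of an AVC record like the one quoted above, and it emits the source of a small local SELinux module that adds the `domtrans_pattern(zabbix_script_t, chronyc_exec_t, chronyc_t)` transition the report proposes. The helper names (`avc_field`, `avc_summary`, `domtrans_module`) and the module name `zabbix_chronyc_local` are assumptions made here; the sample AVC line is the one from the report, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the bug report. Parses an audit AVC record
# and generates a local policy module adding the missing domain transition.

# Constructed sample: the AVC quoted in the report, embedded so this runs offline.
SAMPLE_AVC='type=AVC msg=audit(1673453345.225:434): avc:  denied  { sendto } for  pid=1233 comm="chronyd" path="/run/chrony/chronyc.7495.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:zabbix_script_t:s0 tclass=unix_dgram_socket permissive=0'

# avc_field LINE KEY -> value of the first KEY=value token in LINE, quotes stripped
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
    }'
}

# avc_summary LINE -> "<permissions> <class> <source type> <target type>"
# The type is the third field of an SELinux context (user:role:type:level).
avc_summary() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    src=$(avc_field "$line" scontext | cut -d: -f3)
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)
    cls=$(avc_field "$line" tclass)
    printf '%s %s %s %s\n' "$perms" "$cls" "$src" "$tgt"
}

# domtrans_module NAME SOURCE_DOMAIN EXEC_TYPE TARGET_DOMAIN
# Prints refpolicy .te source for a local module that makes processes in
# SOURCE_DOMAIN transition to TARGET_DOMAIN when they execute EXEC_TYPE files.
# Build and load on a host with selinux-policy-devel installed (assumed steps):
#   make -f /usr/share/selinux/devel/Makefile NAME.pp && semodule -i NAME.pp
# Verify with: sesearch -T -s SOURCE_DOMAIN -t EXEC_TYPE -c process
domtrans_module() {
    cat <<EOF
policy_module($1, 1.0)

gen_require(\`
    type $2, $3, $4;
')

domtrans_pattern($2, $3, $4)
EOF
}

# Stand-alone run: summarise the denial, then print the module that fixes it.
avc_summary "$SAMPLE_AVC"
domtrans_module zabbix_chronyc_local zabbix_script_t chronyc_exec_t chronyc_t
```

On the sample line `avc_summary` reports `sendto unix_dgram_socket chronyd_t zabbix_script_t`, which shows why the denial is misleading at first glance: the process that is denied is chronyd, but the real defect is on the other end, where chronyc is still running in zabbix_script_t because no transition fired. Feeding this AVC to audit2allow would propose `allow chronyd_t zabbix_script_t:unix_dgram_socket sendto;`, which silences the message while leaving chronyc unconfined in the script domain; the transition rule above is the fix the report (and the shipped zabbix6.0-6.0.13-1.el8 update) applies instead.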

Comment 1 Zdenek Pytela 2023-01-13 13:51:08 UTC
Switching the component as zabbix ships its own policy module.

Comment 2 Fedora Update System 2023-02-19 04:06:05 UTC
FEDORA-EPEL-2023-05285498ec has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-05285498ec

Comment 3 Fedora Update System 2023-02-20 01:29:23 UTC
FEDORA-EPEL-2023-05285498ec has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-05285498ec

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-02-28 02:29:59 UTC
FEDORA-EPEL-2023-05285498ec has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

