
I have some Zabbix checks that require sudo. These are the contents of /etc/sudoers.d/zabbix

zabbix ALL=(ALL)    NOPASSWD: /bin/yum history
zabbix ALL=(ALL)    NOPASSWD: /bin/needs-restarting
zabbix ALL=(ALL)    NOPASSWD: /sbin/check31
zabbix ALL=(ALL)    NOPASSWD: /usr/sbin/crm_mon --as-xml

When I force a check from my Zabbix proxy I get the following permission denied error (pacemaker.status uses /usr/sbin/crm_mon --as-xml):

bash-5.0$ zabbix_get -s my-server -k pacemaker.status
sudo: PAM account management error: System error
sudo: unable to send audit message: Permission denied

I verified SELinux is indeed blocking my calls by temporarily setting SELinux to permissive mode.

Then, I tried allowing these calls by going through the following steps.

First, I rotated the audit log as it was full with irrelevant messages from previous issues:

service auditd rotate

I then removed all dontaudits from the policy:

semodule -DB

On the Zabbix proxy I triggered the error by executing the zabbix_get call as stated above.

From the logs I created an SELinux module and installed it with semodule:

cat /var/log/audit/audit.log | audit2allow -M zabbix-agent
semodule -i zabbix-agent.pp

Still, I get the same permission denied error on sending the audit message when I execute zabbix_get. I did some research; turning off dontaudits should do the trick and force SELinux to log additional messages to address this issue, but I have done so and it doesn't work for my situation.

This is the zabbix-agent.te file audit2allow has built:

module zabbix-agent 1.0;

require {
    type zabbix_agent_t;
    type chkpwd_exec_t;
    class unix_dgram_socket create;
    class file execute_no_trans;
    class netlink_audit_socket create;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t chkpwd_exec_t:file execute_no_trans;
allow zabbix_agent_t self:netlink_audit_socket create;
allow zabbix_agent_t self:unix_dgram_socket create;
Rens Verhage

2 Answers


Did you try:

setsebool -P zabbix_can_network=1

if you already allowed the above, then you may try this:

yum install policycoreutils-python
semanage permissive -a zabbix_agent_t

Good luck


I had a similar issue (running a RAID controller check on an selinux enabled machine).

The missing link for me was the:

semodule -DB

to enable some non-audit policies. Then recapture the policy.

Reference was: https://forums.centos.org/viewtopic.php?t=62829 . It's important to have selinux set to permissive first, when you capture. Pretty much like you, I did something like (after setting to permissive and capturing and applying policy):

log rotate, remove old log:

service auditd rotate

semodule -DB

(disables dontaudit rules)

  • run the command from zabbix (configuration - hosts - execute once)
  • run the following to get the policy file

    grep -i avc /var/log/audit/audit.log | audit2allow -M policyx

  • run

    semodule -i policyx.pp

  • run command in Zabbix again to check if it works

  • run

    semodule -B

    to enable no-audit rules again.

My sudoers rule looks like:

zabbix ALL=(root) NOPASSWD: /opt/MegaRAID/storcli/storcli64

I tested whether the zabbix user (which has a nologin shell) could run the command like this:

su -s /bin/bash -c 'sudo /opt/MegaRAID/storcli/storcli64 /c0 /eall /sall show' zabbix

I recommend trying the same for your commands to make sure they execute properly as user zabbix.

I also used restorecon on the sudoers and shadow file, but not sure if that helped. I also set the zabbix_agent_t context on the script I run, but that might not have had effect.

Last but not least, here is the policy file I applied that did the trick for me, perhaps you can just compile and apply it and see if it works:

cat mypolz1.te

module mypolz1 1.0;

require {
    type zabbix_exec_t;
    type zabbix_agent_t;
    type system_dbusd_t;
    class capability { net_admin sys_admin };
    class dbus send_msg;
    class unix_dgram_socket write;
    class file { execute execute_no_trans };
    class netlink_audit_socket { read write };
}

#============= zabbix_agent_t ==============

#!!!! This avc is allowed in the current policy
allow zabbix_agent_t self:capability net_admin;
allow zabbix_agent_t self:capability sys_admin;

#!!!! This avc is allowed in the current policy
allow zabbix_agent_t self:netlink_audit_socket { read write };

#!!!! This avc is allowed in the current policy
allow zabbix_agent_t self:unix_dgram_socket write;

#!!!! This avc is allowed in the current policy
allow zabbix_agent_t system_dbusd_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow zabbix_agent_t zabbix_exec_t:file { execute execute_no_trans };

As you can see I had some policies set; perhaps sys_admin is the one that did the trick (before that I got the command running but no output).

I think iteration is key, because after every step you will get different issues that the policy apply will then mitigate. Good luck!
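As an added example (not from the question or either answer), here is a small POSIX shell helper that does one pass of the capture loop described in the answer above, but filters the audit log to the zabbix_agent_t domain so unrelated denials do not end up in the module, and lists what audit2allow is about to allow before anything is installed. The sample audit records are constructed; the domain, module name and check command are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# Assumptions: RHEL/CentOS with auditd and policycoreutils-python (audit2allow),
# run as root. Domain, module name and the check command are placeholders.

# Constructed sample audit records: two zabbix_agent_t denials caused by sudo
# (PAM password helper exec, audit netlink socket) and one unrelated httpd one.
SAMPLE_AUDIT='type=AVC msg=audit(1600000000.123:456): avc:  denied  { create } for  pid=1234 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket permissive=0
type=AVC msg=audit(1600000000.124:457): avc:  denied  { execute_no_trans } for  pid=1234 comm="sudo" path="/usr/sbin/unix_chkpwd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.125:458): avc:  denied  { read } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Keep only AVC records whose source context is the given domain, so denials from
# other services that happened to land in audit.log are not allowed by the module.
avc_for_domain() {
    grep 'type=AVC' | grep -E "scontext=[^ ]*:$1:"
}

# Reduce each record to "source target:class { perms }" for review; audit2allow
# will allow exactly these, so read the list before installing the module.
summarise_avc() {
    sed -n 's/.*denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3:\4 { \1}/p'
}

# One pass of the loop from the answer: rotate the log, drop dontaudit rules,
# trigger the check as the zabbix user, build the module, restore dontaudit rules.
# Usage: capture_pass zabbix_agent_t zabbix-agent 'sudo /usr/sbin/crm_mon --as-xml'
capture_pass() {
    domain="$1"; module="$2"; cmd="$3"
    service auditd rotate                       # start from a fresh audit.log
    semodule -DB                                # make dontaudit'ed denials visible
    su -s /bin/bash -c "$cmd" zabbix || true    # the denial is expected here
    avc_for_domain "$domain" < /var/log/audit/audit.log > "$module.avc"
    semodule -B                                 # re-enable dontaudit rules right away
    echo "Denials that $module.te will allow:"
    summarise_avc < "$module.avc" | sort -u
    audit2allow -M "$module" < "$module.avc"    # writes $module.te and $module.pp
    echo "Review $module.te, then install with: semodule -i $module.pp"
}

# Dry run on the constructed sample (no root needed): shows the two sudo denials
# from the question and leaves the httpd record out.
printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain zabbix_agent_t | summarise_avc
```

Run capture_pass once per failing check and repeat until the check succeeds, since each installed module typically uncovers the next denial further along in sudo's PAM and audit path.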