selinux policy #28
Comments
Thanks for posting this issue. I agree the policy should probably be included with the Zabbix agent, not this module. I'll have a play around with it and maybe raise a request with Zabbix SIA. I'll also see if I can work around it within my own packages. I've never tested with selinux enabled (oops) and so there are probably also issues allowing the agent to connect to a database (though it should be able to connect to the network).
I ran it last weekend with zabbix_agent_t as permissive; the only restrictions that were met are: allow zabbix_agent_t modules_object_t:file { execute open }; Also I enabled the discovery rules for tables and indexes, but these do not discover for now...
I observed the same in trying to replicate the issue. Unfortunately the zabbix_agent_t context is actually deployed as part of the
I couldn't find the package maintainers for
@robbrucks suggested the following via email:
The above policy module I sent you is to allow the libzbxpgsql module to use the postgres socket (host=/tmp) instead of the TCP stack (host=localhost). I don't think this is the solution to the problem stated above by @lvg01. I'll try to recreate the original problem he's having.
@lvg01: what versions of OS, Zabbix agent, libzbxpgsql, and PG are you installing? I get a totally different SELinux issue on CentOS 7.3, Zabbix 3.2 with libzbxpgsql 1.1 and PG 9.2:
It generates the following policy file for me:
--Rob
@robbrucks I'm working on the socket. The local zabbix-agent has the libzbxpgsql.so module loaded. For the second option, I didn't test that; with the socket the setrlimit doesn't show up. Current versions are CentOS 7.3, Zabbix 3.0, PostgreSQL 9.4, libzbxpgsql 1.1.0-1
OK, yeah, if you're hitting the socket problem then what I originally sent to @cavaliercoder should do the trick. I had to use it too since I prefer socket connections. It just looked like the original problem you posted was an SELinux error executing the module. Best of luck!
Zabbix agent fails loading the /usr/lib64/modules/libzbxpgsql.so module, it's blocked by selinux. The zabbix agent context is zabbix_agent_t.
Complete selinux/audit log:
type=AVC msg=audit(1450956124.124:2421): avc: denied { execute } for pid=16905 comm="zabbix_agentd" path="/usr/lib64/modules/libzbxpgsql.so" dev="dm-0" ino=18252580 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Temporary workaround:
semanage permissive -a zabbix_agent_t
Permanent policy:
============= zabbix_agent_t ==============
allow zabbix_agent_t modules_object_t:file execute;
Maybe the permanent policy has to be included in the zabbix distribution...
Also there could be its own class (e.g. libzbxpgsql_object_t) for which zabbix_agent_t can get policy access.
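The two fixes discussed in the post (an audit-derived allow rule, and a dedicated type for the module file) worked through as an added example. This is not code from the libzbxpgsql project or from anyone in this issue: avc_to_te builds a loadable .te module from raw AVC records in the same way audit2allow does for the common case, so the rules are visible before anything is loaded, and dedicated_type_te writes the module the last paragraph proposes. The second AVC line in the sample is constructed to match what the thread reports ({ execute open }), and the module names, the type name libzbxpgsql_object_t and its permission list are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the libzbxpgsql project or from this issue.
# avc_to_te() builds a loadable SELinux policy module from raw AVC records,
# merging the permissions of all denials that share source type, target type
# and class (the common case audit2allow handles), so the resulting rules can
# be read before anything is installed.

# Constructed sample input: the "execute" denial quoted in the issue and an
# "open" denial of the same shape (the thread reports { execute open } as the
# full set needed). Double spaces are what ausearch --raw prints; single
# spaces, as in the issue text, are accepted too.
SAMPLE_AVC='type=AVC msg=audit(1450956124.124:2421): avc:  denied  { execute } for  pid=16905 comm="zabbix_agentd" path="/usr/lib64/modules/libzbxpgsql.so" dev="dm-0" ino=18252580 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1450956124.130:2422): avc:  denied  { open } for  pid=16905 comm="zabbix_agentd" path="/usr/lib64/modules/libzbxpgsql.so" dev="dm-0" ino=18252580 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file'

# avc_to_te MODULE_NAME   (AVC records on stdin, .te source on stdout)
avc_to_te() {
    awk -v modname="$1" '
    /avc: +denied +[{]/ {
        # permissions are the words between "denied {" and "}"
        if (!match($0, /denied +[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{]/, "", perms); sub(/[}]$/, "", perms)
        sdom = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, s, ":"); sdom = s[3] }
            else if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (sdom == "" || ttype == "" || tclass == "") next
        key = sdom SUBSEP ttype SUBSEP tclass
        if (!(key in rule))       { rule[key] = "";       order[++nrules] = key }
        if (!(sdom in types))     { types[sdom] = 1;      tlist[++ntypes] = sdom }
        if (!(ttype in types))    { types[ttype] = 1;     tlist[++ntypes] = ttype }
        if (!(tclass in classes)) { classes[tclass] = 1;  clist[++nclasses] = tclass }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen))     { seen[key, p[j]] = 1;     rule[key] = rule[key] " " p[j] }
            if (!((tclass, p[j]) in cseen)) { cseen[tclass, p[j]] = 1; cperm[tclass] = cperm[tclass] " " p[j] }
        }
    }
    END {
        if (nrules == 0) { print "avc_to_te: no AVC denials on stdin" > "/dev/stderr"; exit 1 }
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (i = 1; i <= ntypes; i++)   printf "    type %s;\n", tlist[i]
        for (i = 1; i <= nclasses; i++) printf "    class %s {%s };\n", clist[i], cperm[clist[i]]
        print "}\n"
        for (i = 1; i <= nrules; i++) {
            split(order[i], f, SUBSEP)
            printf "allow %s %s:%s%s;\n", f[1], f[2], f[3], fmt(rule[order[i]])
        }
    }
    # one permission goes bare, several go in braces, as audit2allow prints them
    function fmt(list, n, a) { n = split(list, a, " "); return (n == 1) ? " " a[1] : " {" list " }" }
    '
}

# The alternative the post proposes: a dedicated type for the module file, so
# zabbix_agent_t is not granted execute on every modules_object_t file (which
# is the label of kernel modules). Type name and permission list are assumed.
dedicated_type_te() {
    cat <<'EOF'
module libzbxpgsql 1.0;

require {
    type zabbix_agent_t;
    attribute file_type;
    class file { read getattr open execute };
}

# label for /usr/lib64/modules/libzbxpgsql.so; file_type lets the usual
# file-handling domains (restorecon, package manager) treat it as a normal file
type libzbxpgsql_object_t;
typeattribute libzbxpgsql_object_t file_type;

allow zabbix_agent_t libzbxpgsql_object_t:file { read getattr open execute };
EOF
}

# install_te MODULE_NAME   (.te on stdin; needs checkpolicy and policycoreutils)
install_te() {
    cat > "$1.te" &&
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Stand-alone run: print the module generated from the sample denials.
# On a real host:
#   ausearch -m avc -c zabbix_agentd --raw | avc_to_te zabbix_agent_local | tee zabbix_agent_local.te
#   install_te zabbix_agent_local < zabbix_agent_local.te
# For the dedicated type, after "dedicated_type_te | install_te libzbxpgsql":
#   semanage fcontext -a -t libzbxpgsql_object_t '/usr/lib64/modules/libzbxpgsql\.so'
#   restorecon -v /usr/lib64/modules/libzbxpgsql.so
printf '%s\n' "$SAMPLE_AVC" | avc_to_te zabbix_agent_local
```

Read the generated allow rules before loading them: each one is a permanent widening of zabbix_agent_t, and the audit-derived version grants execute on everything labelled modules_object_t, not just this .so. Two caveats for the dedicated-type variant, both assumptions to verify on the target host: newer policies define a map permission on the file class that loading a shared object also needs, and if the host policy already lets every domain use lib_t libraries (check with sesearch -A -s zabbix_agent_t -t lib_t -c file), relabelling the .so as lib_t may be simpler than a new type.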