selinux policy #28

Open
lvg01 opened this issue Dec 24, 2015 · 9 comments

Comments

@lvg01

lvg01 commented Dec 24, 2015

Zabbix agent fails loading the /usr/lib64/modules/libzbxpgsql.so module, it's blocked by selinux. The zabbix agent context is zabbix_agent_t.

Complete selinux/audit log:

type=AVC msg=audit(1450956124.124:2421): avc: denied { execute } for pid=16905 comm="zabbix_agentd" path="/usr/lib64/modules/libzbxpgsql.so" dev="dm-0" ino=18252580 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file

Temporary workaround:

semanage permissive -a zabbix_agent_t

Permanent policy:

============= zabbix_agent_t ==============

allow zabbix_agent_t modules_object_t:file execute;

Maybe the permanent policy has to be included in the zabbix distribution...

Also there can be an own class (e.g. libzbxpgsl_object_t) for which zabbix_agent_t can get policy access.

@cavaliercoder
Collaborator

Thanks for posting this issue. I agree the policy should probably be included with the Zabbix agent, not this module. I'll have a play around with it and maybe raise a request with Zabbix SIA. I'll also see if I can work around it within my own packages.

I've never tested with selinux enabled (oops) and so there are probably also issues allowing the agent to connect to a database (though it should be able to connect to the network).

@lvg01
Author

lvg01 commented Dec 28, 2015

I ran it last weekend with zabbix_agent_t as permissive; the only restrictions that were hit are:

allow zabbix_agent_t modules_object_t:file { execute open };
allow zabbix_agent_t postgresql_var_run_t:sock_file write;

Also I enabled the discovery rules for tables and indexes but these do not discover for now...

@cavaliercoder
Collaborator

I observed the same in trying to replicate the issue.

Unfortunately the zabbix_agent_t context is actually deployed as part of the selinux-policy-targeted package (the CentOS default targeted policy) and is not managed by Zabbix SIA. I'm doing some research into how to raise an issue with the right people to get this addressed.

@cavaliercoder
Collaborator

I couldn't find the package maintainers for selinux-policy-targeted so I've escalated to Zabbix in ZBX-10610.

@cavaliercoder
Collaborator

@robbrucks suggested the following via email:

module zabbix_agent_pg 1.0;
 
require {
type postgresql_var_run_t;
type zabbix_agent_t;
class sock_file write;
}
 
#============= zabbix_agent_t ==============
allow zabbix_agent_t postgresql_var_run_t:sock_file write;

@robbrucks
Collaborator

robbrucks commented Feb 20, 2017

The above policy module I sent you is to allow the libzbxpgsql module to use the postgres socket (host=/tmp) instead of TCP stack (host=localhost). I don't think this is the solution to the problem stated above by @lvg01. I'll try to recreate the original problem he's having.

@robbrucks
Collaborator

robbrucks commented Feb 20, 2017

@lvg01 : what versions of OS, Zabbix agent, libzbxpsql, and PG are you installing?

I get a totally different SE Linux issue on Centos 7.3, Zabbix 3.2 with libzbxpgsql 1.1 and PG 9.2:

SELinux is preventing /usr/sbin/zabbix_agentd from using the setrlimit access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that zabbix_agentd should be allowed setrlimit access on processes labeled zabbix_agent_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -i my-zabbixagentd.pp


Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:system_r:zabbix_agent_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_agentd
Source Path                   /usr/sbin/zabbix_agentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           zabbix-agent-3.2.3-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     iscsi.robbrucks.com
Platform                      Linux iscsi.robbrucks.com
                              3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18
                              13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   8
First Seen                    2017-02-20 15:09:50 CST
Last Seen                     2017-02-20 15:11:02 CST
Local ID                      efb1c345-c86f-4c2c-bdde-8350f5610bc5

Raw Audit Messages
type=AVC msg=audit(1487625062.33:1164): avc:  denied  { setrlimit } for  pid=3074 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process


type=SYSCALL msg=audit(1487625062.33:1164): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7ffd09e50da0 a2=0 a3=7ffd09e50b20 items=0 ppid=1 pid=3074 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

Hash: zabbix_agentd,zabbix_agent_t,zabbix_agent_t,process,setrlimit

================================================================

It generates the following policy file for me:

module my-zabbixagentd 1.0;

require {
	type zabbix_agent_t;
	class process setrlimit;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;

--Rob
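The rule aggregation that `audit2allow -M` performs in Rob's command above, and that produced the module formats quoted earlier in this thread, as an added example that is not part of this issue or of libzbxpgsql: a small Python re-implementation that parses AVC denial lines into a TE module with a `require` block and `allow` rules (using `self` for same-type denials such as setrlimit). The sample AVC lines are constructed from the denials quoted in this thread plus an "open" and a sock_file "write" denial matching lvg01's reported rules; the module name `zabbix_agent_local` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the execute and setrlimit denials quoted in this thread,
# plus an "open" and a sock_file "write" denial matching lvg01's allow rules.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450956124.124:2421): avc: denied { execute } for pid=16905 comm="zabbix_agentd" '
    'scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file',
    'type=AVC msg=audit(1450956124.125:2422): avc: denied { open } for pid=16905 comm="zabbix_agentd" '
    'scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file',
    'type=AVC msg=audit(1487625062.33:1164): avc:  denied  { setrlimit } for  pid=3074 comm="zabbix_agentd" '
    'scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process',
    'type=AVC msg=audit(1487625100.10:1170): avc: denied { write } for pid=3074 comm="zabbix_agentd" '
    'scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]      # user:role:type:level -> type
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def fmt_perms(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    return next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))

def build_module(lines, name="zabbix_agent_local", version="1.0"):
    """Aggregate denials into a TE module in the layout audit2allow -M emits."""
    rules = defaultdict(set)                   # (stype, ttype, tclass) -> perms
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            s, t, c, perms = parsed
            rules[(s, t, c)] |= perms
    classes = defaultdict(set)                 # tclass -> every permission referenced
    for (_, _, c), perms in rules.items():
        classes[c] |= perms
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for s, t, c in sorted(rules):
        target = "self" if s == t else t       # same-type denials use the self keyword
        out.append("allow %s %s:%s %s;" % (s, target, c, fmt_perms(rules[(s, t, c)])))
    return "\n".join(out) + "\n"
```

The emitted .te text still goes through the usual checkmodule, semodule_package and semodule -i sequence, and each generated allow rule is worth reading before loading, since it widens the zabbix_agent_t domain permanently.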

@lvg01
Author

lvg01 commented Feb 21, 2017

@robbrucks I'm working on the socket. The local zabbix-agent has the libzbxpgsql.so module loaded.
Therefore the first suggestion seems the one that is useful for me.

For the second option, I didn't test that, with the socket the setrlimit doesn't show up.

Current versions are Centos 7.3, Zabbix 3.0, Postgresql 9.4, libzbxpgsql 1.1.0-1

@robbrucks
Collaborator

OK, yeah, if you're hitting the socket problem then what I originally sent to @cavaliercoder should do the trick. I had to use it too since I prefer socket connections. It just looked like the original problem you posted was an SE linux error executing the module. Best of luck!
