View Issue Details

IDProjectCategoryView StatusLast Update
0015898CentOS-7selinux-policypublic2019-03-06 04:28
Reporterryzn 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0015898: SELinux is preventing sh from 'execute' accesses on the file /usr/bin/sudo.
DescriptionDescription of problem:
SELinux is preventing sh from 'execute' accesses on the file /usr/bin/sudo.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow zabbix to run sudo
Then you must tell SELinux about this by enabling the 'zabbix_run_sudo' boolean.

Do
setsebool -P zabbix_run_sudo 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that sh should be allowed execute access on the sudo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -i my-sh.pp

Additional Information:
Source Context system_u:system_r:zabbix_agent_t:s0
Target Context system_u:object_r:sudo_exec_t:s0
Target Objects /usr/bin/sudo [ file ]
Source sh
Source Path sh
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages sudo-1.8.23-3.el7.x86_64
Policy RPM selinux-policy-3.13.1-229.el7_6.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-957.5.1.el7.x86_64 #1 SMP
                              Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64
Alert Count 4
First Seen 2019-03-06 10:26:23 +07
Last Seen 2019-03-06 10:26:23 +07
Local ID e7aeae93-ce06-4841-ad8d-eb95f173982b

Raw Audit Messages
type=AVC msg=audit(1551842783.569:28307274): avc: denied { execute } for pid=45009 comm="sh" name="sudo" dev="sda3" ino=2449190 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0


Hash: sh,zabbix_agent_t,sudo_exec_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-229.el7_6.9.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.5.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash82783f816c26833d0080403a15ca4f8307d781d67e7c7d10594e5088e4baad7a
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-03-06 04:28 ryzn New Issue