View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017835 | CentOS-8 | selinux-policy | public | 2020-11-07 16:26 | 2020-11-07 16:26 |
Reporter | gtuminauskas | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | x86_64 | OS | CentOS | OS Version | 7.8.2003 |
Summary | 0017835: SELinux prevents zabbix_agent from running sudo | ||||
Description | I need to have zabbix_agent run sudo, but SELinux prevents this. | ||||
Steps To Reproduce |

```
# cat /etc/sudoers.d/zabbix
Defaults:zabbix !requiretty
zabbix ALL=(root) NOPASSWD: /usr/sbin/ipactl status
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
# cat /etc/zabbix/zabbix_agentd.d/userparameter_idm.conf
UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v "(INFO\: The ipactl command was successful$|: RUNNING$)"
```
Additional Information |

```
type=AVC msg=audit(1604763867.398:8141): avc: denied { read } for pid=10651 comm="sudo" name="sssd.conf" dev="vda1" ino=16805513 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1604763867.398:8141): arch=c000003e syscall=2 success=no exit=-13 a0=7fc97ec24152 a1=0 a2=1b6 a3=24 items=0 ppid=10650 pid=10651 auid=4294967295 uid=0 gid=385 euid=0 suid=0 fsuid=0 egid=0 sgid=385 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.398:8141): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.408:8142): avc: denied { execute_no_trans } for pid=10653 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=118001 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1604763867.408:8142): arch=c000003e syscall=59 success=no exit=-13 a0=7fc9797ba3ad a1=7ffc6f213b20 a2=7fc9799bd388 a3=2 items=0 ppid=10651 pid=10653 auid=4294967295 uid=0 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.408:8142): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.411:8143): avc: denied { create } for pid=10653 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1604763867.411:8143): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=726550203a64656c items=0 ppid=10651 pid=10653 auid=4294967295 uid=0 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.411:8143): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.412:8144): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1604763867.412:8144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=796c7265646e7520 items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.412:8144): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.412:8145): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket permissive=0
type=SYSCALL msg=audit(1604763867.412:8145): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7ffc6f213860 items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.412:8145): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.412:8146): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1604763867.412:8146): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=206e6f697373696d items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.412:8146): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.412:8147): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1604763867.412:8147): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=6e6962732f727375 items=0 ppid=10650 pid=10651 auid=4294967295 uid=0 gid=385 euid=0 suid=0 fsuid=0 egid=0 sgid=385 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.412:8147): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.413:8148): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket permissive=0
type=SYSCALL msg=audit(1604763867.413:8148): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fc985fe1b0c items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.413:8148): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.413:8149): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket permissive=0
type=SYSCALL msg=audit(1604763867.413:8149): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fc985fe1b0c items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.413:8149): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.413:8150): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1604763867.413:8150): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=206e6f697373696d items=0 ppid=10650 pid=10651 auid=4294967295 uid=386 gid=385 euid=0 suid=0 fsuid=0 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=PROCTITLE msg=audit(1604763867.413:8150): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
```
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2020-11-07 16:26 | gtuminauskas | New Issue |
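
Added example, not part of the original report: a Python pass over the audit records quoted in the Additional Information field that collapses repeated AVC denials into unique source-type / target-type / class tuples and decodes the hex `proctitle`, so the accesses a policy review has to consider are visible at a glance. The function names are this example's own, and the embedded sample is a subset of the report's records.

```python
import re
from collections import defaultdict

# Sample input: five AVC records and one PROCTITLE record copied from this report.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1604763867.398:8141): avc: denied { read } for pid=10651 comm="sudo" name="sssd.conf" dev="vda1" ino=16805513 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1604763867.398:8141): proctitle=7375646F002F7573722F7362696E2F69706163746C00737461747573
type=AVC msg=audit(1604763867.408:8142): avc: denied { execute_no_trans } for pid=10653 comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=118001 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1604763867.411:8143): avc: denied { create } for pid=10653 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1604763867.412:8144): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1604763867.412:8145): avc: denied { create } for pid=10651 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket permissive=0
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(r'type=PROCTITLE msg=audit\([\d.]+:(\d+)\): proctitle=([0-9A-Fa-f]+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def decode_proctitle(hex_argv):
    """auditd hex-encodes argv with NUL separators; return the argument list."""
    return bytes.fromhex(hex_argv).decode('utf-8', 'replace').split('\x00')

def summarize(audit_text):
    """Group denials by (source type, target type, class); collect perms and a hit count."""
    denials = defaultdict(lambda: {'perms': set(), 'count': 0})
    commands = {}  # audit event serial -> decoded command line
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
            denials[key]['perms'].update(m['perms'].split())
            denials[key]['count'] += 1
            continue
        p = PROCTITLE_RE.search(line)
        if p:
            commands[int(p[1])] = decode_proctitle(p[2])
    return dict(denials), commands

if __name__ == '__main__':
    denials, commands = summarize(SAMPLE_AUDIT)
    for (src, tgt, cls), d in sorted(denials.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(d['perms']))} }} x{d['count']}")
    print(commands)
```

The host is in enforcing mode, so each denied call failed and sudo may never have attempted later accesses; the resulting set can be incomplete and should be read as the denials seen so far.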