Thomas Mueller
Did anybody try to get this policy enhancement upstream? (https://github.com/TresysTechnology/refpolicy-contrib/blob/master/zabbix.te , https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/zabbix.te ) ? This would IMHO be the real solution. If nobody is working on this I'm going to...
Looks like it's already fixed in RHEL 7.3: https://bugzilla.redhat.com/show_bug.cgi?id=1393332 and Fedora 25+ (https://bugzilla.redhat.com/show_bug.cgi?id=1323518)
Fedora setrlimit capability for zabbix_agent_t: https://bugzilla.redhat.com/show_bug.cgi?id=1323518 but the unix_dgram_socket is not included. Does anybody know why this is needed?
@bastelfreak Indeed the RHEL 7.3 bug has status VERIFIED. Seems like they fixed it for Fedora 25+ but forgot to do it in RHEL :-/ I do see the necessity...
setrlimit patch for upstream refpolicy: http://oss.tresys.com/pipermail/refpolicy/2017-May/009635.html
Seems like another patch is needed: https://support.zabbix.com/browse/ZBX-11631?focusedCommentId=209779&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-209779 zabbix_script_t is Fedora/EL only. Created a PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/13
@bastelfreak do you know or have you any reference on why the self:unix_dgram_socket (https://github.com/voxpupuli/puppet-zabbix/blob/master/files/zabbix-agent.te#L11) permission is needed? Why should the zabbix agent be able to create a UDP socket?
@bastelfreak do you have any UDP checks executed by the zabbix agent?
refpolicy setrlimit patch was merged: https://github.com/TresysTechnology/refpolicy-contrib/commit/9fbf1b94fa4e9f6936ea7100f606ac572ed7af95
The setrlimit patch will be available in [RHEL/CentOS 7.4](https://bugzilla.redhat.com/show_bug.cgi?id=1393332#c8)
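The thread above asks twice why zabbix_agent_t needs self:unix_dgram_socket and tracks which permissions (setrlimit, unix_dgram_socket) each distribution's policy already grants. The way to answer that kind of question is not to guess but to read the AVC denials the agent actually produced and turn them into allow rules, which is what audit2allow does. The script below is an added example, not code from puppet-zabbix or from any of the linked policies: it contains a tiny parser that converts raw AVC lines into `allow` rules (mapping identical source and target types to `self`, as audit2allow does), a helper that compiles and loads a .te module with the standard policycoreutils tools, and two constructed AVC lines modelled on the audit(1) format, which are sample input only and not real logs from anyone's host. The module name `zabbix-agent-local` is an assumption.

```shell
#!/bin/sh
# Added example (not part of the puppet-zabbix repository or the linked policies).
# Constructed AVC lines in the audit(1) format; sample input only, not real logs.
SAMPLE_AVC='type=AVC msg=audit(1496000000.123:456): avc:  denied  { setrlimit } for  pid=1234 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
type=AVC msg=audit(1496000001.123:457): avc:  denied  { create } for  pid=1234 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket permissive=0'

# avc_to_allow: read raw AVC lines on stdin and print one allow rule per denial:
#   allow <source type> <target type or self>:<class> { <permissions> };
# Source and target types are the third field of the contexts (user:role:type:level).
# When source and target are the same type the rule uses "self", like audit2allow.
avc_to_allow() {
  sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  while read -r stype ttype tclass perms; do
    [ "$stype" = "$ttype" ] && ttype=self
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
  done
}

# build_module FILE.te: compile a policy module and load it into the running
# policy. Needs checkmodule, semodule_package and semodule (policycoreutils)
# and root; the module name is taken from the file name.
build_module() {
  name=${1%.te}
  checkmodule -M -m -o "$name.mod" "$1" &&
  semodule_package -o "$name.pp" -m "$name.mod" &&
  semodule -i "$name.pp"
}

# Typical use on a host where the agent is being denied:
#   ausearch -m AVC -c zabbix_agentd --raw | avc_to_allow
# The comm= and tclass= fields in the real denial tell you which operation needed
# unix_dgram_socket; only a denial seen on the host justifies adding the rule.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
fi
```

Run it with `--demo` to see the rules derived from the two constructed denials, or pipe real `ausearch --raw` output into `avc_to_allow`. Keep in mind that a rule generated this way is only as narrow as the denial that produced it: check the `comm=` and `tclass=` fields before adding anything to zabbix-agent.te, and prefer the refpolicy interface (e.g. `allow_ptrace`-style macros) over a raw allow when one exists for the access.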