puppet-zabbix
agent.pp introduces a dependence on selinux module
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 4.5.2
- Ruby:
- Distribution: Centos 6.8
- Module version: 4.0.0
How to reproduce (e.g Puppet code you use)
Install zabbix module without installing selinux module
What are you seeing
Zabbix fails:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Invalid resource type selinux::module at /etc/puppetlabs/code/environments/production/modules/zabbix/manifests/agent.pp:387:5 on node ev-web320.ca2prd
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
What behaviour did you expect instead
No dependencies on outside classes
Output log
See above
Any additional information you'd like to impart
Problem code is here, in agent.pp:

```puppet
# the agent doesn't work perfectly fine with selinux
# https://support.zabbix.com/browse/ZBX-11631
if $facts['selinux'] == true and $manage_selinux {
  selinux::module { 'zabbix-agent':
    ensure    => 'present',
    source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
    before    => Service['zabbix-agent'],
  }
}
```
We have selinux disabled or in permissive mode everywhere, so the presence of a workaround for ZBX-11631 doesn't affect us.
Hi, thanks for bringing this up. In my opinion this is not a bug. The selinux module is listed as a dependency. This is not supposed to work without the dependency. I assume your box has selinux in the permissive mode, so the if condition evaluates to true and zabbix tries to implement the selinux::module. However, you can disable this by setting manage_selinux to false.
Fair enough. I'm not a big fan of horizontal module dependencies being enabled by default. This isn't the first module to do so.
On May 24, 2017 3:22 PM, "Tim Meusel" wrote: [the reply quoted above]
We discussed this at length in our IRC channel. I try to keep modules as simple as possible, with as few dependencies as needed. But we also try to provide a default configuration that works out of the box. The selinux resource is needed if you've selinux in the enforcing mode. In the last release we only deployed it if the selinux mode was actually enforcing. We switched it to also deal with the permissive mode. There can be some edge cases where somebody switches from permissive to enforcing and then the zabbix agent won't start. We work around this by deploying the policy always if selinux is enabled.
Did anybody try to get this policy enhancement upstream? (https://github.com/TresysTechnology/refpolicy-contrib/blob/master/zabbix.te , https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/zabbix.te ) ? This would IMHO be the real solution.
If nobody is working on this I'm going to do it.
looks like it's already fixed in RHEL 7.3: https://bugzilla.redhat.com/show_bug.cgi?id=1393332 and Fedora 25+ (https://bugzilla.redhat.com/show_bug.cgi?id=1323518)
Fedora setrlimit capability for zabbix_agent_t: https://bugzilla.redhat.com/show_bug.cgi?id=1323518
but the unix_dgram_socket is not included. Does anybody know why this is needed?
@vinzent a few weeks back I found an issue on the zabbix bugtracker where they discussed bringing it into upstream. As far as I know this still isn't fixed in centos7.3. I would prefer it if upstream handles this instead of us. I just wanted to provide a working module for a valid usecase.
@bastelfreak Indeed the RHEL 7.3 bug has status VERIFIED. seems like they fixed it for Fedora 25+ but forgot to do it in RHEL :-/
I do see the necessity of the setrlimit. but the udp socket rights do not make sense to me ATM.
I'm not a huge fan of integrating such "magically fix os bugs"-features into modules. For me this is clearly a profile thing. But I know too that what modules should and should not do is highly opinionated. :)
setrlimit patch for upstream refpolicy: http://oss.tresys.com/pipermail/refpolicy/2017-May/009635.html
seems like another patch is needed: https://support.zabbix.com/browse/ZBX-11631?focusedCommentId=209779&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-209779
zabbix_script_t is fedora/el only. created a PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/13
@bastelfreak do you know, or do you have any reference on, why the self:unix_dgram_socket (https://github.com/voxpupuli/puppet-zabbix/blob/master/files/zabbix-agent.te#L11) permission is needed? Why should the zabbix agent be able to create a UDP socket?
I'm a selinux novice, I just created the policy by playing with audit2allow and the audit.log.
@bastelfreak might you have any UDP checks executed by the zabbix agent?
I didn't configure any checks. This happened directly after a fresh installation. Maybe I'll have time later to reproduce it and send you some logs.
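The exchange above turns on what audit2allow does with AVC denials, so here is an added example (not code from puppet-zabbix or from any participant in the thread) of the same transformation done by hand: a small POSIX shell/awk script that reads audit.log lines, keeps only AVC denials, merges permissions per source type, target type and class, and emits a type-enforcement module in the shape `audit2allow -m` produces. Two points it makes visible: a target context equal to the source context becomes `self`, which is how `self:unix_dgram_socket` ends up in a generated .te; and the SELinux class `unix_dgram_socket` is an AF_UNIX datagram socket (the kind syslog(3) opens towards /dev/log), a different class from `udp_socket`, which is what an IPv4/IPv6 UDP check would hit. The AVC lines are constructed, not taken from a real host: the `setrlimit` and `unix_dgram_socket` denials mirror the rules the thread discusses, the `var_log_t` dir denial is invented only to exercise the non-self path, and the function name `avc_to_te` is mine. Whether the syslog path is what produced the rule in the module's zabbix-agent.te is not established by the thread.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style generator, not project code.
# SAMPLE_AVC is CONSTRUCTED. The setrlimit and unix_dgram_socket denials
# mirror the rules discussed in the issue; the var_log_t dir denial is
# made up to exercise the non-self target path; the SYSCALL record is
# noise that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1495634530.123:456): avc:  denied  { setrlimit } for  pid=1234 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
type=SYSCALL msg=audit(1495634530.123:456): arch=c000003e syscall=160 success=no exit=-13 comm="zabbix_agentd"
type=AVC msg=audit(1495634530.456:457): avc:  denied  { create } for  pid=1234 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1495634530.789:458): avc:  denied  { connect } for  pid=1234 comm="zabbix_agentd" path="/dev/log" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1495634531.001:459): avc:  denied  { search } for  pid=1234 comm="zabbix_agentd" name="log" dev="dm-0" ino=128 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

# avc_to_te MODULE_NAME
# Reads audit records on stdin, keeps AVC denials only, merges the
# permissions of every (source type, target type, class) triple and prints
# a module: "module" header, require block, then one allow rule per triple.
# A target type equal to the source type is written as "self".
avc_to_te() {
  awk -v modname="${1:-zabbix_agent_local}" '
  function braces(p) { return (index(p, " ") ? "{ " p " }" : p) }
  /^type=AVC / && / denied / {
    perms = ""
    if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
    s = ""; t = ""; c = ""
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      if (eq == 0) continue
      k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
      if (k == "scontext") s = v
      else if (k == "tcontext") t = v
      else if (k == "tclass") c = v
    }
    if (s == "" || t == "" || c == "" || perms == "") next
    split(s, sp, ":"); split(t, tp, ":")
    stype = sp[3]
    ttype = (tp[3] == stype) ? "self" : tp[3]
    if (!(stype in types)) { types[stype] = 1; type_list[++ntypes] = stype }
    if (ttype != "self" && !(ttype in types)) { types[ttype] = 1; type_list[++ntypes] = ttype }
    if (!(c in classes)) { classes[c] = 1; class_list[++nclasses] = c }
    key = stype SUBSEP ttype SUBSEP c
    if (!(key in rules)) { rules[key] = ""; rule_list[++nrules] = key }
    n = split(perms, pa, " ")
    for (j = 1; j <= n; j++) {
      p = pa[j]
      if (!((key, p) in seen)) {
        seen[key, p] = 1
        rules[key] = (rules[key] == "") ? p : rules[key] " " p
      }
      if (!((c, p) in cseen)) {
        cseen[c, p] = 1
        cperms[c] = (cperms[c] == "") ? p : cperms[c] " " p
      }
    }
  }
  END {
    print "module " modname " 1.0;"
    print ""
    print "require {"
    for (i = 1; i <= ntypes; i++) print "\ttype " type_list[i] ";"
    for (i = 1; i <= nclasses; i++)
      print "\tclass " class_list[i] " " braces(cperms[class_list[i]]) ";"
    print "}"
    print ""
    for (i = 1; i <= nrules; i++) {
      split(rule_list[i], k3, SUBSEP)
      print "allow " k3[1] " " k3[2] ":" k3[3] " " braces(rules[rule_list[i]]) ";"
    }
  }'
}

# On a real host you would feed ausearch output in and then compile and
# load the result (these commands are not run here):
#   ausearch -m AVC -c zabbix_agentd | avc_to_te zabbix_agent_local > zabbix_agent_local.te
#   checkmodule -M -m -o zabbix_agent_local.mod zabbix_agent_local.te
#   semodule_package -o zabbix_agent_local.pp -m zabbix_agent_local.mod
#   semodule -i zabbix_agent_local.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te zabbix_agent_local
```

Read the generated module the way a reviewer would, not the way audit2allow does: every allow rule is a permission the daemon asked for once, and a `self:unix_dgram_socket { create connect }` line only tells you a Unix-domain datagram socket was opened, not what it was for. Checking the matching SYSCALL record (the path or peer) before shipping the rule is what separates a policy fix from a denial-silencer.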
refpolicy setrlimit patch was merged: https://github.com/TresysTechnology/refpolicy-contrib/commit/9fbf1b94fa4e9f6936ea7100f606ac572ed7af95
The setrlimit patch will be available in RHEL/CentOS 7.4