I have some Zabbix checks that require sudo. These are the contents of /etc/sudoers.d/zabbix
zabbix ALL=(ALL) NOPASSWD: /bin/yum history
zabbix ALL=(ALL) NOPASSWD: /bin/needs-restarting
zabbix ALL=(ALL) NOPASSWD: /sbin/check31
zabbix ALL=(ALL) NOPASSWD: /usr/sbin/crm_mon --as-xml
When I force check from my Zabbix proxy I get the following permission
denied error (pacemaker.status uses /usr/sbin/crm_mon --as-xml):
bash-5.0$ zabbix_get -s my-server -k pacemaker.status
sudo: PAM account management error: System error
sudo: unable to send audit message: Permission denied
I verified SELinux is indeed blocking my calls by temporarily setting SELinux in permissive mode.
Then, I tried allowing these calls by going through the following steps.
First, I rotated the audit log as it was full with irrelevant messages from previous issues:
service auditd rotate
I then removed all dontaudits from the policy:
semodule -DB
On the Zabbix proxy I triggered the error by executing the zabbix_get call as stated above.
From the logs I created an SELinux module and installed it with semodule:
cat /var/log/audit/audit.log | audit2allow -M zabbix-agent
semodule -i zabbix-agent.pp
Still, I get the same permission denied error on sending the audit message when I execute zabbix_get. I did some research, turning off dontaudits should do the trick and force SELinux to log additional messages to address this issue, but I have and it doesn't work for my situation.
This is the zabbix-agent.te file audit2allow has built:
module zabbix-agent 1.0;
require {
type zabbix_agent_t;
type chkpwd_exec_t;
class unix_dgram_socket create;
class file execute_no_trans;
class netlink_audit_socket create;
}
#============= zabbix_agent_t ==============
allow zabbix_agent_t chkpwd_exec_t:file execute_no_trans;
allow zabbix_agent_t self:netlink_audit_socket create;
allow zabbix_agent_t self:unix_dgram_socket create;
Best Answer
Did you try:
if you already allowed the above, then you may try this:
Good luck