Zabbix & SNMPTT.log file access denied

fedora selinux zabbix

I'm having a problem with a file accessed by Zabbix to process all the SNMP trap data using a file /var/log/snmptt/snmptt.log.

zabbix_proxy.log:

 23323:20140430:105246.532 sleeping for 5 seconds
 23329:20140430:105247.070 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
 23329:20140430:105247.070 sleeping for 1 seconds
 23329:20140430:105248.070 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
 23329:20140430:105248.071 sleeping for 1 seconds
 23329:20140430:105249.071 cannot open [/var/log/snmptt/snmptt.log]: [13] Permission denied
 23329:20140430:105249.071 sleeping for 1 seconds

SELinux audit log:

time->Wed Apr 30 09:58:11 2014
type=SYSCALL msg=audit(1398869891.560:41198): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1398869891.560:41198): avc:  denied  { read } for  pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Wed Apr 30 09:58:12 2014
type=SYSCALL msg=audit(1398869892.560:41199): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1398869892.560:41199): avc:  denied  { read } for  pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

I don't understand SELinux.

Does anyone know what flag I need to activate on the file to avoid these file access denied messages from SELinux?

Best Answer

Unfortunately, there's no such "flag". The closest would be a boolean, and according to the zabbix_selinux(8) manpage, there's no boolean defined to grant read access to a log file in an arbitrary location.

You don't give details regarding the actual labeling of the files under the /var/log/snmptt/ directory. The expected labeling may or may not match the expected label of other SNMP related log files, as per semanage():

# semanage fcontext -l | grep '/var/log/snmp'
/var/log/snmpd\.log.*           regular file       system_u:object_r:snmpd_log_t:s0

The solution, then, would be to grant zabbix read access to those logfiles. Filter your audit log using audit2allow(1):

# echo "
> time->Wed Apr 30 09:58:11 2014
> type=SYSCALL msg=audit(1398869891.560:41198): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
> type=AVC msg=audit(1398869891.560:41198): avc:  denied  { read } for  pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> ----
> time->Wed Apr 30 09:58:12 2014
> type=SYSCALL msg=audit(1398869892.560:41199): arch=c000003e syscall=2 success=no exit=-13 a0=16ffee0 a1=0 a2=1 a3=8 items=0 ppid=23309 pid=23329 auid=4294967295 uid=995 gid=996 euid=995 suid=995 fsuid=995 egid=996 sgid=996 fsgid=996 ses=4294967295 tty=(none) comm="zabbix_proxy" exe="/usr/sbin/zabbix_proxy_sqlite3" subj=system_u:system_r:zabbix_t:s0 key=(null)
> type=AVC msg=audit(1398869892.560:41199): avc:  denied  { read } for  pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> " | audit2allow


#============= zabbix_t ==============
allow zabbix_t var_log_t:file read;

The procedure to build a custom module is detailed in the audit2allow(1) manpage.

You'd normally build a module, install or update it, and test the behavior of your application under the new security restrictions, and further refine the module. This is easily done by putting your machine in permissive mode while you test/develop a new module. Use setenforce(8) to do that.
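
The module build that the answer points to, sketched as an added example (not part of the original answer): a small awk parser turns AVC denials like the ones in the question into a module source file, and the build step uses the compile, package and install commands from audit2allow(1). The function names `avc_to_te` and `build_module` and the module name `zabbix_snmptt` are assumptions made for this example; the rule is emitted as `{ read }`, which is equivalent to the `read` form audit2allow prints.

```sh
# Added example; the module name "zabbix_snmptt" is an assumption, not from the page.
# AVC record copied from the audit log in the question.
SAMPLE_AVC='type=AVC msg=audit(1398869891.560:41198): avc:  denied  { read } for  pid=23329 comm="zabbix_proxy" name="snmptt.log" dev="dm-5" ino=133641 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'
# avc_to_te NAME: audit records on stdin -> module source (.te) on stdout.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        perms = $0                       # permissions sit between the braces
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record
        if (!(src in types)) { types[src] = 1; torder[++nt] = src }
        if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
        key = src SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((cls, p[j]) in cseen)) {       # permissions needed per class
                cseen[cls, p[j]] = 1; if (!(cls in cperm)) corder[++nc] = cls
                cperm[cls] = cperm[cls] " " p[j]
            }
            if ((key, p[j]) in seen) continue    # repeated denial, already covered
            seen[key, p[j]] = 1
            if (!(key in allow)) order[++nk] = key
            allow[key] = allow[key] " " p[j]     # merge into one rule per key
        }
    }
    END {
        if (nk == 0) exit 1              # no denials found on stdin
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], cperm[corder[i]]
        print "}\n"
        for (i = 1; i <= nk; i++) {
            split(order[i], k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], allow[order[i]]
        }
    }'
}

# Compile, package and load the module on the SELinux host (steps from audit2allow(1)).
build_module() {
    avc_to_te "$1" > "$1.te" && checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" && semodule -i "$1.pp"
}
```

Read the generated `.te` before loading it: the rule applies to every file labelled `var_log_t`, not only snmptt.log. Feeding the function all denials collected while testing merges their permissions into a single allow rule per source, target and class.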