Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Idempotentifies "Add SEmodule to fix SELinux issue: zabbix_alerter.sock" task for Zabbix Server #1433

Closed
wants to merge 13 commits into from

Conversation

tux-repos
Copy link

SUMMARY

The way SELinux was initially applied resulted in a "CHANGED" every time the task was executed.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

zabbix_server

ADDITIONAL INFORMATION

Originally the SELinux context was applied using a .bsx file, this seems to be some sort of self-extracting shell script.
I have taken the steps that were used in that file and translated them into Ansible tasks, this also makes the play more transparent and also idempotent.

With a little bit of elbow grease you could apply these same steps for #1340 and resolve this issue as it stems from the same cause.

@eb4x
Copy link
Collaborator

eb4x commented Dec 19, 2024

I've been meaning of getting around to that annoying selinux compiled file, cause I'm not that fond of it either. If you've reversed its content and it's represented in the .te file you provided, maybe we should just drop this part completely and install the zabbix-selinux-policy package from zabbix themselves?

https://www.zabbix.com/documentation/current/en/manual/installation/install_from_packages/rhel#selinux-configuration

I've just held off on this because it might break the original contributors setup, but the contents of zabbix-selinux-policy seems to have most of it covered, provided here for convenience;

module zabbix_policy 1.2;
require {
  type zabbix_t;
  type zabbix_port_t;
  type zabbix_var_run_t;
  type postgresql_port_t;
  type httpd_t;
  class tcp_socket name_connect;
  class sock_file { create unlink };
  class unix_stream_socket connectto;
}
#============= zabbix_t ==============
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t zabbix_port_t:tcp_socket name_connect;
allow zabbix_t zabbix_var_run_t:sock_file create;
allow zabbix_t zabbix_var_run_t:sock_file unlink;
allow httpd_t zabbix_port_t:tcp_socket name_connect;
#============= httpd_t ==============
allow httpd_t postgresql_port_t:tcp_socket name_connect;

Curious to know what @pyrodie18 and @BGmot think?

@eb4x
Copy link
Collaborator

eb4x commented Dec 21, 2024

I had a second look, and extracted the tar.gz archive from the .bsx file, and saw the contents of it. So all that checks out. Then I had a third look, and we're already installing the zabbix-selinux-policy package for zabbix_server.

I think the correct approach is just to remove the .bsx script tasks all together in zabbix_server. Then do the same for zabbix_proxy, and make sure we install the zabbix-selinux-policy there aswell.

Where is this zabbix_proxy_alerter.sock in #1340 even getting created at this point? From what I can tell, it's just bad configuration where its path is set to /tmp instead of /var/lib/zabbix, or atleast that's what I've gathered from this other sock related issue; https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-write-access-on-the-sock_file-4175710406/

@tux-repos
Copy link
Author

Oh wow, totally skipped over that because I had my attention on the .bsx task. I think you're right, these tasks are superfluous in that case. Much more convenient fix to just snip it out :)

@eb4x
Copy link
Collaborator

eb4x commented Dec 23, 2024

Oh wow, totally skipped over that because I had my attention on the .bsx task. I think you're right, these tasks are superfluous in that case. Much more convenient fix to just snip it out :)

You wanna take a second stab at this and strip the task out instead?

@tux-repos
Copy link
Author

Made a new PR with a clean fork; closing this one

@tux-repos tux-repos closed this Dec 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants