Hello,
I am trying to use a script for Zabbix.
On the first try I got this message when I tried to use the script:
sh: /usr/bin/sudo: no permission
I made new SELinux policies with audit2allow -a and then semodule -i.
Here are the new policies that I added:
Quote:
module zabbix_sudo 1.0;

require {
	type tmp_t;
	type kernel_t;
	type mysqld_var_run_t;
	type devlog_t;
	type mysqld_etc_t;
	type cluster_tmpfs_t;
	type sudo_exec_t;
	type zabbix_agent_t;
	class capability { sys_resource audit_write dac_override };
	class file { write execute read create unlink open execute_no_trans };
	class netlink_audit_socket { nlmsg_relay create };
	class sock_file write;
	class unix_dgram_socket { create connect sendto };
	class dir { write remove_name add_name };
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t cluster_tmpfs_t:file { read write open };
allow zabbix_agent_t devlog_t:sock_file write;
allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
allow zabbix_agent_t mysqld_etc_t:file read;
allow zabbix_agent_t mysqld_var_run_t:sock_file write;
allow zabbix_agent_t self:capability { sys_resource audit_write dac_override };
allow zabbix_agent_t self:netlink_audit_socket { nlmsg_relay create };
allow zabbix_agent_t self:unix_dgram_socket { create connect };
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t tmp_t:dir { write remove_name add_name };
allow zabbix_agent_t tmp_t:file { write create unlink open };
After this, when I try to execute the script I get this message:
sudo: unable to send audit message: Permission denied
If I set zabbix_agent_t permissive everything works fine.
Here is some additional information:
- user zabbix is in the sudoers group
- I get the same messages if I try it as normal root user
- semodule zabbix is enabled
Thank you in advance for your help.
(Please excuse my bad English)
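
One way to see which denials a module like the one quoted above still leaves uncovered, as an added example that is not part of the original post: it compares AVC denials against the module's allow rules. The audit lines are constructed sample input and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Allow rules copied from the zabbix_sudo module quoted in the post (subset).
MODULE_TE = """
allow zabbix_agent_t self:capability { sys_resource audit_write dac_override };
allow zabbix_agent_t self:netlink_audit_socket { nlmsg_relay create };
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t devlog_t:sock_file write;
"""

# Constructed audit.log lines for illustration only, not taken from the post.
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1400000000.101:51): avc:  denied  { execute } for  pid=900 comm="sh" name="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:52): avc:  denied  { read write } for  pid=901 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1400000000.103:53): avc:  denied  { create } for  pid=901 comm="sudo" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=netlink_audit_socket
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_allow_rules(te_text):
    """Return {(source, target, class): set(perms)} from simple allow rules."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt  # "self" means target == source
        rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def uncovered_denials(audit_text, rules):
    """Return {(source, target, class): set(perms)} denied but not allowed."""
    missing = defaultdict(set)
    for perms, scon, tcon, cls in AVC_RE.findall(audit_text):
        # The type is the third field of user:role:type[:level].
        key = (scon.split(":")[2], tcon.split(":")[2], cls)
        gap = set(perms.split()) - rules.get(key, set())
        if gap:
            missing[key].update(gap)
    return dict(missing)

if __name__ == "__main__":
    gaps = uncovered_denials(SAMPLE_AUDIT_LOG, parse_allow_rules(MODULE_TE))
    for (src, tgt, cls), perms in gaps.items():
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```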