zabbix-agent can't sudo with selinux-policy-3.13.1-229.el7_6.6

Question

zabbix-agent can't sudo with selinux-policy-3.13.1-229.el7_6.6

hairmare opened this issue 6 years ago · 0 comments

Some new policy seems to have been enforced and sudo (in UserParameters) for things like some app/lvm template are getting denied.

The new(?) SELinux bools don't seem to work. I tried:

setsebool zabbix_run_sudo=1
setsebool domain_kernel_load_modules=1

The current workaround is to semanage permissive -a zabbix_agent_t until we can fix our rabezbxzabbixagent SELinux module to let the zabbix user use sudo to run things like lvs.

On some investigation I found that this might be specific and due to how our pam stack is configured as the servers are configured as part of a freeipa domain.

I'm preparing a pr to address this and it should be ready after some more testing.