SELinux blocking sudo from zabbix_agentd
The way to handle this is to collect all the information about what access the program needs, and then explicitly allow only that access in a custom policy module.
This is fairly easy to do.
First, you set the domain permissive, so that SELinux temporarily does not enforce its rules. It will still log the denials, and later you will use these logs.
semanage permissive -a zabbix_agent_t
Next, let the program run and let it do whatever it needs to do. The audit log will fill up with what would have been denied, and these logs also show what permissions will need to be granted. Then view these logs with ausearch.
ausearch -r -m avc -ts today
We'll generate a local policy module containing the necessary permissions. (You need to use the -r option with ausearch here so that the output can be processed by other scripts.)
If you saw clearly irrelevant entries, redirect the output to a file, and then edit it to remove them. Then use the file here instead.
ausearch -r -m avc -ts today | audit2allow -M zabbix_megacli
Finally, we install our new local policy module and re-enable SELinux enforcement.
semodule -i zabbix_megacli.pp
semanage permissive -d zabbix_agent_t
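The whole procedure above as one script, added here as an example that is not part of the original answer; it assumes the answer's domain name zabbix_agent_t and module name zabbix_megacli, adds a filter so that only denials from that domain reach audit2allow (the "remove irrelevant entries" step), and the audit records used for its dry run are constructed.

```shell
#!/bin/sh
# Added example script (not from the original answer): runs the steps above and
# filters the raw audit records so only zabbix_agent_t denials reach audit2allow.
# Assumed: domain zabbix_agent_t and module name zabbix_megacli as in the answer.

DOMAIN="zabbix_agent_t"
MODULE="zabbix_megacli"

# Keep only AVC "denied" records whose source context (scontext) is our domain.
# Raw ausearch output (-r) also carries SYSCALL/CWD/PATH records and denials
# from other domains; audit2allow only needs the AVC lines, and dropping the
# rest keeps unrelated rules out of the generated module.
keep_domain_avc() {
    grep -E "^type=AVC .* denied .* scontext=[^ ]*:${DOMAIN}:"
}

# The full procedure, run as root: permissive -> reproduce -> collect -> review -> load.
build_module() {
    semanage permissive -a "$DOMAIN"
    printf '%s is permissive; trigger the Zabbix item now, then press Enter.\n' "$DOMAIN" >&2
    read -r _ignored
    ausearch -r -m avc -ts today | keep_domain_avc > "${MODULE}.avc"
    # -M writes ${MODULE}.te (human-readable rules) and ${MODULE}.pp (loadable).
    audit2allow -M "$MODULE" < "${MODULE}.avc"
    printf 'Rules that will be granted (%s.te):\n' "$MODULE" >&2
    cat "${MODULE}.te" >&2
    semodule -i "${MODULE}.pp"
    semanage permissive -d "$DOMAIN"
}

# Constructed sample of raw records: two zabbix_agent_t denials, one SYSCALL
# record and one unrelated httpd_t denial, to show what the filter keeps.
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd" subj=system_u:system_r:zabbix_agent_t:s0
type=AVC msg=audit(1700000000.101:301): avc:  denied  { execute } for  pid=4242 comm="zabbix_agentd" name="sudo" dev="dm-0" ino=1337 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=4243 comm="sudo" name="sudoers" dev="dm-0" ino=2048 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:303): avc:  denied  { name_connect } for  pid=5555 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

if [ "${1:-}" = "run" ]; then
    build_module
else
    # Dry run: show which of the sample records would be handed to audit2allow.
    sample_records | keep_domain_avc
fi
```

Without arguments the script only prints the filtered sample records; `sh script.sh run` as root performs the real collect-build-install cycle and shows the generated .te rules before loading them.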