2

I know there are several topics about fping and zabbix, but I've read through them all and I am still having trouble getting something that should be pretty simple working.

I am trying to do a simple ping test from a host (that's running zabbix agent) to an external host.

In my zabbix_agentd.conf file I have setup a UserParameter such as:

UserParameter=vpnPing[*],fping $1 |grep -c alive

My fping permissions are as such:

# ls -l /sbin/fping
-rwsr-sr-x. 1 root zabbix 52904 Aug 5 2019 /sbin/fping

If I run the zabbix_agentd test I get (fake ip listed for example purposes)

# zabbix_agentd -t vpnPing[123.456.78.901]
vpnPing[123.456.78.901] [t|1]

So that seems to work.

When I go to the zabbix UI and look at the latest data I see:

2020-06-04 17:55:30 sh: /usr/sbin/fping: Permission denied
0

The interesting this is the 0 at the bottom. I've also seen it be 1 at times. That sounds like something is working, but I don't get why I get the permission denied.

Also when I look at the audit log I see:

type=AVC msg=audit(1591330891.927:15933): avc:  denied  { execute } for  pid=52320 comm="sh" name="fping" dev="nvme0n1p2" ino=8410299 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591330891.927:15933): arch=c000003e syscall=21 success=no exit=-13 a0=5601874ee450 a1=1 a2=7ffe62a48db0 a3=0 items=0 ppid=52319 pid=52320 auid=4294967295 uid=990 gid=988 euid=990 suid=990 fsuid=990 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID="unset" UID="zabbix" GID="zabbix" EUID="zabbix" SUID="zabbix" FSUID="zabbix" EGID="zabbix" SGID="zabbix" FSGID="zabbix"
type=PROCTITLE msg=audit(1591330891.927:15933): proctitle=7368002D63006670696E67203136372E3134342E38392E323238207C67726570202D6320616C697665

I'm running RHEL 8.2.

# zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.4.9

$ zabbix_server -V
zabbix_server (Zabbix) 4.4.9

# fping -v
fping: Version 3.16

I have the Item in Zabbix configured as Type: Zabbix agent

If I try: 

zabbix_get -s [my_zabbix_server_ip] -k vpnPing[123.456.78.901]

it does timeout (not sure why as I can ping it just fine normally): zabbix_get [30549]: Timeout while executing operation

But not sure that last part with zabbix_get is relevant b/c the checks to seem to be getting back to the zabbix server but it just says permission denied.

I've been struggling with this for a while now and hoping someone can help me out?

Vishal Shah
  • 21
  • 3
  • 1
    please do `su - zabbix` and run `usr/sbin/fping IP` and share the output. – binarysta Jun 05 '20 at 02:27
  • # sudo -u zabbix /usr/sbin/fping 123.456.78.901 123.456.78.901 is alive. – Vishal Shah Jun 05 '20 at 02:51
  • Thanks for your response @binarysta. I can run it that way as above as zabbix user. With the default install of Zabbix - the zabbix user is setup as /sbin/nologin. so su - zabbix doesn't work. – Vishal Shah Jun 05 '20 at 02:52
  • I can also run su -s /bin/bash zabbix and then run fping IP and it works as well. – Vishal Shah Jun 05 '20 at 03:40
  • I see from logs that `tcontext` is not correct, `tcontext=system_ubject_ring_exec_t:s0` while it should be`tcontext=system_u:object_r:ping_exec_t:s0`. please change and try again. – binarysta Jun 05 '20 at 04:02
  • Hi - not sure why the logs show it incorrectly, but when I do an ls -lZ /sbin/fping it shows # ls -lZ /sbin/fping -rwsr-sr-x. 1 root zabbix system_u:object_r:ping_exec_t:s0 52904 Aug 5 2019 /sbin/fping – Vishal Shah Jun 05 '20 at 04:15
  • I think maybe a copy/paste messed up the log file excerpt, but I've edited the original description to show it. Here it is as well. It seems in line with what you stated it should be. – Vishal Shah Jun 05 '20 at 04:24
  • type=AVC msg=audit(1591330891.927:15933): avc: denied { execute } for pid=52320 comm="sh" name="fping" dev="nvme0n1p2" ino=8410299 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1591330891.927:15933): arch=c000003e syscall=21 success=no exit=-13 a0=5601874ee450 a1=1 a2=7ffe62a48db0 a3=0 items=0 ppid=52319 pid=52320 auid=4294967295 uid=990 gid=988 euid=990 suid=990 fsuid=990 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:zabbix_agent_t:s0 – Vishal Shah Jun 05 '20 at 04:24
  • Referencing fping as "fping" relies on the pathspec including /shin which normally it does not for standard users. Try with "/sbin/fping" (or /usr/sbin depending on where it is). Also take care with letting zabbix run suid binaries .. – Pedro Jun 05 '20 at 10:03
  • Hi Pedro - thanks for the reply. I've tried it with /sbin/fping and I'm still getting the same permission denied error. – Vishal Shah Jun 05 '20 at 15:49
  • I believe I'm come closer to figuring this out. If I set the zabbix_agent_t to permissive mode it works. So it's definitely the SE linux policy. I'll setup the rules to make sure what I need is allowed. Thank you everyone for your help. – Vishal Shah Jun 08 '20 at 16:21

1 Answers1

0

As stated in the comments - your problem is most likely related to SElinux on RHEL8.

My solution was to circumvent SElinux with sudo as such:

$ grep ^zabbix /etc/sudoers

zabbix  ALL=NOPASSWD:/usr/sbin/hddtemp, /usr/sbin/smartctl, /usr/bin/fping

and call the fping with sudo in front. Same goes for smartctl amd hddtemp

Roman Spiak
  • 289
  • 1
  • 6