Zabbix, SE Linux, httpd_t /bin/ps?

Hi fedora-list,

I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
was SE Linux.

I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
as not running. But it is running:

root@pettingzoo:/etc/selinux# pidof zabbix_server 
21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710

When I reload the aforementioned php page, I notice that the messages
log is spewing this:

Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc
ino=1477115906 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir

root@pettingzoo:/etc/selinux# pidof zabbix_agentd 
21964 21963 21962 21961 21960 21958

I'm assuming comm="ps" indicates that report1.php is trying to access
/bin/ps to determine if the server is running. Does scontext mean
"source context"? I'll assume tcontext is "target context".

I've confirmed that report1.php is trying to obtain the status via
get_status() in config.inc.php:

   // server: exec() returns the last line of output, i.e. the count from wc -l;
   // each call spawns a shell and /bin/ps from inside the httpd_t domain, which is
   // the access the AVC denial above records (comm="ps", scontext=...httpd_t...)
   if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
      (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
   {
      $status["zabbix_server"] = S_YES;
   }
   else
   {
      $status["zabbix_server"] = S_NO;
   }


1. I think I want to know how I can allow only zabbix's web application
access to /bin/ps (or exec() or anything else it needs) without opening
that up for everything httpd_t. Possible?

2. I'm trying to understand what unconfined_t is. I guess that
zabbix_agentd is httpd_t and that it needs unconfined_t?

Is there anything wise I can do to remedy this, so that zabbix functions
as it needs to, without defeating the purposes of SE Linux?

Thanks for any clues.

-- 
Brian Clark

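Added example, not part of this thread: a small Python parser for kernel AVC denial lines like the one quoted above. Its field comments answer the scontext/tcontext question (source context is the denied process, target context is the object it touched), and allow_rules() merges denials into the type-enforcement allow rules a local policy module would need, the same derivation audit2allow performs. The second AVC line and the sshd line in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the denial quoted in the post, re-joined onto one line,
# plus a second constructed AVC line and one non-AVC line to exercise the parser.
SAMPLE_LOG = """\
Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc ino=1477115906 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
Mar  9 22:49:34 pettingzoo kernel: audit(1173498573.120:1159): avc: denied  { read } for  pid=22546 comm="ps" name="status" dev=proc ino=1477115907 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file
Mar  9 22:49:35 pettingzoo sshd[4242]: Accepted publickey for brian from 192.0.2.10
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple    # permissions requested, e.g. ("getattr",)
    comm: str       # command name of the denied process
    scontext: str   # source context: label of the process that was denied
    tcontext: str   # target context: label of the object it tried to touch
    tclass: str     # object class (dir, file, process, ...)

    @property
    def source_type(self):
        return self.scontext.split(":")[2]  # user:role:type:level -> type

    @property
    def target_type(self):
        return self.tcontext.split(":")[2]

def parse_avc_line(line):
    """Return an AvcDenial for a kernel AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(perms=tuple(m.group("perms").split()), comm=fields.get("comm", ""),
                     scontext=fields["scontext"], tcontext=fields["tcontext"],
                     tclass=fields["tclass"])

def allow_rules(log_text):
    """Merge denials into one TE allow rule per (source type, target type, class),
    the same derivation audit2allow performs; read the result before loading it."""
    merged = {}
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d is not None:
            merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

A generated rule such as `allow httpd_t unconfined_t:dir { getattr };` grants every process in httpd_t that access to every unconfined_t directory, not just the Zabbix pages, which is why reading the merged rules before loading them is the check that keeps the policy narrow.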