Zabbix, SE Linux, httpd_t /bin/ps?
Brian Clark
brian+nevdull at unwell.org
Sat Mar 10 04:16:53 UTC 2007
Hi fedora-list,
I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
was SE Linux.
I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
as not running. But it is running:
root at pettingzoo:/etc/selinux# pidof zabbix_server
21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710
When I reload the aforementioned php page, I notice that the messages
log is spewing this:
Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: denied { getattr } for pid=22546 comm="ps" name="22539" dev=proc ino=1477115906 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
root at pettingzoo:/etc/selinux# pidof zabbix_agentd
21964 21963 21962 21961 21960 21958
I'm assuming comm="ps" indicates that report1.php is trying to access
/bin/ps to determine if the server is running. Does scontext mean
"source context"? I'll assume tcontext is "target context".
I've confirmed that report1.php is trying to obtain the status via
get_status() in config.inc.php:
// server
if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
    (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
{
    $status["zabbix_server"] = S_YES;
}
else
{
    $status["zabbix_server"] = S_NO;
}
1. I think I want to know how I can allow only zabbix's web application
access to /bin/ps (or exec() or anything else it needs) without opening
that up for everything httpd_t. Possible?
2. I'm trying to understand what unconfined_t is. I guess that
zabbix_agentd is httpd_t and that it needs unconfined_t?
Is there anything wise I can do to remedy this, so that zabbix functions
as it needs to, without defeating the purposes of SE Linux?
Thanks for any clues.
--
Brian Clark