Zabbix, SE Linux, httpd_t /bin/ps?
Stephen Smalley
sds at tycho.nsa.gov
Mon Mar 12 13:32:33 UTC 2007
On Fri, 2007-03-09 at 23:16 -0500, Brian Clark wrote:
> Hi fedora-list,
>
> I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
> was SE Linux.
fedora-selinux-list is the right list for selinux questions.
Also see
http://fedoraproject.org/wiki/SELinux/
http://selinux.sourceforge.net/resources.php3
> I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
> as not running. But it is running:
>
> root@pettingzoo:/etc/selinux# pidof zabbix_server
> 21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710
>
> When I reload the aforementioned php page, I notice that the messages
> log is spewing this:
>
> Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
> denied { getattr } for pid=22546 comm="ps" name="22539" dev=proc
> ino=1477115906 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
>
> root@pettingzoo:/etc/selinux# pidof zabbix_agentd
> 21964 21963 21962 21961 21960 21958
>
> I'm assuming comm="ps" indicates that report1.php is trying to access
> /bin/ps to determine if the server is running. Does scontext mean
> "source context"? I'll assume tcontext is "target context".
Yes. A "ps" process with pid 22546 running in httpd_t tried to
access /proc information about a process with pid 22539 running in
unconfined_t, and this wasn't allowed by policy.
> I've confirmed that report1.php is trying to obtain the status via
> get_status() in config.inc.php:
>
> // server
> if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
> (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
> {
> $status["zabbix_server"] = S_YES;
> }
> else
> {
> $status["zabbix_server"] = S_NO;
> }
>
>
> 1. I think I want to know how I can allow only zabbix's web application
> access to /bin/ps (or exec() or anything else it needs) without opening
> that up for everything httpd_t. Possible?
Requires running the script in a separate process (better) or
introducing an apache module that switches security context around the
script invocation (weak, but possibly better than nothing).
> 2. I'm trying to understand what unconfined_t is. I guess that
> zabbix_agentd is httpd_t and that it needs unconfined_t?
It sounds like report1.php is running in httpd_t (since it runs
in-process in your httpd server) and invoking ps from your description.
It tried to access the /proc state of another process that is running in
unconfined_t. zabbix_server and zabbix_agentd would likely both be in
unconfined_t if they run as daemons (vs. being launched from httpd) and
don't have any domain defined.
> Is there anything wise I can do to remedy this, so that zabbix functions
> as it needs to, without defeating the purposes of SE Linux?
Putting the zabbix processes into their own domain, and then only
allowing httpd_t to interact with that domain instead of all of
unconfined_t would help.
--
Stephen Smalley
National Security Agency
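As an added example, not part of this thread and not code from the Zabbix or SELinux projects: a small Python parser for AVC denial lines of the shape quoted above. It pulls the source type, target type, object class and permissions out of each denial, groups them the way audit2allow does, and emits the corresponding allow rule. It also shows the point of the reply: a rule whose target is unconfined_t opens httpd_t to every unconfined process, so the example flags that and lets the target be narrowed to a dedicated domain. The sample log is constructed (the first line is the thread's denial joined back onto one line, the second is made up), and zabbix_t is an assumed name for the dedicated domain the reply recommends, not a type that exists in the shipped policy.

```python
import re

# Constructed sample input for this example: the denial quoted in the
# thread (joined back onto one line; the mail client wrapped it) plus a
# second, made-up denial for a file under the same /proc directory.
SAMPLE_LOG = """\
Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: denied { getattr } for pid=22546 comm="ps" name="22539" dev=proc ino=1477115906 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.995:1159): avc: denied { read } for pid=22546 comm="ps" name="stat" dev=proc ino=1477115907 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),
        'pid': int(fields['pid']),
        'comm': fields.get('comm'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class) and union
    their permissions, the same grouping audit2allow works from."""
    groups = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['source_type'], d['target_type'], d['tclass'])
        groups.setdefault(key, set()).update(d['perms'])
    return groups


def suggest_rules(log_text, narrow=None):
    """Emit allow rules for the summarized denials.

    `narrow` maps a target type to a dedicated domain, e.g.
    {'unconfined_t': 'zabbix_t'}; zabbix_t is an assumed name for the
    domain the reply recommends creating, not an existing policy type.
    A rule left targeting unconfined_t is flagged, because it would let
    httpd_t read the /proc state of every unconfined process on the host,
    not just the Zabbix daemons."""
    narrow = narrow or {}
    rules = []
    for (src, tgt, tclass), perms in sorted(summarize(log_text).items()):
        tgt = narrow.get(tgt, tgt)
        if tgt == 'unconfined_t':
            rules.append('# WARNING: unconfined_t covers every unconfined process; '
                         'define a dedicated domain and target that instead')
        rules.append('allow %s %s:%s { %s };' % (src, tgt, tclass, ' '.join(sorted(perms))))
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    print('# narrowed to a dedicated domain:')
    for rule in suggest_rules(SAMPLE_LOG, narrow={'unconfined_t': 'zabbix_t'}):
        print(rule)
```

Run as-is it prints the broad rules with the warning, then the narrowed ones (`allow httpd_t zabbix_t:dir { getattr };` and `allow httpd_t zabbix_t:file { read };`). The narrowed rules only make sense once the daemons actually run in that domain, which is the separate step of defining the domain and transitioning the zabbix binaries into it; the rules here only describe the httpd_t side of the interaction the reply describes.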