Zabbix, SE Linux, httpd_t /bin/ps?

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 12 13:32:33 UTC 2007


On Fri, 2007-03-09 at 23:16 -0500, Brian Clark wrote:
> Hi fedora-list,
> 
> I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
> was SE Linux.

fedora-selinux-list is the right list for selinux questions.
Also see
http://fedoraproject.org/wiki/SELinux/
http://selinux.sourceforge.net/resources.php3

> I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
> as not running. But it is running:
> 
> root at pettingzoo:/etc/selinux# pidof zabbix_server 
> 21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710
> 
> When I reload the aforementioned php page, I notice that the messages
> log is spewing this:
> 
> Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
> denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc
> ino=1477115906 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
> 
> root at pettingzoo:/etc/selinux# pidof zabbix_agentd 
> 21964 21963 21962 21961 21960 21958
> 
> I'm assuming comm="ps" indicates that report1.php is trying to access
> /bin/ps to determine if the server is running. Does scontext mean
> "source context"? I'll assume tcontext is "target context".

Yes.  A "ps" process with pid 22546 running in httpd_t tried to
access /proc information about a process with pid 22539 running in
unconfined_t, and this wasn't allowed by policy.

> I've confirmed that report1.php is trying to obtain the status via
> get_status() in config.inc.php:
> 
>    // server
>    if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
>       (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
>    {  
>       $status["zabbix_server"] = S_YES;
>    }
>    else
>    {  
>       $status["zabbix_server"] = S_NO;
>    }
> 
> 
> 1. I think I want to know how I can allow only zabbix's web application
> access to /bin/ps (or exec() or anything else it needs) without opening
> that up for everything httpd_t. Possible?

Requires running the script in a separate process (better) or
introducing an apache module that switches security context around the
script invocation (weak, but possibly better than nothing).

> 2. I'm trying to understand what unconfined_t is. I guess that
> zabbix_agentd is httpd_t and that it needs unconfined_t?

It sounds like report1.php is running in httpd_t (since it runs
in-process in your httpd server) and invoking ps from your description.
It tried to access the /proc state of another process that is running in
unconfined_t.  zabbix_server and zabbix_agentd would likely both be in
unconfined_t if they run as daemons (vs. being launched from httpd) and
don't have any domain defined.

> Is there anything wise I can do to remedy this, so that zabbix functions
> as it needs to, without defeating the purposes of SE Linux?

Putting the zabbix processes into their own domain, and then only
allowing httpd_t to interact with that domain instead of all of
unconfined_t would help.

-- 
Stephen Smalley
National Security Agency
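As an added illustration (not code from this thread, from Zabbix or from the SELinux project), the following helper parses the kernel AVC record quoted above into its fields, reads the source and target types out of scontext/tcontext as the reply explains them, and flags the cross-domain /proc access; the function and field names are my own, and the second sample log line is constructed only to show that non-AVC records are skipped.

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted in the thread, re-joined onto one
# line, plus an unrelated syslog line to show that non-AVC records are skipped.
SAMPLE_LOG = [
    'Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: '
    'denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc '
    'ino=1477115906 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:system_r:unconfined_t:s0 tclass=dir',
    'Mar  9 22:49:34 pettingzoo httpd: [notice] reloading config',
]

AVC_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"

@dataclass
class AvcEvent:
    timestamp: float
    verdict: str
    perms: list
    fields: dict

    def domain(self, key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[key].split(':')[2]

def parse_avc(line):
    """Return an AvcEvent for a kernel AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcEvent(float(m.group('ts')), m.group('verdict'), m.group('perms').split(), fields)

def triage(ev):
    """Summarise a denial the way the reply does: which domain touched which, and why it matters."""
    src, tgt = ev.domain('scontext'), ev.domain('tcontext')
    tclass, name = ev.fields.get('tclass'), ev.fields.get('name', '')
    proc_access = ev.fields.get('dev') == 'proc' and tclass in ('dir', 'file')
    # Under /proc a directory named by digits is another process's pid entry.
    target_pid = name if proc_access and tclass == 'dir' and name.isdigit() else None
    if tgt == 'unconfined_t':
        advice = (f'target has no domain of its own; confine it and allow {src} to reach '
                  f'only that domain instead of allowing {src} -> unconfined_t')
    else:
        advice = f'review whether {src} legitimately needs {" ".join(ev.perms)} on {tgt}'
    return {'source': src, 'target': tgt, 'perms': ev.perms, 'tclass': tclass,
            'comm': ev.fields.get('comm'), 'target_pid': target_pid,
            'proc_access': proc_access, 'advice': advice}

def triage_log(lines):
    """Parse every line and report only the denials."""
    return [triage(ev) for ev in map(parse_avc, lines) if ev and ev.verdict == 'denied']

if __name__ == '__main__':
    for report in triage_log(SAMPLE_LOG):
        print(report)
```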



