Zabbix, SE Linux, httpd_t /bin/ps?

Brian Clark brian+nevdull at
Sat Mar 10 04:16:53 UTC 2007

Hi fedora-list,

I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
was SE Linux.

I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
as not running. But it is running:

root@pettingzoo:/etc/selinux# pidof zabbix_server
21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710

When I reload the aforementioned php page, I notice that the messages
log is spewing this:

Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc
ino=1477115906 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir

root@pettingzoo:/etc/selinux# pidof zabbix_agentd
21964 21963 21962 21961 21960 21958

I'm assuming comm="ps" indicates that report1.php is trying to access
/bin/ps to determine if the server is running. Does scontext mean
"source context"? I'll assume tcontext is "target context".

I've confirmed that report1.php is trying to obtain the status via
get_status() in

   // server: count matching processes with ps, trying both option styles
   if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
      (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
      $status["zabbix_server"] = S_YES;
   else
      $status["zabbix_server"] = S_NO;

1. I think I want to know how I can allow only zabbix's web application
access to /bin/ps (or exec() or anything else it needs) without opening
that up for everything httpd_t. Possible?

2. I'm trying to understand what unconfined_t is. I guess that
zabbix_agentd is httpd_t and that it needs unconfined_t?

Is there anything wise I can do to remedy this, so that zabbix functions
as it needs to, without defeating the purposes of SE Linux?

Thanks for any clues.

Brian Clark
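
Added example, not part of the original post: a small Python parser for the AVC denial quoted in the message. It splits scontext (the source, i.e. the process making the access) and tcontext (the target object) into user:role:type:level and prints the type-enforcement rule the denial corresponds to, so the scope of that rule is visible. The log line is copied from the post; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The denial from the post, re-joined onto one line (mail wrapping removed).
SAMPLE = ('Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: '
          'denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc '
          'ino=1477115906 scontext=user_u:system_r:httpd_t:s0 '
          'tcontext=user_u:system_r:unconfined_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    user, role, setype, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype,
            'level': level[0] if level else None}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'}.issubset(fields):
        return None
    fields['perms'] = m.group('perms').split()
    fields['source'] = split_context(fields['scontext'])  # process making the access
    fields['target'] = split_context(fields['tcontext'])  # object being accessed
    return fields

def te_rules(lines):
    """Group denials by (source type, target type, class) into allow rules.
    A rule is type-wide: it applies to every process running in the source type."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc['source']['type'], avc['target']['type'], avc['tclass'])
            grouped[key].update(avc['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(avc['comm'], avc['source']['type'], '->', avc['target']['type'], avc['tclass'])
    print('\n'.join(te_rules([SAMPLE])))
```
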
