Zabbix, SE Linux, httpd_t /bin/ps?

Brian Clark brian+nevdull at unwell.org
Sat Mar 10 04:16:53 UTC 2007


Hi fedora-list,

I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
was SE Linux.

I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
as not running. But it is running:

root at pettingzoo:/etc/selinux# pidof zabbix_server 
21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710

When I reload the aforementioned php page, I notice that the messages
log is spewing this:

Mar  9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
denied  { getattr } for  pid=22546 comm="ps" name="22539" dev=proc
ino=1477115906 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir

root at pettingzoo:/etc/selinux# pidof zabbix_agentd 
21964 21963 21962 21961 21960 21958

I'm assuming comm="ps" indicates that report1.php is trying to access
/bin/ps to determine if the server is running. Does scontext mean
"source context"? I'll assume tcontext is "target context".

I've confirmed that report1.php is trying to obtain the status via
get_status() in config.inc.php:

   // server
   if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
      (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
   {  
      $status["zabbix_server"] = S_YES;
   }
   else
   {  
      $status["zabbix_server"] = S_NO;
   }


1. I think I want to know how I can allow only zabbix's web application
access to /bin/ps (or exec() or anything else it needs) without opening
that up for everything httpd_t. Possible?

2. I'm trying to understand what unconfined_t is. I guess that
zabbix_agentd is httpd_t and that it needs unconfined_t?

Is there anything wise I can do to remedy this, so that zabbix functions
as it needs to, without defeating the purposes of SE Linux?

Thanks for any clues.

-- 
Brian Clark




More information about the users mailing list