Bug 1053205

Summary: Support for zabbix 2.2
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Type: Bug
Doc Type: Bug Fix
Reporter: Orion Poplawski <orion>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mdavis, mmalik, rstory, ssekidde
Target Milestone: rc
Target Release: ---
Fixed In Version: selinux-policy-3.7.19-247.el6
Last Closed: 2014-10-14 07:59:19 UTC

Description Orion Poplawski 2014-01-14 20:44:06 UTC
Description of problem:

I'm reviewing/testing zabbix22 for EPEL6 and I'm seeing the following:

type=AVC msg=audit(1389731653.397:317): avc:  denied  { write } for  pid=2398 comm="zabbix_server" name="tmp" dev=vda2 ino=267295 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389732007.050:3917): avc:  denied  { add_name } for  pid=2398 comm="zabbix_server" name="zabbix_server_2398.pinger" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389732009.583:3918): avc:  denied  { remove_name } for  pid=2398 comm="zabbix_server" name="zabbix_server_2398.pinger" dev=vda2 ino=264501 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

This version of zabbix has its own tmp dir:

# ls -ldZ /var/lib/zabbixsrv/tmp/
drwxr-x---. zabbixsrv zabbixsrv system_u:object_r:var_lib_t:s0   /var/lib/zabbixsrv/tmp/

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6.noarch

Also, I think I've reported this elsewhere as well, but the agent wants to see what processes are running but can't:

type=AVC msg=audit(1389731872.846:3882): avc:  denied  { getattr } for  pid=1616 comm="zabbix_agentd" path="/proc/1673/cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1389731872.846:3883): avc:  denied  { read } for  pid=1616 comm="zabbix_agentd" name="cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1389731872.846:3883): avc:  denied  { open } for  pid=1616 comm="zabbix_agentd" name="cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
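Triage of the denials above, as an added example that is not part of the bug report or of the selinux-policy package: a POSIX shell script that folds AVC records into audit2allow-style rules and, separately, flags the denials whose target is a generic catch-all type such as var_lib_t. For those the right fix is a file-context entry plus restorecon rather than a new allow rule, because allowing zabbix_t to write to var_lib_t would let the server write anywhere under /var/lib. The sample records are the ones quoted in this report; GENERIC_TYPES is an assumed list of catch-all types.

```shell
#!/bin/sh
# Added example for this page, not code from the bug report or from selinux-policy.
# Folds AVC denials into audit2allow-style rules and flags denials against generic
# types, where the fix is labelling (semanage fcontext + restorecon), not policy.

# Assumed list of catch-all file types: a denial against one of these usually means
# the object carries a default label instead of the daemon's own type.
GENERIC_TYPES="var_lib_t var_log_t var_t var_run_t tmp_t usr_t etc_t default_t unlabeled_t"

# Constructed input: the AVC records quoted in this bug report.
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1389731653.397:317): avc:  denied  { write } for  pid=2398 comm="zabbix_server" name="tmp" dev=vda2 ino=267295 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389732007.050:3917): avc:  denied  { add_name } for  pid=2398 comm="zabbix_server" name="zabbix_server_2398.pinger" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389732009.583:3918): avc:  denied  { remove_name } for  pid=2398 comm="zabbix_server" name="zabbix_server_2398.pinger" dev=vda2 ino=264501 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389731872.846:3882): avc:  denied  { getattr } for  pid=1616 comm="zabbix_agentd" path="/proc/1673/cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1389731872.846:3883): avc:  denied  { read } for  pid=1616 comm="zabbix_agentd" name="cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1389731872.846:3883): avc:  denied  { open } for  pid=1616 comm="zabbix_agentd" name="cmdline" dev=proc ino=15378 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
EOF
}

# Read AVC records on stdin; emit one "src_type tgt_type class perm" line per
# denied permission, de-duplicated and sorted so equal (src,tgt,class) are adjacent.
# Fields are located by their key= prefix, so a path containing spaces does not
# shift the context fields.
avc_tuples() {
    awk '
    /avc: *denied/ {
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between "{" and "}"
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u
}

# Group the tuples into "allow SRC TGT:CLASS { perms };", like audit2allow does.
avc_summary() {
    avc_tuples | awk '
    {
        key = $1 " " $2 ":" $3
        if (key != last) {
            if (last != "") print "allow " last " { " perms " };"
            last = key; perms = $4
        } else perms = perms " " $4
    }
    END { if (last != "") print "allow " last " { " perms " };" }'
}

# Flag source/target pairs whose target is a generic type. Here zabbix_t denied
# write on var_lib_t means /var/lib/zabbixsrv carries the default var_lib_t label
# instead of a zabbix-specific type; the fix is a file context and restorecon.
avc_labelling_hints() {
    avc_tuples | awk -v generic="$GENERIC_TYPES" '
    BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) isgen[g[i]] = 1 }
    ($2 in isgen) && !seen[$1, $2]++ {
        print $2 ": generic target type for " $1 " denials; fix the label" \
              " (semanage fcontext -a -t <type> \"<path>(/.*)?\" && restorecon -Rv <path>)," \
              " not the policy"
    }'
}

# Stand-alone run: rules first, then labelling hints.
avc_sample | avc_summary
avc_sample | avc_labelling_hints
```

On the sample input the summary yields two rules (zabbix_t on var_lib_t:dir, zabbix_agent_t on puppet_t:file) and only the var_lib_t pair is flagged; the puppet_t denials are a genuine policy gap, which is what the later policy builds addressed. Run it on a live box with `ausearch -m avc -ts recent | ./avc_triage.sh` (the script name is a placeholder) after replacing avc_sample with stdin.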

Comment 2 Miroslav Grepl 2014-01-15 11:05:37 UTC
We need to add all changes from Fedora/RHEL7 to RHEL6.

Comment 3 Orion Poplawski 2014-03-06 16:47:53 UTC
Any progress here?  The /proc issue in particular is causing issues with the agent not being able to see what is running.  Thanks.

Comment 4 Orion Poplawski 2014-05-12 15:17:06 UTC
Looking much better with 3.7.19-235.el6, thanks.

Comment 5 Orion Poplawski 2014-05-21 22:27:08 UTC
I think we may still be missing labelling /var/log/zabbixsrv with zabbix_log_t, and /var/lib/zabbixsrv with ?.

Comment 6 Daniel Walsh 2014-05-25 10:51:52 UTC
6ad0c8b0fd802bfaf1d88546da3811024a8e3259 makes sure that anything under /var/log/zabbix.* gets this label.

Comment 9 Lukas Vrabec 2014-07-24 09:12:52 UTC
patch sent.

Comment 12 Orion Poplawski 2014-08-04 16:04:16 UTC
Is this version available for testing anywhere?  http://people.redhat.com/dwalsh/SELinux/RHEL6 is still at -235.

Comment 13 rstory 2014-09-29 03:28:05 UTC
I have the tmp issue with zabbix20-2.0.12-2.el6.x86_64 from epel. Can I jump on the bandwagon here, or should I open another bug?

# semodule -l|grep zab
zabbix  1.2.0

type=AVC msg=audit(1411960498.800:626057): avc:  denied  { write } for  pid=2078 comm="zabbix_server" name="tmp" dev=dm-0 ino=265028 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

# find /var/lib/ -inum 265028
/var/lib/zabbixsrv/tmp

Comment 14 Orion Poplawski 2014-09-29 23:06:10 UTC
Still have issues with selinux-policy-3.7.19-251.el6.noarch

type=AVC msg=audit(1412031795.159:696259): avc:  denied  { read } for  pid=7596 comm="zabbix_server" name="zabbix_server.log" dev=dm-2 ino=655532 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

drwxrwxr-x. root zabbixsrv system_u:object_r:var_log_t:s0   /var/log/zabbixsrv
type=AVC msg=audit(1412031921.258:696276): avc:  denied  { read } for  pid=7825 comm="fping" path="/var/lib/zabbixsrv/tmp/zabbix_server_7796.pinger" dev=dm-2 ino=131270 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:zabbix_var_lib_t:s0 tclass=file

Comment 15 errata-xmlrpc 2014-10-14 07:59:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html