Bug 752482

Summary: Lots of SELinux denials for zabbix_server
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-64.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 01:05:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
audit denials none

Description Orion Poplawski 2011-11-09 16:22:03 UTC 
Created attachment 532605 [details]
audit denials

Description of problem:

There are lots of denials starting up zabbix_server on F16 that prevent normal operation.  I've attached the denials running in permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-51.fc16.noarch
zabbix-server-1.8.8-1.fc16.x86_64
Comment 1 Miroslav Grepl 2011-11-21 09:01:45 UTC 
I added fixes to selinux-policy-3.10.0-58.fc16, but I needs to re-write this policy in Rawhide finally.
Comment 2 Orion Poplawski 2011-11-21 19:21:15 UTC 
That looks a lot better but I still see:

type=AVC msg=audit(1321903053.331:64): avc:  denied  { read } for  pid=1745 comm="fping" path="/tmp/zabbix_server_mysql_1717.pinger" dev=tmpfs ino=18325 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file
type=AVC msg=audit(1321903053.342:65): avc:  denied  { read } for  pid=1746 comm="fping6" path="/tmp/zabbix_server_mysql_1717.pinger" dev=tmpfs ino=18325 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file

Looks like bug 674627 again?
Comment 3 Miroslav Grepl 2011-11-23 07:44:15 UTC 
Does everything work? 

It looks like a leak fd. Could you add full AVC msgs. I would like to see "syscall" and "success" field.
Comment 4 Orion Poplawski 2011-11-23 15:55:07 UTC 
Ah, yes it does work in enforcing.  AVCs:

type=AVC msg=audit(1322063623.572:878054): avc:  denied  { read } for  pid=21722 comm="fping" path="/tmp/zabbix_server_mysql_1231.pinger" dev=tmpfs ino=8056164 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1322063623.572:878054): arch=c000003e syscall=59 success=yes exit=0 a0=cdc450 a1=cdb360 a2=cdaf90 a3=0 items=0 ppid=21721 pid=21722 auid=4294967295 uid=999 gid=999 euid=0 suid=0 fsuid=0 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="fping" exe="/usr/sbin/fping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1322063623.575:878055): avc:  denied  { read } for  pid=21723 comm="fping6" path="/tmp/zabbix_server_mysql_1231.pinger" dev=tmpfs ino=8056164 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1322063623.575:878055): arch=c000003e syscall=59 success=yes exit=0 a0=cdc6b0 a1=cdb360 a2=cdc6d0 a3=0 items=0 ppid=21721 pid=21723 auid=4294967295 uid=999 gid=999 euid=0 suid=0 fsuid=0 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="fping6" exe="/usr/sbin/fping6" subj=system_u:system_r:ping_t:s0 key=(null)

I think zabbix creates a script in /tmp to call the ping commands with.
Comment 5 Daniel Walsh 2011-11-23 18:14:51 UTC 
This is a leaked file descriptor.  It looks like something is using the /tmp/zabbig_server_mysql... and executing ping, causing the link.
Comment 6 Orion Poplawski 2011-11-23 18:57:44 UTC 
Well, not really.  fping reads a lists of hosts from a file to ping.  /tmp/zabbix_server_mysql_1231.pinger is that list of hosts, so it is necessary to be read.
Comment 7 Orion Poplawski 2011-11-23 18:58:55 UTC 
I had just looked for errors in the log before, but I see now that it thinks hosts are down in enforcing mode.
Comment 8 Daniel Walsh 2011-11-23 20:08:45 UTC 
Orion can  you show me the command that it is executing for ping.
Comment 9 Orion Poplawski 2011-11-23 23:32:52 UTC 
basically popen("/usr/sbin/fping 2>&1 < /tmp/zabbix_server_mysql_1231.pinger", "r");

1231 is the thread id of the zabbix server process.
Comment 10 Daniel Walsh 2011-11-29 02:06:01 UTC 
Miroslav back port
acc56d2e69eb462a326562af02c14ca2eab2207e
Comment 11 Miroslav Grepl 2011-11-29 08:38:25 UTC 
Oops, I missed this one. Fixed in selinux-policy-3.10.0-63.fc16
Comment 12 Fedora Update System 2011-12-02 13:16:00 UTC 
selinux-policy-3.10.0-64.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-64.fc16
Comment 13 Fedora Update System 2011-12-04 02:32:01 UTC 
Package selinux-policy-3.10.0-64.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-64.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16698/selinux-policy-3.10.0-64.fc16
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2011-12-06 01:05:47 UTC 
selinux-policy-3.10.0-64.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.