1074887 – SELinux is preventing /usr/sbin/zabbix_server_pgsql from create access on the unix_dgram_socket

Bug 1074887 - SELinux is preventing /usr/sbin/zabbix_server_pgsql from create access on the unix_dgram_socket

Summary: SELinux is preventing /usr/sbin/zabbix_server_pgsql from create access on the...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-03-11 08:09 UTC by Juan Orti Alcaine
Modified:	2014-03-21 09:26 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.12.1-135.fc20
Clone Of:
Environment:
Last Closed:	2014-03-21 09:26:19 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Juan Orti Alcaine 2014-03-11 08:09:56 UTC

SELinux is preventing /usr/sbin/zabbix_server_pgsql from create access on the unix_dgram_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that zabbix_server_pgsql should be allowed create access on the  unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep zabbix_server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zabbix_t:s0
Target Context                system_u:system_r:zabbix_t:s0
Target Objects                 [ unix_dgram_socket ]
Source                        zabbix_server
Source Path                   /usr/sbin/zabbix_server_pgsql
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           zabbix-server-pgsql-2.0.10-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 3.13.6-200.fc20.x86_64 #1
                              SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-03-11 09:03:06 CET
Last Seen                     2014-03-11 09:03:06 CET
Local ID                      1f4cad4d-8df0-443e-be92-b7470e65390f

Raw Audit Messages
type=AVC msg=audit(1394524986.478:8274): avc:  denied  { create } for  pid=6879 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=unix_dgram_socket


type=SYSCALL msg=audit(1394524986.478:8274): arch=x86_64 syscall=socket success=no exit=EACCES a0=1 a1=80002 a2=0 a3=37 items=0 ppid=1 pid=6879 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 ses=4294967295 tty=(none) comm=zabbix_server exe=/usr/sbin/zabbix_server_pgsql subj=system_u:system_r:zabbix_t:s0 key=(null)

Hash: zabbix_server,zabbix_t,zabbix_t,unix_dgram_socket,create

Comment 1 Miroslav Grepl 2014-03-11 14:28:18 UTC

commit 1c1fa654f07c8bfc21c02f265ce2a0d957c908b1
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 11 15:28:03 2014 +0100

    Allow zabbix to send system log msgs

Comment 2 Fedora Update System 2014-03-12 07:20:47 UTC

selinux-policy-3.12.1-135.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-135.fc20

Comment 3 Fedora Update System 2014-03-13 05:11:41 UTC

Package selinux-policy-3.12.1-135.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-135.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3813/selinux-policy-3.12.1-135.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-03-21 09:26:19 UTC

selinux-policy-3.12.1-135.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.