Description of problem:
Zabbix is not able to monitor the port status of postgresql

How reproducible:
Create a zabbix item to listen for tcp connections on port 5432 on the postgresql server
item: net.tcp.port[,5432]

Actual results:
Port status will be 0 instead of 1 in zabbix. Zabbix should be allowed to read port status from any service, else this will happen with more applications.

Expected results:
port status 1

Additional info:
sealert returns this

SELinux is preventing /usr/pgsql-9.3/bin/psql from name_connect access on the tcp_socket port 5432.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that psql should be allowed name_connect access on the port 5432 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep psql /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:object_r:postgresql_port_t:s0
Target Objects                port 5432 [ tcp_socket ]
Source                        psql
Source Path                   /usr/pgsql-9.3/bin/psql
Port                          5432
Host                          <Unknown>
Source RPM Packages           postgresql93-9.3.10-1PGDG.rhel7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     *********
Platform                      Linux ****** 3.10.0-327.4.5.el7.x86_64 #1 SMP Thu Jan 21 04:10:29 EST 2016 x86_64 x86_64
Alert Count                   5379
First Seen                    2016-04-26 09:10:58 CEST
Last Seen                     2016-04-26 11:47:55 CEST
Local ID                      9c94ff65-ec86-4e41-aed8-f8faae1d6e31

Raw Audit Messages
type=AVC msg=audit(1461664075.911:557468): avc: denied { name_connect } for pid=26354 comm="psql" dest=5432 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1461664075.911:557468): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=11be8e0 a2=10 a3=7ffdbe7b1fd0 items=0 ppid=26353 pid=26354 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=psql exe=/usr/pgsql-9.3/bin/psql subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

Hash: psql,zabbix_agent_t,postgresql_port_t,tcp_socket,name_connect
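
How the AVC record in the report above maps to a type-enforcement rule, as an added example that is not part of the original report and is not audit2allow's own code: it parses denied AVC lines and merges them into allow rules of the kind the suggested audit2allow step produces. The function names, the shortened SYSCALL line and the second AVC line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the report, an abbreviated SYSCALL
# record, and a made-up repeat of the denial (different pid and serial).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1461664075.911:557468): avc: denied { name_connect } for pid=26354 comm="psql" dest=5432 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1461664075.911:557468): arch=x86_64 syscall=connect success=no exit=EACCES comm=psql exe=/usr/pgsql-9.3/bin/psql subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(1461664135.002:557501): avc: denied { name_connect } for pid=26398 comm="psql" dest=5432 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each denied AVC line."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                   m["tclass"], m["perms"].split())

def allow_rules(log_text):
    """Merge repeated denials into deduplicated, sorted allow rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

The derived rule is keyed on types only, so it applies to every process in zabbix_agent_t and every port labelled postgresql_port_t, not just psql and 5432; reading the generated mypol.te before running semodule -i shows exactly what is being granted.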
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html