Description of problem:
Tried to run the ping test tool on a host in zabbix. Fails with the following selinux denial:

type=AVC msg=audit(1296640191.942:48649): avc: denied { read } for pid=19367 comm="fping" path="/tmp/zabbix_server_29506.pinger" dev=tmpfs ino=76117788 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

zabbix context:
unconfined_u:system_r:initrc_t:s0 zabbix 29501 29485 0 Jan27 ? 00:00:08 zabbix_server_mysql

Version-Release number of selected component (if applicable):
zabbix-1.8.4-1.fc14.x86_64
selinux-policy-3.9.7-25.fc14.noarch

How reproducible:
Every time
zabbix should have policy? Where is the zabbix executable and what label does it have on it?
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/zabbix_agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/zabbix_agentd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/zabbix_server_mysql

I'm guessing it doesn't have any policy at the moment.
there is a policy in modules/services/zabbix.* in the fedora selinux-policy git
Maybe we have a mismatch on the names.

/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)

Has the server been renamed to zabbix_agentd?
(In reply to comment #4)
> Maybe we have a mismatch on the names.
>
> /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
>
> Has the server been renamed to zabbix_agentd?

No, but there are 3 servers (one per DB backend) for quite some time:

/usr/sbin/zabbix_server_mysql
/usr/sbin/zabbix_server_pgsql
/usr/sbin/zabbix_server_sqlite3
Added context for

/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)

The zabbix server should not be using /tmp for files.
If you

chcon -t zabbix_exec_t /usr/sbin/zabbix_server_mysql

Does the AVC go away?
(In reply to comment #7)
> If you
>
> chcon -t zabbix_exec_t /usr/sbin/zabbix_server_mysql
>
> Does the AVC go away?

The server doesn't start. Perhaps we are getting ahead of policy on F14?

zabbix_server.log:
zabbix_server_mysql [5673]: Unable to set process priority to 5. Leaving default.
zabbix_server_mysql [5673]: Can not create Semaphore [Permission denied]
zabbix_server_mysql [5673]: Unable to create mutex for log file

Nothing in audit.log, even after semodule -DB.
After a quick look it looks like we could go with these labels. But I am interested to look at zabbix more since I think additional changes will be needed in zabbix policy. Orion, just try to switch to permissive mode and we will see if this is an SELinux issue.
Starts fine (and ping test works) in permissive mode, but I still don't see any messages in audit.log for the startup failure.
I think my bug (bug #710343) may be relevant. This includes some AVC denials on startup for the setprio() call.
It looks like we might want to run /usr/sbin/zabbix_server_mysql if we do not want to give the following to zabbix.

allow zabbix_t self:capability { dac_read_search dac_override };
allow zabbix_t self:process setsched;
allow zabbix_t sysctl_kernel_t:dir search;
Miroslav, I added these rules to Rawhide. Probably should backport to F14, F15, and RHEL6. Maybe eventually we break up zabbix into multiple domains, but it already has setuid/setgid, so dac overrides are not adding much access.
*** Bug 710343 has been marked as a duplicate of this bug. ***