Created attachment 532605 [details] audit denials Description of problem: There are lots of denials starting up zabbix_server on F16 that prevent normal operation. I've attached the denials running in permissive mode. Version-Release number of selected component (if applicable): selinux-policy-3.10.0-51.fc16.noarch zabbix-server-1.8.8-1.fc16.x86_64
I added fixes to selinux-policy-3.10.0-58.fc16, but I needs to re-write this policy in Rawhide finally.
That looks a lot better but I still see: type=AVC msg=audit(1321903053.331:64): avc: denied { read } for pid=1745 comm="fping" path="/tmp/zabbix_server_mysql_1717.pinger" dev=tmpfs ino=18325 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file type=AVC msg=audit(1321903053.342:65): avc: denied { read } for pid=1746 comm="fping6" path="/tmp/zabbix_server_mysql_1717.pinger" dev=tmpfs ino=18325 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file Looks like bug 674627 again?
Does everything work? It looks like a leak fd. Could you add full AVC msgs. I would like to see "syscall" and "success" field.
Ah, yes it does work in enforcing. AVCs: type=AVC msg=audit(1322063623.572:878054): avc: denied { read } for pid=21722 comm="fping" path="/tmp/zabbix_server_mysql_1231.pinger" dev=tmpfs ino=8056164 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1322063623.572:878054): arch=c000003e syscall=59 success=yes exit=0 a0=cdc450 a1=cdb360 a2=cdaf90 a3=0 items=0 ppid=21721 pid=21722 auid=4294967295 uid=999 gid=999 euid=0 suid=0 fsuid=0 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="fping" exe="/usr/sbin/fping" subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(1322063623.575:878055): avc: denied { read } for pid=21723 comm="fping6" path="/tmp/zabbix_server_mysql_1231.pinger" dev=tmpfs ino=8056164 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:zabbix_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1322063623.575:878055): arch=c000003e syscall=59 success=yes exit=0 a0=cdc6b0 a1=cdb360 a2=cdc6d0 a3=0 items=0 ppid=21721 pid=21723 auid=4294967295 uid=999 gid=999 euid=0 suid=0 fsuid=0 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="fping6" exe="/usr/sbin/fping6" subj=system_u:system_r:ping_t:s0 key=(null) I think zabbix creates a script in /tmp to call the ping commands with.
This is a leaked file descriptor. It looks like something is using the /tmp/zabbig_server_mysql... and executing ping, causing the link.
Well, not really. fping reads a lists of hosts from a file to ping. /tmp/zabbix_server_mysql_1231.pinger is that list of hosts, so it is necessary to be read.
I had just looked for errors in the log before, but I see now that it thinks hosts are down in enforcing mode.
Orion can you show me the command that it is executing for ping.
basically popen("/usr/sbin/fping 2>&1 < /tmp/zabbix_server_mysql_1231.pinger", "r"); 1231 is the thread id of the zabbix server process.
Miroslav back port acc56d2e69eb462a326562af02c14ca2eab2207e
Oops, I missed this one. Fixed in selinux-policy-3.10.0-63.fc16
selinux-policy-3.10.0-64.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-64.fc16
Package selinux-policy-3.10.0-64.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-64.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16698/selinux-policy-3.10.0-64.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-64.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.