Description of problem:
The zabbix web page attempts to connect to localhost:10051 to check the status of the local zabbix server (or perhaps a remote zabbix server).

I did:

# audit2allow -M zabbix-httpd

type=AVC msg=audit(1327077326.512:35474): avc: denied { name_connect } for pid=1120 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket

but perhaps a httpd_can_network_connect_zabbix would be useful here?

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-71.fc16.noarch
You can allow it using the "httpd_can_network_connect" boolean.
Yeah, but that opens up all ports, right? I saw a httpd_can_network_connect_cobbler boolean and figured a _zabbix one might be useful too. I could see a massive proliferation of variables though.
Ok, we could consider this. Is this a standard setup? I see we have now

httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> of
Yeah, this is stock config from Fedora packages.
selinux-policy-3.10.0-74.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-74.fc16
Package selinux-policy-3.10.0-74.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-74.fc16'

as soon as you are able to. Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2012-0983/selinux-policy-3.10.0-74.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-74.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
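
The trade-off discussed in this thread (one narrow rule versus the broad httpd_can_network_connect boolean) can be seen in the following added example, which is not part of the original bug report or of the Fedora policy. It turns the denial quoted in the report into a local type-enforcement module that grants only the denied permission; the module name local_zabbix_httpd and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the report above.
AVC_SAMPLE='type=AVC msg=audit(1327077326.512:35474): avc: denied { name_connect } for pid=1120 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of KEY=... from an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te MODULE AVC_LINE: print a .te module allowing only what was denied.
avc_to_te() {
    mod=$1
    line=$2
    case $line in
        *"avc: denied"*) ;;
        *) echo "not an AVC denial" >&2; return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    if [ -z "$perms" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ]; then
        echo "incomplete AVC record" >&2; return 1
    fi
    # Reject anything that is not a plain identifier before emitting policy.
    case "$mod$src$tgt$cls$(printf '%s' "$perms" | tr -d ' ')" in
        *[!A-Za-z0-9_]*) echo "unexpected characters in record" >&2; return 1 ;;
    esac
    cat <<EOF
module $mod 1.0;

require {
    type $src;
    type $tgt;
    class $cls { $perms };
}

allow $src $tgt:$cls { $perms };
EOF
}

# Print the module for the sample denial (local_zabbix_httpd is a hypothetical name).
avc_to_te local_zabbix_httpd "$AVC_SAMPLE"
```

The resulting rule lets httpd_t connect only to ports labelled zabbix_port_t, whereas httpd_can_network_connect covers all ports. The printed module can be saved as a .te file, built with checkmodule and semodule_package, and loaded with semodule -i.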