Description of problem: zabbix can be used to monitor ftp urls. When I do so in enforcing it fails. In permissive I see:

type=AVC msg=audit(1327426284.483:836): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426284.521:837): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=8161 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426344.992:843): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=58480 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426404.357:867): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426404.389:868): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=53568 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426464.769:874): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=22522 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426524.199:880): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=60616 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable): selinux-policy-3.10.0-72.fc16.noarch
We will need a boolean for this. But do you know which component of zabbix needs this access?
It's the server process that makes the connections if that's what you mean.
I see from AVC comm="zabbix_server_m"
/usr/sbin/zabbix_server_mysql
A boolean seems like a good idea.
selinux-policy-3.10.0-74.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-74.fc16
Package selinux-policy-3.10.0-74.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-74.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0983/selinux-policy-3.10.0-74.fc16
then log in and leave karma (feedback).
With selinux-policy-3.10.0-74.fc16 and zabbix_can_network=on I'm still seeing:

type=AVC msg=audit(1327939960.125:306): avc: denied { name_connect } for pid=1232 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
Ah, you are right. I missed:

type=AVC msg=audit(1327426404.357:867): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
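Added example, not code from this bug report or from the selinux-policy project: a small triage script that parses AVC denials like the ones above and groups them by source domain, permission and target port type, so that every port type the zabbix_t domain is denied name_connect to (including the ftp_port_t denial that the first fix missed) is listed before a boolean is written. The sample audit lines are constructed from the denials quoted in this report; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: four of the denials quoted in this bug report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1327426284.483:836): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426284.521:837): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=8161 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426344.992:843): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=58480 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327426404.357:867): avc: denied { name_connect } for pid=8670 comm="zabbix_server_m" dest=21 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")   # the { perm ... } set
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value tokens

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = PERMS_RE.search(line)
    if "type=AVC" not in line or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": tuple(m.group(1).split()),
        "comm": fields.get("comm", ""),
        "dest": fields.get("dest"),                       # destination port, if any
        "stype": fields["scontext"].split(":")[2],        # e.g. zabbix_t
        "ttype": fields["tcontext"].split(":")[2],        # e.g. ftp_port_t
        "tclass": fields["tclass"],
    }

def summarize(audit_text):
    """Count denials per (source type, permission, object class, target type)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], perm, rec["tclass"], rec["ttype"])] += 1
    return counts

def port_types_needed(counts, stype="zabbix_t"):
    """Every port type the domain was denied name_connect to; compare this list
    against what the boolean already allows to spot a port type the fix missed."""
    return sorted({t for (s, p, c, t) in counts if s == stype and p == "name_connect"})

def allow_rules(counts):
    """Render the grouped denials as reference-policy allow rules for review."""
    return [f"allow {s} {t}:{c} {p};" for (s, p, c, t) in sorted(counts)]
```

Running `summarize` over the real audit.log output gives the same grouping that the policy maintainer needs before deciding which port types a boolean such as zabbix_can_network should cover.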
selinux-policy-3.10.0-74.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in selinux-policy-3.10.0-75.fc16
selinux-policy-3.10.0-75.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-75.fc16
Package selinux-policy-3.10.0-75.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-75.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1133/selinux-policy-3.10.0-75.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-75.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.