Bug 890554 - SELinux issues with zabbix
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
: SELinux
Depends On: 674627
Reported: 2012-12-27 13:21 EST by Orion Poplawski
Modified: 2013-11-21 05:11 EST (History)
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Clone Of: 674627
Last Closed: 2013-11-21 05:11:47 EST
Description Orion Poplawski 2012-12-27 13:21:28 EST
+++ This bug was initially created as a clone of Bug #674627 +++

Description of problem:

Tried to run the ping test tool on a host in zabbix. Fails with the following SELinux denial:

 type=AVC msg=audit(1296640191.942:48649): avc:  denied  { read } for  pid=19367 comm="fping" path="/tmp/zabbix_server_29506.pinger" dev=tmpfs ino=76117788 scontext=unconfined_u:system_r:ping_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

zabbix context:

unconfined_u:system_r:initrc_t:s0 zabbix 29501 29485  0 Jan27 ?        00:00:08 zabbix_server_mysql

Version-Release number of selected component (if applicable):
zabbix-1.8.4-1.fc14.x86_64
selinux-policy-3.9.7-25.fc14.noarch

How reproducible:
Every time

--- Additional comment from Daniel Walsh on 2011-02-02 13:50:33 EST ---

zabbix should have policy?

Where is the zabbix executable and what label does it have on it?

--- Additional comment from Orion Poplawski on 2011-02-02 13:56:06 EST ---

-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_agentd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_server_mysql

I'm guessing it doesn't have any policy at the moment.

--- Additional comment from Dan Horák on 2011-02-02 14:10:27 EST ---

There is a policy in modules/services/zabbix.* in the Fedora selinux-policy git.

--- Additional comment from Daniel Walsh on 2011-02-02 14:25:03 EST ---

Maybe we have a mismatch on the names.

/usr/bin/zabbix_server  --      gen_context(system_u:object_r:zabbix_exec_t,s0)

Has the server been renamed to zabbix_agentd?

--- Additional comment from Dan Horák on 2011-02-02 15:01:14 EST ---

(In reply to comment #4)
> Maybe we have a mismatch on the names.
> 
> /usr/bin/zabbix_server  --      gen_context(system_u:object_r:zabbix_exec_t,s0)
> 
> Has the server been renamed to zabbix_agentd?

No, but there have been 3 servers (one per DB backend) for quite some time:
/usr/sbin/zabbix_server_mysql
/usr/sbin/zabbix_server_pgsql
/usr/sbin/zabbix_server_sqlite3

--- Additional comment from Daniel Walsh on 2011-02-02 15:05:49 EST ---


Added context for 

/usr/sbin/zabbix_server_mysql --
gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql --
gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 --
gen_context(system_u:object_r:zabbix_exec_t,s0)


The zabbix server should not be using /tmp for files.

--- Additional comment from Daniel Walsh on 2011-02-02 15:06:48 EST ---

If you 

chcon -t zabbix_exec_t  /usr/sbin/zabbix_server_mysql

Does the AVC go away?

--- Additional comment from Orion Poplawski on 2011-02-02 15:24:39 EST ---

(In reply to comment #7)
> If you 
> 
> chcon -t zabbix_exec_t  /usr/sbin/zabbix_server_mysql
> 
> Does the AVC go away?

The server doesn't start.  Perhaps we are getting ahead of policy on F14?

zabbix_server.log:
zabbix_server_mysql [5673]: Unable to set process priority to 5. Leaving default.
zabbix_server_mysql [5673]: Can not create Semaphore [Permission denied]
zabbix_server_mysql [5673]: Unable to create mutex for log file

Nothing in audit.log, even after semodule -DB.

--- Additional comment from Miroslav Grepl on 2011-02-03 05:43:17 EST ---

After a quick look, it looks like we could go with these labels. But I am interested in looking at zabbix more, since I think additional changes will be needed in the zabbix policy.

Orion,
just try to switch to permissive mode and we will see if this is an SELinux issue.

--- Additional comment from Orion Poplawski on 2011-02-03 10:24:42 EST ---

Starts fine (and ping test works) in permissive mode, but I still don't see any messages in audit.log for the startup failure.

--- Additional comment from Kyle Brantley on 2011-06-05 00:51:02 EDT ---

I think my bug (bug #710343) may be relevant. This includes some AVC denials on startup for the setprio() call.

--- Additional comment from Daniel Walsh on 2011-06-06 15:05:48 EDT ---

It looks like we might want to run /usr/sbin/zabbix_server_mysql

If we do not want to give the following to zabbix.

allow zabbix_t self:capability { dac_read_search dac_override };
allow zabbix_t self:process setsched;
allow zabbix_t sysctl_kernel_t:dir search;

--- Additional comment from Daniel Walsh on 2011-06-06 15:09:53 EDT ---

Miroslav, I added these rules to Rawhide. Probably should backport to F14, F15, and RHEL6. Maybe eventually we break up zabbix into multiple domains, but it already has setuid/setgid, so dac overrides are not adding much access.
Comment 1 Orion Poplawski 2012-12-27 13:26:56 EST
Looks like the policy never made it to RHEL6. Also, testing with zabbix20 from EPEL and labelling /usr/sbin/zabbix_server_mysql as zabbix_exec_t, it fails to start. In permissive mode I see:

type=AVC msg=audit(1356632726.386:2274): avc:  denied  { unix_read unix_write } for  pid=21123 comm="zabbix_server" key=2046953417  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=sem
type=AVC msg=audit(1356632726.386:2274): avc:  denied  { associate } for  pid=21123 comm="zabbix_server" key=2046953417  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=sem
type=AVC msg=audit(1356632726.387:2275): avc:  denied  { destroy } for  pid=21123 comm="zabbix_server" key=2046953417  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=sem
type=AVC msg=audit(1356632726.433:2276): avc:  denied  { unix_read unix_write } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1356632726.433:2276): avc:  denied  { associate } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1356632726.435:2277): avc:  denied  { destroy } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1356632726.436:2278): avc:  denied  { create } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=shm
type=AVC msg=audit(1356632726.436:2279): avc:  denied  { unix_read unix_write } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=shm
type=AVC msg=audit(1356632726.436:2279): avc:  denied  { read write } for  pid=21123 comm="zabbix_server" key=1744963529  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=shm
type=AVC msg=audit(1356632726.436:2279): avc:  denied  { read write } for  pid=21123 comm="zabbix_server" path=2F535953563638303230376339202864656C6574656429 dev=tmpfs ino=327681 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1356632726.868:2280): avc:  denied  { create } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1356632726.869:2281): avc:  denied  { bind } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1356632726.869:2282): avc:  denied  { getattr } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1356632726.869:2283): avc:  denied  { nlmsg_read } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1356632726.869:2284): avc:  denied  { create } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=udp_socket
type=AVC msg=audit(1356632726.869:2285): avc:  denied  { connect } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=udp_socket
type=AVC msg=audit(1356632726.869:2286): avc:  denied  { getattr } for  pid=21123 comm="zabbix_server" laddr=::1 lport=51277 faddr=::1 fport=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=udp_socket
type=AVC msg=audit(1356632726.869:2287): avc:  denied  { create } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.869:2288): avc:  denied  { setopt } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.869:2289): avc:  denied  { bind } for  pid=21123 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.869:2289): avc:  denied  { name_bind } for  pid=21123 comm="zabbix_server" src=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.869:2289): avc:  denied  { node_bind } for  pid=21123 comm="zabbix_server" src=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.870:2290): avc:  denied  { listen } for  pid=21123 comm="zabbix_server" lport=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.920:2291): avc:  denied  { getattr } for  pid=21132 comm="zabbix_server" path="/var/lib/net-snmp" dev=vda2 ino=914535 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1356632726.920:2292): avc:  denied  { getattr } for  pid=21146 comm="zabbix_server" path="/var/lib/net-snmp" dev=vda2 ino=914535 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1356632726.920:2293): avc:  denied  { search } for  pid=21132 comm="zabbix_server" name="net-snmp" dev=vda2 ino=914535 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1356632726.920:2294): avc:  denied  { read } for  pid=21132 comm="zabbix_server" name="urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.920:2294): avc:  denied  { open } for  pid=21132 comm="zabbix_server" name="urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.920:2295): avc:  denied  { read } for  pid=21146 comm="zabbix_server" name="urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.920:2296): avc:  denied  { getattr } for  pid=21132 comm="zabbix_server" path="/dev/urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.920:2295): avc:  denied  { open } for  pid=21146 comm="zabbix_server" name="urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.929:2297): avc:  denied  { read } for  pid=21145 comm="zabbix_server" name="resolv.conf" dev=vda2 ino=522254 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1356632726.929:2297): avc:  denied  { open } for  pid=21145 comm="zabbix_server" name="resolv.conf" dev=vda2 ino=522254 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1356632726.929:2298): avc:  denied  { getattr } for  pid=21145 comm="zabbix_server" path="/etc/resolv.conf" dev=vda2 ino=522254 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1356632726.930:2299): avc:  denied  { ioctl } for  pid=21145 comm="zabbix_server" path="socket:[393731]" dev=sockfs ino=393731 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=udp_socket
type=AVC msg=audit(1356632726.930:2300): avc:  denied  { connect } for  pid=21145 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.930:2300): avc:  denied  { name_connect } for  pid=21145 comm="zabbix_server" dest=443 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.931:2301): avc:  denied  { getopt } for  pid=21145 comm="zabbix_server" laddr=10.10.41.2 lport=41626 faddr=4.28.99.182 fport=443 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.931:2302): avc:  denied  { search } for  pid=21145 comm="zabbix_server" name="pki" dev=vda2 ino=522288 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1356632726.931:2302): avc:  denied  { getattr } for  pid=21145 comm="zabbix_server" path="/etc/pki/nssdb" dev=vda2 ino=528100 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1356632726.937:2303): avc:  denied  { read } for  pid=21145 comm="zabbix_server" name="pkcs11.txt" dev=vda2 ino=528115 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356632726.937:2303): avc:  denied  { open } for  pid=21145 comm="zabbix_server" name="pkcs11.txt" dev=vda2 ino=528115 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356632726.937:2304): avc:  denied  { getattr } for  pid=21145 comm="zabbix_server" path="/etc/pki/nssdb/pkcs11.txt" dev=vda2 ino=528115 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356632726.957:2305): avc:  denied  { ioctl } for  pid=21145 comm="zabbix_server" path="/dev/urandom" dev=devtmpfs ino=3654 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1356632726.959:2306): avc:  denied  { read } for  pid=21145 comm="zabbix_server" name="/" dev=tmpfs ino=10201 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1356632727.028:2307): avc:  denied  { lock } for  pid=21145 comm="zabbix_server" path="/etc/pki/nssdb/cert9.db" dev=vda2 ino=528109 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356632727.052:2308): avc:  denied  { write } for  pid=21145 comm="zabbix_server" name="tmp" dev=vda2 ino=914013 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1356632727.052:2309): avc:  denied  { add_name } for  pid=21145 comm="zabbix_server" name="etilqs_nuzbOn2r7fl9Shm" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1356632727.052:2309): avc:  denied  { create } for  pid=21145 comm="zabbix_server" name="etilqs_nuzbOn2r7fl9Shm" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1356632727.052:2309): avc:  denied  { read write open } for  pid=21145 comm="zabbix_server" name="etilqs_nuzbOn2r7fl9Shm" dev=vda2 ino=915180 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1356632727.053:2310): avc:  denied  { remove_name } for  pid=21145 comm="zabbix_server" name="etilqs_nuzbOn2r7fl9Shm" dev=vda2 ino=915180 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1356632727.053:2310): avc:  denied  { unlink } for  pid=21145 comm="zabbix_server" name="etilqs_nuzbOn2r7fl9Shm" dev=vda2 ino=915180 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1356632727.053:2311): avc:  denied  { getattr } for  pid=21145 comm="zabbix_server" path=2F7661722F746D702F6574696C71735F4D623549594473666D385169444A37202864656C6574656429 dev=vda2 ino=916042 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1356632727.116:2312): avc:  denied  { getattr } for  pid=21145 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632727.118:2313): avc:  denied  { read } for  pid=21126 comm="zabbix_server" name="meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1356632727.118:2313): avc:  denied  { open } for  pid=21126 comm="zabbix_server" name="meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1356632727.119:2314): avc:  denied  { getattr } for  pid=21126 comm="zabbix_server" path="/proc/meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1356632727.280:2315): avc:  denied  { name_connect } for  pid=21145 comm="zabbix_server" dest=21 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632727.301:2316): avc:  denied  { name_connect } for  pid=21145 comm="zabbix_server" dest=17625 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632727.464:2317): avc:  denied  { getopt } for  pid=21146 comm="zabbix_server" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=udp_socket
type=AVC msg=audit(1356632732.933:2318): avc:  denied  { accept } for  pid=21140 comm="zabbix_server" lport=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632732.933:2319): avc:  denied  { shutdown } for  pid=21140 comm="zabbix_server" laddr=::1 lport=10051 faddr=::1 fport=51424 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632733.470:2320): avc:  denied  { execute } for  pid=21146 comm="zabbix_server" name="fping" dev=vda2 ino=264074 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.471:2321): avc:  denied  { read } for  pid=21181 comm="zabbix_server" name="sh" dev=vda2 ino=652807 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1356632733.471:2321): avc:  denied  { execute } for  pid=21181 comm="zabbix_server" name="bash" dev=vda2 ino=661171 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.471:2321): avc:  denied  { read open } for  pid=21181 comm="zabbix_server" name="bash" dev=vda2 ino=661171 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.471:2321): avc:  denied  { execute_no_trans } for  pid=21181 comm="zabbix_server" path="/bin/bash" dev=vda2 ino=661171 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.473:2322): avc:  denied  { getattr } for  pid=21181 comm="sh" path="/bin/bash" dev=vda2 ino=661171 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.474:2323): avc:  denied  { read open } for  pid=21182 comm="sh" name="fping" dev=vda2 ino=264074 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.474:2323): avc:  denied  { execute_no_trans } for  pid=21182 comm="sh" path="/usr/sbin/fping" dev=vda2 ino=264074 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.475:2324): avc:  denied  { create } for  pid=21182 comm="fping" scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=rawip_socket
type=AVC msg=audit(1356632733.475:2324): avc:  denied  { net_raw } for  pid=21182 comm="fping" capability=13  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=capability
type=AVC msg=audit(1356632734.708:2325): avc:  denied  { setopt } for  pid=21189 comm="fping6" lport=58 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=rawip_socket
type=AVC msg=audit(1356632737.682:2326): avc:  denied  { name_connect } for  pid=21133 comm="zabbix_server" dest=10050 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632741.898:2327): avc:  denied  { read } for  pid=21149 comm="zabbix_server" name="meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1356632741.898:2327): avc:  denied  { open } for  pid=21149 comm="zabbix_server" name="meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1356632741.898:2328): avc:  denied  { getattr } for  pid=21149 comm="zabbix_server" path="/proc/meminfo" dev=proc ino=4026532031 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
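As an added example (not code from this bug report or from the selinux-policy project), the following Python script does what a policy author does with a dump like the one above before reaching for audit2allow: it groups the AVC records by source type, target type and object class, renders the candidate allow rules, and flags the accesses that deserve a design decision rather than a blanket allow (the raw-socket capability for fping, execute_no_trans of a shell, binds and connects to the generic port_t). The sample records are copied from the audit.log excerpt in this comment; the review-hint table is the example's own.

```python
import re
from collections import defaultdict

# Sample AVC records, copied from the audit.log excerpt in comment 1 of this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1356632726.869:2289): avc:  denied  { name_bind } for  pid=21123 comm="zabbix_server" src=10051 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356632726.929:2297): avc:  denied  { read } for  pid=21145 comm="zabbix_server" name="resolv.conf" dev=vda2 ino=522254 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1356632726.929:2297): avc:  denied  { open } for  pid=21145 comm="zabbix_server" name="resolv.conf" dev=vda2 ino=522254 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1356632733.470:2320): avc:  denied  { execute } for  pid=21146 comm="zabbix_server" name="fping" dev=vda2 ino=264074 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.471:2321): avc:  denied  { execute_no_trans } for  pid=21181 comm="zabbix_server" path="/bin/bash" dev=vda2 ino=661171 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1356632733.475:2324): avc:  denied  { net_raw } for  pid=21182 comm="fping" capability=13  scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:system_r:zabbix_t:s0 tclass=capability
type=AVC msg=audit(1356632737.682:2326): avc:  denied  { name_connect } for  pid=21133 comm="zabbix_server" dest=10050 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """user:role:type[:range] -> type (the only field an allow rule names)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Parse audit lines into (source_type, target_type, tclass, perms) tuples."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return records

def summarize(records):
    """Merge the permissions of all records that share (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in records:
        merged[(src, tgt, cls)] |= perms
    return dict(merged)

def render_rules(merged):
    """One allow rule per (source, target, class); 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if tgt == src else tgt
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return rules

# (tclass, permission, target type or None for any) -> why this should be a deliberate choice.
# This table is the example's own; audit2allow keeps no such list.
REVIEW_HINTS = [
    ("capability", "net_raw", None, "raw sockets: a domain transition to ping_t for fping is narrower"),
    ("capability", "dac_override", None, "bypasses DAC: check what the daemon really needs to read"),
    ("file", "execute_no_trans", None, "runs the program inside the source domain: prefer a transition"),
    ("tcp_socket", "name_bind", "port_t", "generic port: define a port type for the service port"),
    ("tcp_socket", "name_connect", "port_t", "generic port: define a port type or gate it with a boolean"),
]

def review_flags(merged):
    """Accesses in the summary that match REVIEW_HINTS, each with its reason."""
    flags = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        for hint_cls, hint_perm, hint_tgt, reason in REVIEW_HINTS:
            if cls == hint_cls and hint_perm in perms and hint_tgt in (None, tgt):
                flags.append((src, tgt, cls, hint_perm, reason))
    return flags

if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AVCS))
    print("\n".join(render_rules(summary)))
    for src, tgt, cls, perm, reason in review_flags(summary):
        print(f"REVIEW {src} -> {tgt}:{cls} {perm}: {reason}")
```

The rendered rules are a starting point, not something to feed to semodule unchanged: the flagged lines are exactly the ones where the discussion in this bug ended up choosing a transition (fping running as ping_t), a port type (zabbix_agent_port_t) or a boolean (zabbix_can_network) rather than a plain allow in zabbix_t.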
Comment 2 Orion Poplawski 2012-12-27 13:27:16 EST
selinux-policy-3.7.19-189.el6.noarch
Comment 4 Miroslav Grepl 2012-12-27 14:45:23 EST
Yes, it looks like the zabbix policy is old in RHEL6.4.
Comment 6 Orion Poplawski 2013-08-07 16:11:27 EDT
Hmm, I still don't see the binaries getting labelled:

# rpm -q selinux-policy
selinux-policy-3.7.19-210.el6.noarch
# restorecon -r -v /usr/sbin
# ls -lZ /usr/sbin/zabbix*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_agentd
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/zabbix_server -> /etc/alternatives/zabbix-server
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/zabbix_server_mysql

And I get lots of denials still if I label /usr/sbin/zabbix_server_mysql as zabbix_exec_t.

Also as a heads up with regards to the original /tmp write issue - the zabbix maintainer is planning to move to use /var/lib/zabbixsrv/tmp to store the files instead of /tmp in EL6 (and /run/zabbixsrv or similar in Fedora).  So perhaps that will help as well.
Comment 8 Miroslav Grepl 2013-08-08 01:58:21 EDT
Ok, this is a bug. We have it only for /usr/bin. I am fixing it.
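Comment 6 and comment 8 together describe a file-context gap: restorecon left the /usr/sbin binaries as bin_t because the RHEL 6 policy only carried a pattern for /usr/bin/zabbix_server. As an added example (not the project's code), this Python script models a small file_contexts table and reports which binaries a relabel would leave with the wrong type. The ranking rule (longest literal stem wins, a later entry wins ties) is an assumption that approximates libselinux's ordering, and the generic /usr/s?bin fallback is a simplification of the distribution policy. With the three /usr/sbin entries from the Fedora comment above added, only zabbix_proxy_mysql stays bin_t, which is what comment 17 later reports.

```python
import re

# Simplified file-context table, modelled on the gen_context() lines quoted in this bug.
# Entries are (regex, type); the file-type column ("--") of real .fc files is omitted.
RHEL6_OLD_FC = [
    (r"/usr/s?bin(/.*)?", "bin_t"),                 # generic fallback (simplified from the distro policy)
    (r"/usr/bin/zabbix_server", "zabbix_exec_t"),   # the only zabbix entry RHEL 6 had (comment 8)
]

# The same table plus the /usr/sbin entries listed in the Fedora comment above.
FIXED_FC = RHEL6_OLD_FC + [
    (r"/usr/sbin/zabbix_server_mysql", "zabbix_exec_t"),
    (r"/usr/sbin/zabbix_server_pgsql", "zabbix_exec_t"),
    (r"/usr/sbin/zabbix_server_sqlite3", "zabbix_exec_t"),
]

_META = re.compile(r"[.\[\](){}*+?^$|\\]")

def stem(pattern):
    """Literal prefix of a regex up to its first metacharacter."""
    m = _META.search(pattern)
    return pattern if m is None else pattern[:m.start()]

def label_for(path, fc):
    """Type assigned by the most specific matching entry, or None if nothing matches.

    Ranking (assumption approximating libselinux): longest stem wins; on a tie the
    later entry in the table wins.
    """
    best = None
    for idx, (pattern, ftype) in enumerate(fc):
        if re.fullmatch(pattern, path):
            rank = (len(stem(pattern)), idx)
            if best is None or rank > best[0]:
                best = (rank, ftype)
    return None if best is None else best[1]

def unlabelled_binaries(paths, fc, expected="zabbix_exec_t"):
    """Paths that would not end up as `expected` after restorecon, with the type they get."""
    return {p: label_for(p, fc) for p in paths if label_for(p, fc) != expected}

# Binaries seen in this bug's ls -lZ and ps output (zabbix_proxy_mysql from comments 13 and 17).
ZABBIX_BINARIES = [
    "/usr/sbin/zabbix_server_mysql",
    "/usr/sbin/zabbix_server_pgsql",
    "/usr/sbin/zabbix_proxy_mysql",
]

if __name__ == "__main__":
    for name, fc in (("before the fix", RHEL6_OLD_FC), ("with /usr/sbin entries", FIXED_FC)):
        print(name, unlabelled_binaries(ZABBIX_BINARIES, fc))
```

On a real host the equivalent check is `matchpathcon /usr/sbin/zabbix_server_mysql` (what the loaded policy would assign) followed by `restorecon -nv /usr/sbin` (a dry run that prints what would change); a binary that matchpathcon reports as bin_t is the sign that the policy's file contexts, not the label on disk, need fixing.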
Comment 9 Orion Poplawski 2013-08-09 13:03:11 EDT
With -211 the only denials I am seeing are:

type=AVC msg=audit(1376067071.555:227962): avc:  denied  { name_connect } for  pid=7648 comm="zabbix_server" dest=10050 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_agent_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1376067088.272:227963): avc:  denied  { name_connect } for  pid=7668 comm="zabbix_server" dest=56613 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1376067148.556:227969): avc:  denied  { name_connect } for  pid=7668 comm="zabbix_server" dest=50935 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
  
The first looks like trying to connect to an agent (perhaps local?).  This definitely needs to be allowed.

The next are from doing some ftp tests with passive mode transfers.  Perhaps a boolean for this as the port range is pretty random.
Comment 10 Orion Poplawski 2013-08-09 13:10:22 EDT
Okay, just turned on the zabbix_can_network boolean (should look before asking I guess).  However, you might want to allow connections to 10050 even with that off, as zabbix is pretty limited without being able to connect to the agents.
Comment 11 Daniel Walsh 2013-08-12 10:32:11 EDT
zabbix_agent_port_t 10050 is defined in Fedora
Comment 12 Orion Poplawski 2013-08-22 16:55:35 EDT
Now with -211 and zabbix_agentd running in zabbix_agent_t instead of initrc_t, I'm seeing lots of denials for the agent trying to monitor items, e.g.:

type=AVC msg=audit(1377204820.375:5589910): avc:  denied  { read } for  pid=10482 comm="sh" name="locale.alias" dev=dm-0 ino=3339 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1377204820.377:5589912): avc:  denied  { read } for  pid=10484 comm="wc" name="locale.alias" dev=dm-0 ino=3339 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1377204820.378:5589916): avc:  denied  { read } for  pid=10483 comm="who" name="localtime" dev=dm-0 ino=260185 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1377204349.604:5566447): avc:  denied  { getattr } for  pid=13856 comm="zabbix_agentd" path="/proc/27783/cmdline" dev=proc ino=88223745 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:system_r:krb5kdc_t:s0 tclass=file
type=AVC msg=audit(1377204349.604:5566448): avc:  denied  { getattr } for  pid=13856 comm="zabbix_agentd" path="/proc/27799/cmdline" dev=proc ino=88223746 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:system_r:kadmind_t:s0 tclass=file
type=AVC msg=audit(1377204349.604:5566449): avc:  denied  { getattr } for  pid=13856 comm="zabbix_agentd" path="/proc/28272/cmdline" dev=proc ino=88223747 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=file
type=AVC msg=audit(1377204349.604:5566450): avc:  denied  { getattr } for  pid=13856 comm="zabbix_agentd" path="/proc/31316/cmdline" dev=proc ino=88827135 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1377204349.604:5566452): avc:  denied  { getattr } for  pid=13856 comm="zabbix_agentd" path="/proc/32458/cmdline" dev=proc ino=88223748 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1377204358.186:5566453): avc:  denied  { read } for  pid=13858 comm="zabbix_agentd" name="dev" dev=proc ino=4026531979 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


It seems like in general zabbix_agent_t will need read access to almost everything.
Comment 13 Milos Malik 2013-08-26 05:50:14 EDT
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-212.el6.noarch
selinux-policy-3.7.19-212.el6.noarch
selinux-policy-mls-3.7.19-212.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# ps -efZ | grep zabbix
unconfined_u:system_r:zabbix_t:s0 zabbix  2101     1  0 05:40 ?        00:00:00 zabbix_server_mysql
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2114 1  0 05:40 ?       00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2116 2114  0 05:40 ?    00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2117 2114  0 05:40 ?    00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2118 2114  0 05:40 ?    00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2119 2114  0 05:40 ?    00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 2120 2114  0 05:40 ?    00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:initrc_t:s0 zabbix  2132     1  0 05:40 ?        00:00:00 zabbix_proxy_mysql
#

Could we confine zabbix-proxy too?
Comment 14 Miroslav Grepl 2013-08-29 02:55:17 EDT
We don't have it in Fedora. Could you try to execute

# chcon -t zabbix_exec_t `which zabbix_proxy_mysql`
Comment 15 Milos Malik 2013-09-17 05:55:09 EDT
# ls -Z /usr/sbin/zabbix_proxy_mysql 
-rwxr-xr-x. root root system_u:object_r:zabbix_exec_t:s0 /usr/sbin/zabbix_proxy_mysql
# service zabbix-proxy status
zabbix_proxy_mysql is stopped
# service zabbix-proxy start
Starting ZABBIX proxy: [  OK  ]
# service zabbix-proxy status
zabbix_proxy_mysql (pid 26582) is running...
# ps -efZ | grep zabbix
unconfined_u:system_r:zabbix_t:s0 zabbix 26217     1  0 05:44 ?        00:00:00 zabbix_server_mysql
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26266 1  0 05:44 ?      00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26268 26266  0 05:44 ?  00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26269 26266  0 05:44 ?  00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26270 26266  0 05:44 ?  00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26271 26266  0 05:44 ?  00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_agent_t:s0 zabbix 26272 26266  0 05:44 ?  00:00:00 /usr/sbin/zabbix_agentd
unconfined_u:system_r:zabbix_t:s0 zabbix 26582     1  0 05:53 ?        00:00:00 zabbix_proxy_mysql
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 26595 6475  0 05:53 pts/0 00:00:00 grep zabbix
#
Comment 17 Milos Malik 2013-10-08 16:13:45 EDT
The /usr/sbin/zabbix_proxy_mysql file is still labeled bin_t, therefore the zabbix_proxy_mysql process (zabbix-proxy service) still runs as initrc_t. My suggestion is to devote another bug to this issue.
Comment 19 errata-xmlrpc 2013-11-21 05:11:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
