On Fri, 2007-03-09 at 23:16 -0500, Brian Clark wrote:
> Hi fedora-list,
>
> I'm fairly new to Fedora, migrating from Fedora Core 1 to 6. My surprise
> was SE Linux.

fedora-selinux-list is the right list for selinux questions.
Also see http://fedoraproject.org/wiki/SELinux/
http://selinux.sourceforge.net/resources.php3

> I've installed Zabbix, and /zabbix/report1.php shows the zabbix server
> as not running. But it is running:
>
> root@pettingzoo:/etc/selinux# pidof zabbix_server
> 21727 21726 21724 21723 21722 21720 21718 21716 21714 21713 21710
>
> When I reload the aforementioned php page, I notice that the messages
> log is spewing this:
>
> Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc:
> denied { getattr } for pid=22546 comm="ps" name="22539" dev=proc
> ino=1477115906 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
>
> root@pettingzoo:/etc/selinux# pidof zabbix_agentd
> 21964 21963 21962 21961 21960 21958
>
> I'm assuming comm="ps" indicates that report1.php is trying to access
> /bin/ps to determine if the server is running. Does scontext mean
> "source context"? I'll assume tcontext is "target context".

Yes. A "ps" process with pid 22546 running in httpd_t tried to access
/proc information about a process with pid 22539 running in
unconfined_t, and this wasn't allowed by policy.

> I've confirmed that report1.php is trying to obtain the status via
> get_status() in config.inc.php:
>
> // server
> if( (exec("ps -ef|grep zabbix_server|grep -v grep|wc -l")>0) ||
>     (exec("ps -ax|grep zabbix_server|grep -v grep|wc -l")>0) )
> {
>     $status["zabbix_server"] = S_YES;
> }
> else
> {
>     $status["zabbix_server"] = S_NO;
> }
>
> 1. I think I want to know how I can allow only zabbix's web application
> access to /bin/ps (or exec() or anything else it needs) without opening
> that up for everything httpd_t. Possible?

Requires running the script in a separate process (better) or
introducing an apache module that switches security context around the
script invocation (weak, but possibly better than nothing).

> 2. I'm trying to understand what unconfined_t is. I guess that
> zabbix_agentd is httpd_t and that it needs unconfined_t?

It sounds like report1.php is running in httpd_t (since it runs
in-process in your httpd server) and invoking ps from your description.
It tried to access the /proc state of another process that is running
in unconfined_t. zabbix_server and zabbix_agentd would likely both be
in unconfined_t if they run as daemons (vs. being launched from httpd)
and don't have any domain defined.

> Is there anything wise I can do to remedy this, so that zabbix functions
> as it needs to, without defeating the purposes of SE Linux?

Putting the zabbix processes into their own domain, and then only
allowing httpd_t to interact with that domain instead of all of
unconfined_t would help.

-- 
Stephen Smalley
National Security Agency
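An added example, not part of the thread above: a small Python parser for kernel AVC denial lines of the form quoted in the thread (avc: denied { perms } for ... scontext=... tcontext=... tclass=...), which splits each context into user:role:type and groups the denials by source type, target type, object class and permission, the same view one uses to decide which domain interaction a policy change would actually open. The log lines are constructed for the example: the first is the denial from the thread, the others are assumed follow-on lines.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the denial quoted in the thread, lines 2-3 are
# assumed further denials from the same ps invocation, line 4 is a non-AVC line.
SAMPLE_LOG = """\
Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.994:1158): avc: denied { getattr } for pid=22546 comm="ps" name="22539" dev=proc ino=1477115906 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
Mar 9 22:49:33 pettingzoo kernel: audit(1173498572.995:1159): avc: denied { read } for pid=22546 comm="ps" name="stat" dev=proc ino=1477115907 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file
Mar 9 22:49:34 pettingzoo kernel: audit(1173498573.101:1160): avc: denied { getattr } for pid=22547 comm="ps" name="22540" dev=proc ino=1477115910 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
Mar 9 22:49:35 pettingzoo kernel: eth0: link up
"""

# "{ getattr read }" -> permission set; everything after "for" is key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type (httpd_t, unconfined_t) is what
    # allow rules and domain transitions are written in terms of.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx[0] + "type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, perms) across a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "stype" in rec and "ttype" in rec:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}x  {src} -> {tgt}  class={cls}  perms={{ {' '.join(perms)} }}")
```

The grouped output makes the point of the reply concrete: every denial here is httpd_t acting on unconfined_t, so an allow rule written against those types would cover every unconfined process, whereas a dedicated zabbix domain would narrow the target type.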