LinuxQuestions.org


nikhilbe 04-06-2009 10:13 AM

SELinux preventing httpd run ps -ef for zabbix processes
 
Hi,
I have installed zabbix on a RHEL 5.1 SELinux enforced box.

The zabbix dashboard displays if zabbix server is running or not by running command `ps -ef | grep zabbix_server | grep -v grep | wc -l` and so on.

As per the posts for SELinux I did run audit2allow -M local and semodule -i local.pp; however, the ps command still cannot be executed. The dashboard still shows a big NO in red.

Following are the audit.log entries:

==> audit/audit.log <==
type=AVC msg=audit(1239028794.618:17907766): avc: denied { getattr } for pid=19793 comm="ps" path="/proc/1" dev=proc ino=65538 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=SYSCALL msg=audit(1239028794.618:17907766): arch=40000003 syscall=195 success=no exit=-13 a0=9124214 a1=bfc66c90 a2=429ff4 a3=3 items=0 ppid=19792 pid=19793 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="ps" exe="/bin/ps" subj=user_u:system_r:httpd_t:s0 key=(null)
[truncated]

Pl. help sorting out this issue.

-Niks.

rylan76 04-07-2009 03:29 AM

Hmm - have you tried turning SELinux off completely and seeing if the problem persists?

I.e. on my FC6 system, in /etc/selinux/config:

Code:

# SELINUX= can take one of these three values:
#      enforcing - SELinux security policy is enforced.
#      permissive - SELinux prints warnings instead of enforcing.
#      disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#      targeted - Only targeted network daemons are protected.
#      strict - Full SELinux protection.
SELINUXTYPE=targeted

and then a reboot... then retry what you think is being broken by SELinux.

BTW. I think SELinux is way too overcomplicated and neurotic for general use in most non National Security Agency environments, and it imparts so many hurdles to configuring a working server / system that it is just not worth the effort. I find it difficult enough to get a simple web development (LAMP server) set up already, without SELinux inserting even more hurdles and configuration complexities.

nikhilbe 04-08-2009 01:41 AM

Well.... I tend to think in the same direction.
After I saw no reply to the post for some time, I tried disabling SELinux protection for httpd service and voila.... zabbix started showing proper status.

Just used system-config-selinux and disabled the SELinux for httpd.

Thanks for the reply.

Regards,
Niks.

Crito 04-08-2009 02:29 AM

I think you guys are being too nice. IMHO SELinux goes contrary to the very principles on which *nix was built. That is, each prog doing one thing well but users being free to combine them in new and creative ways the original programmers never envisioned. Or to quote someone more eloquent than I: "UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things." – Doug Gwyn

It's appropriate for a bastion server in the DMZ but it certainly doesn't belong on a workstation product like Fedora.

jschiwal 04-08-2009 03:52 AM

Why do you use ps -ef? I think it would be better to use "ps -f -p $(pidof zabbix_server)". From the audit, it seems to me that selinux balked at ps looking at process 1, which is init and not the zabbix_server process you are interested in.

I will also cut and paste the audit info to a file with a unique meaningful name instead of using "local" each time. I haven't used selinux much, but when I played with Fedora 10 on an old laptop, I needed to repeat the process a few times before I could play flash videos in Firefox. After a week, I didn't have any problems with selinux. It takes some time to settle down, but after a while, I even forgot the commands I needed to use because it had been so long since the last alert.
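
Added example, not part of any post in this thread: a Python sketch that parses AVC denial records like the one quoted in the first post, groups them by source type, target type and class, and renders each group as the allow rule that would permit it, so the scope of a generated module can be read before it is loaded. The second log record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the AVC line quoted in the thread; the second is constructed
# (hypothetical values) to show a second target type being grouped separately.
SAMPLE_LOG = """\
type=AVC msg=audit(1239028794.618:17907766): avc: denied { getattr } for pid=19793 comm="ps" path="/proc/1" dev=proc ino=65538 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1239028794.619:17907767): avc: denied { getattr search } for pid=19793 comm="ps" path="/proc/2" dev=proc ino=131074 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = m.group(1).split()
    return fields

def se_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    return dict(grouped)

def allow_rules(grouped):
    """Render each group as the policy rule that would permit it."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_LOG))))
```

Because ps -ef reads the /proc entry of every process, each distinct target type it touches appears as its own group in the output.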

