Bug 1349998

Summary: SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process.
Product: Fedora
Reporter: Mike Goodwin <mike>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 24
CC: alexandre, alwin.laureijs, dominick.grift, dwalsh, erik, error, lvrabec, mgrepl, pasik, plautrba, richard.berg, volker27
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:a659efab1356903ddfbc89efb79f62872e2cf17af44db04f17c4c6ff037c11c1;
Fixed In Version: selinux-policy-3.13.1-191.24.fc24
Doc Type: If docs needed, set a value
Last Closed: 2017-02-02 20:50:30 UTC

Description Mike Goodwin 2016-06-24 18:45:04 UTC
Description of problem:
After upgrading to F24 from F23 and trying to start the zabbix-agent service
SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that zabbix_agentd should be allowed setrlimit access on processes labeled zabbix_agent_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -X 300 -i my-zabbixagentd.pp

Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:system_r:zabbix_agent_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_agentd
Source Path                   zabbix_agentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.7-300.fc24.x86_64 #1 SMP Wed Jun 8 18:12:45 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-06-24 13:15:01 EDT
Last Seen                     2016-06-24 14:43:57 EDT
Local ID                      ca5c45ee-acf2-47df-9254-99e65b807020

Raw Audit Messages
type=AVC msg=audit(1466793837.663:1360): avc:  denied  { setrlimit } for  pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0


Hash: zabbix_agentd,zabbix_agent_t,zabbix_agent_t,process,setrlimit

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.7-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 1 Erik Logtenberg 2016-08-20 16:02:04 UTC
*** Bug 1351771 has been marked as a duplicate of this bug. ***

Comment 2 Erik Logtenberg 2016-08-20 16:03:36 UTC
Is there any additional information I can provide to help fix this bug?

Zabbix agent just doesn't run on F24, effectively blocking anyone who is monitoring their machines with Zabbix from upgrading to F24. F23 is the last version that still worked.

Comment 3 Erik Logtenberg 2016-08-20 16:06:06 UTC
By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:

[DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: done

However it still doesn't work. It puzzles me that the package is apparently maintained but non-functional on F24 with default settings.

Comment 4 Erik Logtenberg 2016-08-23 20:59:56 UTC
The latest selinux-policy-targeted also doesn't fix this.
selinux-policy-targeted-3.13.1-191.12.fc24.noarch

Comment 5 Volker Fröhlich 2016-08-29 21:28:19 UTC
(In reply to Erik Logtenberg from comment #3)
> By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:
> 
> [DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: done
> 
> However it still doesn't work. It puzzles me that the package is apparently
> maintained but non-functional on F24 with default settings.

This is less surprising than you think. First off, as a package maintainer you don't usually control the policy. I don't have the capacity to test the policy on every given release. Feel free to contribute to it!

Comment 6 Lukas Vrabec 2016-09-18 16:06:07 UTC
Could somebody test with following local module? 

$ cat zabbix_setrlimit.cil 
(allow zabbix_agent_t self(process (setrlimit)))
# semodule -i zabbix_setrlimit.cil

and try to start zabbix. 

Thanks.
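
The setroubleshoot suggestion in the description pipes every denial ausearch finds for zabbix_agentd through audit2allow, while comment 6 instead hand-writes a single CIL rule for exactly the permission that was denied. The script below, added here as an example and not code from the bug report, Zabbix or selinux-policy, does the second thing mechanically: it parses raw AVC lines into one CIL allow rule each, filters by comm so unrelated denials in the same log cannot leak into the module, and writes `self` when a domain acts on its own process. The input is the audit message from this report plus a second denial constructed here (the passwd_file_t line is made up for illustration); the function name avc_to_cil is an assumption of this example.

```sh
#!/bin/sh
# Added example, not code from the bug report, Zabbix or selinux-policy.
# Builds the narrowest CIL allow rule for each AVC denial, the way the
# hand-written zabbix_setrlimit.cil in comment 6 does, instead of letting
# "ausearch --raw | audit2allow" turn every denial it finds into policy.

# Constructed sample input: the raw audit message from the report, plus a
# second hypothetical denial (made up here) to exercise multiple
# permissions and a target type different from the source type.
SAMPLE_AVC='type=AVC msg=audit(1466793837.663:1360): avc:  denied  { setrlimit } for  pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
type=AVC msg=audit(1466793837.664:1361): avc:  denied  { read open } for  pid=15770 comm="zabbix_agentd" name="passwd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0'

# avc_to_cil [COMM]
# Reads AVC lines on stdin and prints one CIL allow rule per denial.
# With COMM given, only denials carrying comm="COMM" are used, so denials
# from other daemons in the same audit log do not end up in the module.
avc_to_cil() {
    awk -v comm="${1:-}" '
    /avc: *denied/ && (comm == "" || index($0, "comm=\"" comm "\"") > 0) {
        # permissions are the words between the braces; normalise spacing
        b = index($0, "{"); e = index($0, "}")
        n = split(substr($0, b + 1, e - b - 1), p, " ")
        perms = p[1]
        for (j = 2; j <= n; j++) perms = perms " " p[j]

        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # a context is user:role:type[:range]; the type is the third field
        split(src, s, ":"); split(tgt, t, ":")
        stype = s[3]; ttype = t[3]
        # a domain acting on its own process is written as self in policy
        target = (stype == ttype) ? "self" : ttype
        printf "(allow %s %s (%s (%s)))\n", stype, target, cls, perms
    }'
}

# Demo on the constructed sample. On a real host the same function is fed
# with:  ausearch -m AVC -c zabbix_agentd --raw | avc_to_cil zabbix_agentd
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil zabbix_agentd
```

For the report's own denial the output is `(allow zabbix_agent_t self (process (setrlimit)))`, the same rule as comment 6 up to whitespace; the second line exists only because the constructed sample contains a second denial, which is the point: each rule is visible and reviewable before anything is loaded, and a line that grants more than the service needs is simply deleted. Redirect the output to a `.cil` file, load it with `semodule -i` (the setroubleshoot command uses `-X 300`; without `-X` the module lands at the default priority 400), then confirm the permission with `sesearch -A -s zabbix_agent_t -t zabbix_agent_t -c process -p setrlimit` on the SELinux host and re-run `ausearch -m AVC -c zabbix_agentd` after restarting the service to make sure no further denials appear.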

Comment 7 Erik Logtenberg 2016-09-18 17:52:35 UTC
Yes, this works great!

Comment 8 Erik Logtenberg 2016-12-12 19:21:41 UTC
The issue is also in F25 now. I think this fix never actually made it into the selinux-policy package. @Lukas, could you please include this fix? It works very well.
Thanks!

Comment 9 Fedora Update System 2017-01-09 14:02:42 UTC
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 10 Fedora Update System 2017-01-10 03:23:21 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 11 Fedora Update System 2017-02-02 20:50:30 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.