Bug 1349998
Summary: | SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mike Goodwin <mike> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 24 | CC: | alexandre, alwin.laureijs, dominick.grift, dwalsh, erik, error, lvrabec, mgrepl, pasik, plautrba, richard.berg, volker27 |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:a659efab1356903ddfbc89efb79f62872e2cf17af44db04f17c4c6ff037c11c1; | ||
Fixed In Version: | selinux-policy-3.13.1-191.24.fc24 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-02-02 20:50:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Mike Goodwin
2016-06-24 18:45:04 UTC
*** Bug 1351771 has been marked as a duplicate of this bug. *** Is there any additional information I can provide to help fix this bug? Zabbix agent just doesn't run on F24, effectively blocking anyone who is monitoring their machines with Zabbix from upgrading to F24. F23 is the last version that still worked. By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1: [DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar However it still doesn't work. It puzzles me that the packages is apparently maintained but non-functional on F24 with default settings. The latest selinux-policy-targeted also doesn't fix this. selinux-policy-targeted-3.13.1-191.12.fc24.noarch (In reply to Erik Logtenberg from comment #3) > By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1: > > [DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar > > However it still doesn't work. It puzzles me that the packages is apparently > maintained but non-functional on F24 with default settings. This is less surprising than you think. First off, as a package maintainer you don't usually control the policy. I don't have the capacity to test the policy on every given release. Feel free to contribute to it! Could somebody test with following local module? $ cat zabbix_setrlimit.cil (allow zabbix_agent_t self(process (setrlimit))) # semodule -i zabbix_setrlimit.cil and try to start zabbix. Thanks. Yes, this works great! The issue is also in F25 now. I think this fix never actually made it into the selinux-policy package. @Lucas, could you please include this fix? It works very well. Thanks! selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |