Bug 1393332

| Summary: | unable to start zabbix agent after upgrade to RHEL 7.3 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Zdenek Pytela <zpytela> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Priority: | medium |
| Version: | 7.3 | CC: | alwin.laureijs, baitken, desintegr, ewu, fabian.arrotin, gfdsa, iav, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, mueller, pasik, pgacek, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde |
| Target Milestone: | rc | Keywords: | Regression |
| Hardware: | All | OS: | Linux |
| : | 1425309 | | |
| Last Closed: | 2017-08-01 15:17:42 UTC | Type: | Bug |
| Bug Blocks: | 1393066, 1420851 | | |

Description
Zdenek Pytela
2016-11-09 10:54:00 UTC
*** Bug 1398721 has been marked as a duplicate of this bug. ***

I'm also seeing this bug. Seems to be the same as described in:
https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998

*** Bug 1415323 has been marked as a duplicate of this bug. ***

Why is this still in VERIFIED state? Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED I would expect that the update should have been released?

This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

    Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_override } for pid=27275 comm="zabbix_agentd" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
    Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_read_search } for pid=27275 comm="zabbix_agentd" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
    Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

    allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"

Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!

(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
>
> Thanks!

Blair,

Open a new BZ and attach the raw audit logs.
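
How the two AVC records quoted in the thread above map onto the requested allow rule, as an added example (not code from this bug report or from selinux-policy). The function names are hypothetical, the sample lines are copied from the comment with the journal prefix trimmed, and `self` is the policy shorthand for a target type equal to the source type.

```python
import re
from collections import defaultdict

# The two denial records quoted in the comment above (journal prefix trimmed).
SAMPLE = """\
type=1400 audit(1502205720.446:25105): avc: denied { dac_override } for pid=27275 comm="zabbix_agentd" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
type=1400 audit(1502205720.446:25105): avc: denied { dac_read_search } for pid=27275 comm="zabbix_agentd" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Capabilities that bypass file permission (DAC) checks. A denial on these
# often traces back to file ownership/mode, so check that before adding a rule.
DAC_BYPASS = {"dac_override", "dac_read_search"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def group_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            grouped[key].update(m["perms"].split())
    return dict(grouped)


def candidate_rules(log_text):
    """Return (rule, needs_dac_review) pairs, one per denied access vector."""
    rules = []
    for (src, tgt, tclass), perms in sorted(group_denials(log_text).items()):
        target = "self" if src == tgt else tgt  # 'self' == same type as source
        plist = " ".join(sorted(perms))
        rule = f"allow {src} {target}:{tclass} {{ {plist} }};"
        rules.append((rule, tclass == "capability" and bool(perms & DAC_BYPASS)))
    return rules

if __name__ == "__main__":
    for rule, review in candidate_rules(SAMPLE):
        print(rule, "# review file ownership/mode first" if review else "")
```

Both records share one audit event ID and one access vector, so they collapse into a single rule. The review flag marks it as one to weigh against the ownership and mode of `/etc/zabbix/zabbix_agentd.conf` before widening the policy.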