Bug 1393332
| Summary: | unable to start zabbix agent after upgrade to RHEL 7.3 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Zdenek Pytela <zpytela> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.3 | CC: | alwin.laureijs, baitken, desintegr, ewu, fabian.arrotin, gfdsa, iav, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, mueller, pasik, pgacek, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde | |
| Target Milestone: | rc | Keywords: | Regression | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1425309 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 15:17:42 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1393066, 1420851 | |||
*** Bug 1398721 has been marked as a duplicate of this bug. *** I'm also seeing this bug. Seems to be the same as described in: https://bugzilla.redhat.com/show_bug.cgi?id=1323518 https://bugzilla.redhat.com/show_bug.cgi?id=1349998 *** Bug 1415323 has been marked as a duplicate of this bug. *** why is this sill in VERIFIED state? Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released? This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861 Customer is hitting a problem with this:
"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_override } for pid=27275 comm="zabbix_agentd" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_read_search } for pid=27275 comm="zabbix_agentd" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied
We would need redhat to add the following rule into future selinux-policy:
allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"
Do you want me to open a new bug for this? Or should this be appended to this one?
Thanks!
(In reply to Blair Aitken from comment #10) > > Do you want me to open a new bug for this? Or should this be appended to > this one? > > Thanks! Blair, Open a new BZ and attach the raw audit logs. |
Description of problem: After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7.noarch zabbix-agent-3.2.1-1.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Update to RHEL 7.3 2. Start the zabbix-agent service Actual results: Service start failed. $ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4 ---- type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null) type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc: denied { setrlimit } for pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process ---- Expected results: <no avc found> Additional info: Worked in RHEL up to 7.2. See also some difference in policy: rhel 7.2: # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A Found 1 semantic av rules: allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ; rhel 7.3: # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A Found 1 semantic av rules: allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;