Bug 1393332

Summary:	unable to start zabbix agent after upgrade to RHEL 7.3
Product:	Red Hat Enterprise Linux 7	Reporter:	Zdenek Pytela <zpytela>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.3	CC:	alwin.laureijs, baitken, desintegr, ewu, fabian.arrotin, gfdsa, iav, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, mueller, pasik, pgacek, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde
Target Milestone:	rc	Keywords:	Regression
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1425309 (view as bug list)		Environment:
Last Closed:	2017-08-01 15:17:42 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:
Bug Blocks:	1393066, 1420851

Description Zdenek Pytela 2016-11-09 10:54:00 UTC

Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.
$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
    ----
    type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc:  denied  { setrlimit } for  pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
    ----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;
     
rhel 7.3:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;

Comment 2 Lukas Vrabec 2016-11-28 09:24:04 UTC

*** Bug 1398721 has been marked as a duplicate of this bug. ***

Comment 3 Robin 2017-01-11 08:47:47 UTC

I'm also seeing this bug. Seems to be the same as described in:

https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998

Comment 4 Lukas Vrabec 2017-02-01 13:54:21 UTC

*** Bug 1415323 has been marked as a duplicate of this bug. ***

Comment 7 Thomas Mueller 2017-05-26 07:09:53 UTC

why is this sill in VERIFIED state? 

Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released?

Comment 8 Milos Malik 2017-05-26 07:37:19 UTC

This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.

Comment 9 errata-xmlrpc 2017-08-01 15:17:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Comment 10 Blair Aitken 2017-08-08 16:38:40 UTC

Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_override } for  pid=27275 comm="zabbix_agentd" capability=1  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_read_search } for  pid=27275 comm="zabbix_agentd" capability=2  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"


Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!

Comment 11 Simon Sekidde 2017-08-10 13:37:31 UTC

(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
> 
> Thanks!

Blair, 

Open a new BZ and attach the raw audit logs.