Bug 1415323

Summary: Zabbix-agent 3.0.7-1.el7 selinux policy missing TE (Type Enforcement) rule
Product: Red Hat Enterprise Linux 7 Reporter: Kyle Hamilton <khamil8686>
Component: selinux-policy Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.5-Alt CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Last Closed: 2017-02-01 13:54:21 UTC Type: Bug
Attachments:
Description Flags
audit2allow -w -a output none

Description Kyle Hamilton 2017-01-20 21:04:59 UTC
Created attachment 1243002
audit2allow -w -a output

Description of problem:
  Cannot start zabbix-agent with selinux enforcing after updating to 3.0.7-1.el7

Version-Release number of selected component (if applicable):
  3.0.7-1.el7

How reproducible:
  Happened on 3 of my servers right after update

Steps to Reproduce:
1. Update to zabbix-agent 3.0.7-1.el7
2. Run systemctl start zabbix-agent

Actual results:
  Service fails to start

Expected results:
  Service starts

Additional info:
  Reporting because this page told me to: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html


##### sudo audit2allow -a #####

#============= logrotate_t ==============
allow logrotate_t init_t:service reload;

#============= named_t ==============

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:dir write;

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t user_home_t:file read;

#============= unconfined_t ==============
allow unconfined_t init_t:service enable;
allow unconfined_t zabbix_agent_t:file relabelto;

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;


#####  #####

Comment 2 Milos Malik 2017-01-23 05:51:20 UTC
#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;

Is already reported in BZ#1393332.

Comment 3 Lukas Vrabec 2017-02-01 13:54:21 UTC

*** This bug has been marked as a duplicate of bug 1393332 ***