Bug 1425309

Summary: Unable to start zabbix-proxy after upgrade to RHEL 7.3 due to selinux
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Robin <robin.bjorklin>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: alwin.laureijs, desintegr, ewu, fabian.arrotin, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, pasik, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde, zpytela
Target Milestone: rc
Target Release: ---
Clone Of: 1393332
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2017-10-12 12:18:03 UTC
Bug Blocks: 1420851

Description Robin 2017-02-21 07:33:24 UTC
+++ This bug was initially created as a clone of Bug #1393332 +++

Description of problem:
After the update to RHEL 7.3, zabbix-proxy stopped working. zabbix-proxy is not able to run the setrlimit syscall, as it is denied by the SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-proxy-sqlite3-3.2.3-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-proxy service

Actual results:
Service start failed.

Expected results:
<no avc found>

Comment 1 Milos Malik 2017-02-21 08:09:31 UTC
We would like to see the SELinux denials in raw form. Please attach the output of the following command:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 3 Robin 2017-03-13 15:46:58 UTC
Sorry about the delay.

$ sudo ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=USER_AVC msg=audit(03/13/2017 14:15:00.933:882) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(03/13/2017 15:45:33.157:1063) : arch=x86_64 syscall=setrlimit success=yes exit=0 a0=RLIMIT_CORE a1=0x7ffe127272b0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15769 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(03/13/2017 15:45:33.157:1063) : avc:  denied  { setrlimit } for  pid=15769 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
----
type=USER_AVC msg=audit(03/13/2017 15:45:56.816:1087) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(03/13/2017 15:45:56.829:1088) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffe58d07d70 a2=0x0 a3=0x8 items=0 ppid=1 pid=15797 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(03/13/2017 15:45:56.829:1088) : avc:  denied  { setrlimit } for  pid=15797 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
----
type=SYSCALL msg=audit(03/13/2017 15:46:07.094:1094) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc26a42cc0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15801 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(03/13/2017 15:46:07.094:1094) : avc:  denied  { setrlimit } for  pid=15801 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
----
type=SYSCALL msg=audit(03/13/2017 15:46:17.342:1099) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc65ac12d0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15806 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(03/13/2017 15:46:17.342:1099) : avc:  denied  { setrlimit } for  pid=15806 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
----
type=SYSCALL msg=audit(03/13/2017 15:46:27.593:1109) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc3dc2ed10 a2=0x0 a3=0x8 items=0 ppid=1 pid=15875 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(03/13/2017 15:46:27.593:1109) : avc:  denied  { setrlimit } for  pid=15875 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process

Comment 5 Lukas Vrabec 2017-10-12 12:18:03 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 6 Lukas Vrabec 2017-10-12 12:21:16 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
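The closing comments point at audit2allow without showing what the resulting local module looks like for this denial. The script below is an added example, not code from the bug report, from Red Hat or from the Zabbix project: it parses the AVC record quoted in comment 3 (embedded here as a constructed sample) into the allow rule that audit2allow would print, and wraps it in a complete Type Enforcement source with a matching require block. The module name zabbix_local is an arbitrary choice. Note from the log itself what the rule permits: the SYSCALL records show setrlimit(RLIMIT_CORE, ...) from zabbix_proxy with a source and target of zabbix_t, so the rule only lets the daemon change its own process limits; and the first record (success=yes, before the "setenforce notice (enforcing=1)") is the same access being logged but not blocked while the host was still permissive.

```bash
#!/usr/bin/env bash
# Added example, not code from the bug report, Red Hat or Zabbix: turn the AVC
# records quoted in comment 3 into a local SELinux policy module source (.te).
# The module name "zabbix_local" is an arbitrary choice.
set -eu

# Constructed input: the denial from comment 3, reduced to its AVC record line
# (the SYSCALL record that precedes it in ausearch output is not needed here).
AVC_SAMPLE='type=AVC msg=audit(03/13/2017 15:45:56.829:1088) : avc:  denied  { setrlimit } for  pid=15797 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process'

# avc_to_allow LINE
# Prints one "allow" rule for a "denied" AVC record. The type is the third
# colon-separated field of a context (user:role:type[:level]); when source and
# target types are equal the rule targets "self", as audit2allow prints it.
# Multi-permission sets come out brace-wrapped: { read write }.
avc_to_allow() {
    local line=$1 perms stype ttype tclass
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    if [ -z "$perms" ] || [ -z "$stype" ] || [ -z "$ttype" ] || [ -z "$tclass" ]; then
        printf 'not a denied AVC record: %s\n' "$line" >&2
        return 1
    fi
    if [ "$stype" = "$ttype" ]; then
        ttype=self
    fi
    case $perms in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# write_te_module NAME LINE...
# Prints a complete .te source: one allow rule per distinct record, with a
# require block listing every type and every class/permission the rules use.
write_te_module() {
    local name=$1 line rules
    shift
    rules=$(for line in "$@"; do avc_to_allow "$line"; done | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # types: the source type, plus the target type when it is not "self"
    printf '%s\n' "$rules" \
        | awk '{ print $2; if ($3 !~ /^self:/) print substr($3, 1, index($3, ":") - 1) }' \
        | sort -u | awk '{ print "\ttype " $0 ";" }'
    # classes: gather the distinct permission words of every rule per object class
    printf '%s\n' "$rules" | awk '
        { split($3, a, ":"); cls = a[2]
          for (i = 4; i <= NF; i++) { p = $i; gsub(/[{};]/, "", p)
            if (p != "" && !seen[cls, p]++) perms[cls] = perms[cls] " " p } }
        END { for (cls in perms) print "\tclass " cls " {" perms[cls] " };" }' | sort
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: print the module source for the denial quoted on this page.
write_te_module zabbix_local "$AVC_SAMPLE"
```

Saved as zabbix_local.te, the output is compiled and loaded with `checkmodule -M -m -o zabbix_local.mod zabbix_local.te`, `semodule_package -o zabbix_local.pp -m zabbix_local.mod` and `semodule -i zabbix_local.pp`; `ausearch -m avc -c zabbix_proxy | audit2allow -M zabbix_local` followed by `semodule -i zabbix_local.pp` does the same in fewer steps. Either way, read the generated rules before loading them: audit2allow allows everything in the records it is given, so filter to the one daemon and the one denial rather than feeding it the whole audit log.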