Bug 1425309
Summary: | Unable to start zabbix-proxy after upgrade to RHEL 7.3 due to selinux | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Robin <robin.bjorklin> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | CC: | alwin.laureijs, desintegr, ewu, fabian.arrotin, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, pasik, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde, zpytela |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1393332 | Environment: | |
Last Closed: | 2017-10-12 12:18:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1420851 |
Description
Robin
2017-02-21 07:33:24 UTC
We would like to see SELinux denials in raw form. Please, attach the output of following command: # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today Sorry about the delay. $ sudo ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today ---- type=USER_AVC msg=audit(03/13/2017 14:15:00.933:882) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=SYSCALL msg=audit(03/13/2017 15:45:33.157:1063) : arch=x86_64 syscall=setrlimit success=yes exit=0 a0=RLIMIT_CORE a1=0x7ffe127272b0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15769 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) type=AVC msg=audit(03/13/2017 15:45:33.157:1063) : avc: denied { setrlimit } for pid=15769 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process ---- type=USER_AVC msg=audit(03/13/2017 15:45:56.816:1087) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=SYSCALL msg=audit(03/13/2017 15:45:56.829:1088) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffe58d07d70 a2=0x0 a3=0x8 items=0 ppid=1 pid=15797 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) type=AVC msg=audit(03/13/2017 15:45:56.829:1088) : avc: denied { setrlimit } for pid=15797 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process ---- type=SYSCALL msg=audit(03/13/2017 15:46:07.094:1094) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc26a42cc0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15801 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) type=AVC msg=audit(03/13/2017 15:46:07.094:1094) : avc: denied { setrlimit } for pid=15801 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process ---- type=SYSCALL msg=audit(03/13/2017 15:46:17.342:1099) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc65ac12d0 a2=0x0 a3=0x8 items=0 ppid=1 pid=15806 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) type=AVC msg=audit(03/13/2017 15:46:17.342:1099) : avc: denied { setrlimit } for pid=15806 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process ---- type=SYSCALL msg=audit(03/13/2017 15:46:27.593:1109) : arch=x86_64 syscall=setrlimit success=no exit=EACCES(Permission denied) a0=RLIMIT_CORE a1=0x7ffc3dc2ed10 a2=0x0 a3=0x8 items=0 ppid=1 pid=15875 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_proxy exe=/usr/sbin/zabbix_proxy_mysql subj=system_u:system_r:zabbix_t:s0 key=(null) type=AVC msg=audit(03/13/2017 15:46:27.593:1109) : avc: denied { setrlimit } for pid=15875 comm=zabbix_proxy scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. |