Bug 1323518 - Zabbix agent fails to start due to being unable to disable coredumps
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-04-03 21:29 UTC by Michael Hampton
Modified: 2017-01-11 10:41 UTC (History)

Fixed In Version: selinux-policy-3.13.1-225.6.fc25
Doc Type: Bug Fix
Last Closed: 2017-01-11 07:25:14 UTC
Type: Bug

Description Michael Hampton 2016-04-03 21:29:31 UTC
Description of problem:
The Zabbix agent starts then immediately exits. The following is logged in zabbix_agentd.log:

  5234:20160403:211527.211 cannot set resource limit: [13] Permission denied
  5234:20160403:211527.211 cannot disable core dump, exiting...

Version-Release number of selected component (if applicable):
zabbix-agent-3.0.1-0.fc24.x86_64

How reproducible:
Always, when SELinux is enforcing

Steps to Reproduce:
1. setenforce 1
2. dnf install zabbix-agent
3. systemctl start zabbix-agent

Actual results:
Fails to start as shown above.

Expected results:
Start successfully.

Additional info:
Bug has been reported upstream: https://support.zabbix.com/browse/ZBX-10086

Upstream claims fixed in svn r58988, pre-3.0.2

This can be worked around by making the SELinux domain permissive:
semanage permissive -a zabbix_agent_t
(which may be undone with -d when the issue is fixed)

Comment 1 Orion Poplawski 2016-12-07 15:47:19 UTC
Hmm, I'm still seeing this with zabbix-3.0.5-1.fc25.x86_64

Comment 2 Orion Poplawski 2016-12-07 15:52:55 UTC
Can we get selinux to allow this?

/var/log/audit/audit.log:type=AVC msg=audit(1481094156.042:159): avc:  denied  { setrlimit } for  pid=19928 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0

Comment 3 Robin 2017-01-03 10:11:26 UTC
This issue is still present on Fedora 25 with zabbix-agent-3.0.7-1.fc25.x86_64.


To trigger this just restart the zabbix-agent and then have a look at the denial, like this:
# systemctl restart zabbix-agent
# ausearch -m avc,user_avc,selinux_err -ts recent | audit2allow -w
type=AVC msg=audit(1483437841.806:230): avc:  denied  { setrlimit } for  pid=1971 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

You can work around this by allowing zabbix-agent the `setrlimit` SELinux permission http://selinuxproject.org/page/ObjectClassesPerms#process.

This series of commands should resolve it:
# systemctl restart zabbix-agent
# ausearch -m avc,user_avc,selinux_err -ts recent | audit2allow -v -M local-zabbix-agent
# semodule -i local-zabbix-agent.pp
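
Added example, not part of the original comment and not code from Fedora, Zabbix or audit2allow: `ausearch -ts recent` hands every recent denial to the module generator, so this Python code parses AVC records and builds allow rules for one source domain only, reporting the domains it left out. The third log record, the `example_t` type and all function names are constructed for illustration.

```python
import re

# Constructed sample: the first two records are the denials quoted in this bug;
# the third (example_t reading shadow_t) is made up to stand in for an
# unrelated denial that happens to fall in the same "-ts recent" window.
SAMPLE_LOG = """\
type=AVC msg=audit(1481094156.042:159): avc:  denied  { setrlimit } for  pid=19928 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
type=AVC msg=audit(1483437841.806:230): avc:  denied  { setrlimit } for  pid=1971 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
type=AVC msg=audit(1483437900.100:231): avc:  denied  { read } for  pid=2000 comm="example_d" name="shadow" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract (source type, target type, class, permissions) from AVC denials."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return denials

def allow_rules(denials, domain):
    """Merge the denials of one source domain into TE allow rules."""
    merged = {}
    for source, target, tclass, perms in denials:
        if source == domain:
            key = ("self" if target == source else target, tclass)
            merged.setdefault(key, set()).update(perms)
    return [f"allow {domain} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (target, tclass), perms in sorted(merged.items())]

def skipped_domains(denials, domain):
    """Source domains that were denied something but are left out of the rules."""
    return sorted({d[0] for d in denials if d[0] != domain})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("\n".join(allow_rules(found, "zabbix_agent_t")))
    print("not included:", ", ".join(skipped_domains(found, "zabbix_agent_t")))
```

Reading the generated `local-zabbix-agent.te` before running `semodule -i` gives the same check by hand.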

Comment 4 Lukas Vrabec 2017-01-08 21:24:16 UTC
$ sesearch -A -s zabbix_agent_t  -c process -p setrlimit
Found 1 semantic av rules:
   allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap setrlimit } ; 


Issue fixed in the latest selinux-policy build.

Comment 5 Fedora Update System 2017-01-09 16:29:25 UTC
selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 6 Fedora Update System 2017-01-10 03:27:04 UTC
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 7 Fedora Update System 2017-01-11 07:25:14 UTC
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

