Description of problem:
After upgrading to F24 from F23 and trying to start the zabbix-agent service
SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that zabbix_agentd should be allowed setrlimit access on processes labeled zabbix_agent_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -X 300 -i my-zabbixagentd.pp

Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:system_r:zabbix_agent_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_agentd
Source Path                   zabbix_agentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.7-300.fc24.x86_64 #1 SMP Wed Jun 8 18:12:45 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-06-24 13:15:01 EDT
Last Seen                     2016-06-24 14:43:57 EDT
Local ID                      ca5c45ee-acf2-47df-9254-99e65b807020

Raw Audit Messages
type=AVC msg=audit(1466793837.663:1360): avc: denied { setrlimit } for pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0

Hash: zabbix_agentd,zabbix_agent_t,zabbix_agent_t,process,setrlimit

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.7-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
*** Bug 1351771 has been marked as a duplicate of this bug. ***
Is there any additional information I can provide to help fix this bug? Zabbix agent just doesn't run on F24, effectively blocking anyone who is monitoring their machines with Zabbix from upgrading to F24. F23 is the last version that still worked.
By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:

[DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar

However it still doesn't work. It puzzles me that the package is apparently maintained but non-functional on F24 with default settings.
The latest selinux-policy-targeted also doesn't fix this. selinux-policy-targeted-3.13.1-191.12.fc24.noarch
(In reply to Erik Logtenberg from comment #3)
> By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:
>
> [DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar
>
> However it still doesn't work. It puzzles me that the package is apparently
> maintained but non-functional on F24 with default settings.

This is less surprising than you think. First off, as a package maintainer you don't usually control the policy. I don't have the capacity to test the policy on every given release. Feel free to contribute to it!
Could somebody test with following local module?

$ cat zabbix_setrlimit.cil
(allow zabbix_agent_t self(process (setrlimit)))

# semodule -i zabbix_setrlimit.cil

and try to start zabbix. Thanks.
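Added example, not part of the bug thread or of any Fedora tooling: a small Python parser that derives the single CIL allow statement covering one AVC denial, so the rule in the local module above can be checked against the raw audit record in the report instead of loading whatever audit2allow generates. The second record and all function names are constructed for illustration.

```python
import re
import shlex

# Raw audit record quoted in the report above.
REPORTED = ('type=AVC msg=audit(1466793837.663:1360): avc: denied { setrlimit } '
            'for pid=15770 comm="zabbix_agentd" '
            'scontext=system_u:system_r:zabbix_agent_t:s0 '
            'tcontext=system_u:system_r:zabbix_agent_t:s0 '
            'tclass=process permissive=0')

# Constructed record (not from the report): other target type, two permissions.
CONSTRUCTED = ('type=AVC msg=audit(1466793900.001:1401): avc:  denied  '
               '{ read open } for  pid=15771 comm="zabbix_agentd" '
               'name="example.conf" '
               'scontext=system_u:system_r:zabbix_agent_t:s0 '
               'tcontext=system_u:object_r:etc_t:s0:c0.c1023 '
               'tclass=file permissive=1')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.+)')


def parse_avc(line):
    """Return the fields of one AVC denial needed to write an allow rule."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    # key=value pairs; shlex strips the quotes around comm="..." and name="..."
    kv = dict(tok.split('=', 1)
              for tok in shlex.split(m.group('rest')) if '=' in tok)
    return {
        'perms': m.group('perms').split(),
        # A context is user:role:type:level; the level may itself contain ':'.
        'source': kv['scontext'].split(':')[2],
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        'enforced': kv.get('permissive') == '0',
    }


def cil_rule(avc):
    """Build the narrowest CIL allow statement covering this single denial."""
    target = 'self' if avc['source'] == avc['target'] else avc['target']
    return '(allow {} {} ({} ({})))'.format(
        avc['source'], target, avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    for record in (REPORTED, CONSTRUCTED):
        avc = parse_avc(record)
        print(cil_rule(avc), '# enforced' if avc['enforced'] else '# permissive')
```

For the reported record this yields the same rule as the module above, differing only in whitespace.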
Yes, this works great!
The issue is also in F25 now. I think this fix never actually made it into the selinux-policy package. @Lucas, could you please include this fix? It works very well. Thanks!
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.