Bug 1349998 - SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64 Unspecified
Priority: high, Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
abrt_hash:a659efab1356903ddfbc89efb79...
Duplicates: 1351771
Reported: 2016-06-24 14:45 EDT by Mike Goodwin
Modified: 2017-02-02 15:50 EST (History)
Fixed In Version: selinux-policy-3.13.1-191.24.fc24
Last Closed: 2017-02-02 15:50:30 EST
Description Mike Goodwin 2016-06-24 14:45:04 EDT
Description of problem:
After upgrading to F24 from F23 and trying to start the zabbix-agent service
SELinux is preventing zabbix_agentd from using the 'setrlimit' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that zabbix_agentd should be allowed setrlimit access on processes labeled zabbix_agent_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -X 300 -i my-zabbixagentd.pp

Additional Information:
Source Context                system_u:system_r:zabbix_agent_t:s0
Target Context                system_u:system_r:zabbix_agent_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_agentd
Source Path                   zabbix_agentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.7-300.fc24.x86_64 #1 SMP Wed
                              Jun 8 18:12:45 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-06-24 13:15:01 EDT
Last Seen                     2016-06-24 14:43:57 EDT
Local ID                      ca5c45ee-acf2-47df-9254-99e65b807020

Raw Audit Messages
type=AVC msg=audit(1466793837.663:1360): avc:  denied  { setrlimit } for  pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0


Hash: zabbix_agentd,zabbix_agent_t,zabbix_agent_t,process,setrlimit

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.7-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
Comment 1 Erik Logtenberg 2016-08-20 12:02:04 EDT
*** Bug 1351771 has been marked as a duplicate of this bug. ***
Comment 2 Erik Logtenberg 2016-08-20 12:03:36 EDT
Is there any additional information I can provide to help fix this bug?

Zabbix agent just doesn't run on F24, effectively blocking anyone who is monitoring their machines with Zabbix from upgrading to F24. F23 is the last version that still worked.
Comment 3 Erik Logtenberg 2016-08-20 12:06:06 EDT
By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:

[DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar

However it still doesn't work. It puzzles me that the package is apparently maintained but non-functional on F24 with default settings.
Comment 4 Erik Logtenberg 2016-08-23 16:59:56 EDT
The latest selinux-policy-targeted also doesn't fix this.
selinux-policy-targeted-3.13.1-191.12.fc24.noarch
Comment 5 Volker Fröhlich 2016-08-29 17:28:19 EDT
(In reply to Erik Logtenberg from comment #3)
> By the way, I just upgraded from zabbix 3.0.1-0 to 3.0.4-1:
> 
> [DRPM] zabbix-3.0.1-0.fc24_3.0.4-1.fc24.x86_64.drpm: klaar
> 
> However it still doesn't work. It puzzles me that the package is apparently
> maintained but non-functional on F24 with default settings.

This is less surprising than you think. First off, as a package maintainer you don't usually control the policy. I don't have the capacity to test the policy on every given release. Feel free to contribute to it!
Comment 6 Lukas Vrabec 2016-09-18 12:06:07 EDT
Could somebody test with the following local module?

$ cat zabbix_setrlimit.cil 
(allow zabbix_agent_t self(process (setrlimit)))
# semodule -i zabbix_setrlimit.cil

and try to start zabbix. 

Thanks.
Comment 7 Erik Logtenberg 2016-09-18 13:52:35 EDT
Yes, this works great!
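
Added example (not part of the bug thread or of selinux-policy): the Python below parses the raw AVC record from the description and derives the single narrow CIL rule proposed in comment 6, merging repeated denials per source type, target and class. The function names parse_avc and cil_rules are hypothetical, and SAMPLE_AVC is the audit line copied from this report.

```python
import re
from collections import defaultdict

# The raw audit record quoted in the bug description above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1466793837.663:1360): avc:  denied  { setrlimit } for  '
    'pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 '
    'tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group(1).split()
    # An SELinux context is user:role:type[:range]; the type is the third field.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def cil_rules(lines):
    """Merge denials into one CIL allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            # Same source and target type is written as "self" in the rule.
            target = 'self' if avc['stype'] == avc['ttype'] else avc['ttype']
            merged[(avc['stype'], target, avc['tclass'])].update(avc['perms'])
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == '__main__':
    for rule in cil_rules([SAMPLE_AVC]):
        print(rule)
```

Reading the generated rule against the denial before loading it matters because `ausearch -c 'zabbix_agentd' --raw | audit2allow -M ...` builds a module from every denial logged for that command name, not only the one under investigation.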
Comment 8 Erik Logtenberg 2016-12-12 14:21:41 EST
The issue is also in F25 now. I think this fix never actually made it into the selinux-policy package. @Lukas, could you please include this fix? It works very well.
Thanks!
Comment 9 Fedora Update System 2017-01-09 09:02:42 EST
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
Comment 10 Fedora Update System 2017-01-09 22:23:21 EST
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
Comment 11 Fedora Update System 2017-02-02 15:50:30 EST
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
