Bug 1393332 - unable to start zabbix agent after upgrade to RHEL 7.3
Summary: unable to start zabbix agent after upgrade to RHEL 7.3
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords: Regression
: 1398721 1415323 (view as bug list)
Depends On:
Blocks: 1393066 1420851
TreeView+ depends on / blocked
 
Reported: 2016-11-09 10:54 UTC by Zdenek Pytela
Modified: 2017-08-14 15:38 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1425309 (view as bug list)
Environment:
Last Closed: 2017-08-01 15:17:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC
Red Hat Knowledge Base (Solution) 2758511 None None None 2016-11-09 13:01 UTC

Description Zdenek Pytela 2016-11-09 10:54:00 UTC
Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.
$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
    ----
    type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc:  denied  { setrlimit } for  pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
    ----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;
     
rhel 7.3:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;

Comment 2 Lukas Vrabec 2016-11-28 09:24:04 UTC
*** Bug 1398721 has been marked as a duplicate of this bug. ***

Comment 3 Robin 2017-01-11 08:47:47 UTC
I'm also seeing this bug. Seems to be the same as described in:

https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998

Comment 4 Lukas Vrabec 2017-02-01 13:54:21 UTC
*** Bug 1415323 has been marked as a duplicate of this bug. ***

Comment 7 Thomas Mueller 2017-05-26 07:09:53 UTC
why is this sill in VERIFIED state? 

Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released?

Comment 8 Milos Malik 2017-05-26 07:37:19 UTC
This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.

Comment 9 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Comment 10 Blair Aitken 2017-08-08 16:38:40 UTC
Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_override } for  pid=27275 comm="zabbix_agentd" capability=1  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_read_search } for  pid=27275 comm="zabbix_agentd" capability=2  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"


Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!

Comment 11 Simon Sekidde 2017-08-10 13:37:31 UTC
(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
> 
> Thanks!

Blair, 

Open a new BZ and attach the raw audit logs.


Note You need to log in before you can comment on or make changes to this bug.