Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1393332

Summary: unable to start zabbix agent after upgrade to RHEL 7.3
Product: Red Hat Enterprise Linux 7 Reporter: Zdenek Pytela <zpytela>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: alwin.laureijs, baitken, desintegr, ewu, fabian.arrotin, gfdsa, iav, jkhradil, khamil8686, lvrabec, mdavis, mgrepl, mmalik, mueller, pasik, pgacek, plautrba, pvrabec, redhat, robin.bjorklin, ssekidde
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1425309 (view as bug list) Environment:
Last Closed: 2017-08-01 15:17:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1393066, 1420851    

Description Zdenek Pytela 2016-11-09 10:54:00 UTC 
Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.
$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
    ----
    type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc:  denied  { setrlimit } for  pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
    ----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;
     
rhel 7.3:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
Comment 2 Lukas Vrabec 2016-11-28 09:24:04 UTC 
*** Bug 1398721 has been marked as a duplicate of this bug. ***
Comment 3 Robin 2017-01-11 08:47:47 UTC 
I'm also seeing this bug. Seems to be the same as described in:

https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998
Comment 4 Lukas Vrabec 2017-02-01 13:54:21 UTC 
*** Bug 1415323 has been marked as a duplicate of this bug. ***
Comment 7 Thomas Mueller 2017-05-26 07:09:53 UTC 
why is this sill in VERIFIED state? 

Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released?
Comment 8 Milos Malik 2017-05-26 07:37:19 UTC 
This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.
Comment 9 errata-xmlrpc 2017-08-01 15:17:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
Comment 10 Blair Aitken 2017-08-08 16:38:40 UTC 
Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_override } for  pid=27275 comm="zabbix_agentd" capability=1  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_read_search } for  pid=27275 comm="zabbix_agentd" capability=2  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"


Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!
Comment 11 Simon Sekidde 2017-08-10 13:37:31 UTC 
(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
> 
> Thanks!

Blair, 

Open a new BZ and attach the raw audit logs.