Bug 1393332 - unable to start zabbix agent after upgrade to RHEL 7.3
unable to start zabbix agent after upgrade to RHEL 7.3
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: Regression
: 1398721 1415323 (view as bug list)
Depends On:
Blocks: 1393066 1420851
  Show dependency treegraph
 
Reported: 2016-11-09 05:54 EST by Zdenek Pytela
Modified: 2017-08-14 11:38 EDT (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1425309 (view as bug list)
Environment:
Last Closed: 2017-08-01 11:17:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2758511 None None None 2016-11-09 08:01 EST
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 13:50:24 EDT

  None (edit)
Description Zdenek Pytela 2016-11-09 05:54:00 EST
Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.
$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
    ----
    type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc:  denied  { setrlimit } for  pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
    ----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;
     
rhel 7.3:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
Comment 2 Lukas Vrabec 2016-11-28 04:24:04 EST
*** Bug 1398721 has been marked as a duplicate of this bug. ***
Comment 3 Robin 2017-01-11 03:47:47 EST
I'm also seeing this bug. Seems to be the same as described in:

https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998
Comment 4 Lukas Vrabec 2017-02-01 08:54:21 EST
*** Bug 1415323 has been marked as a duplicate of this bug. ***
Comment 7 Thomas Mueller 2017-05-26 03:09:53 EDT
why is this sill in VERIFIED state? 

Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released?
Comment 8 Milos Malik 2017-05-26 03:37:19 EDT
This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.
Comment 9 errata-xmlrpc 2017-08-01 11:17:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
Comment 10 Blair Aitken 2017-08-08 12:38:40 EDT
Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_override } for  pid=27275 comm="zabbix_agentd" capability=1  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_read_search } for  pid=27275 comm="zabbix_agentd" capability=2  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"


Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!
Comment 11 Simon Sekidde 2017-08-10 09:37:31 EDT
(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
> 
> Thanks!

Blair, 

Open a new BZ and attach the raw audit logs.

Note You need to log in before you can comment on or make changes to this bug.