1393332 – unable to start zabbix agent after upgrade to RHEL 7.3

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1393332 - unable to start zabbix agent after upgrade to RHEL 7.3

Summary: unable to start zabbix agent after upgrade to RHEL 7.3

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1398721 1415323 (view as bug list)
Depends On:
Blocks:	1393066 1420851
TreeView+	depends on / blocked

Reported:	2016-11-09 10:54 UTC by Zdenek Pytela
Modified:	2020-09-10 09:56 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1425309 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:17:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2758511	0	None	None	None	2016-11-09 13:01:14 UTC
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Zdenek Pytela 2016-11-09 10:54:00 UTC

Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run setrlimit syscall as it is denied by selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.
$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
    ----
    type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
    type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc:  denied  { setrlimit } for  pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
    ----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;
     
rhel 7.3:
    # sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
    Found 1 semantic av rules:
       allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;

Comment 2 Lukas Vrabec 2016-11-28 09:24:04 UTC

*** Bug 1398721 has been marked as a duplicate of this bug. ***

Comment 3 Robin 2017-01-11 08:47:47 UTC

I'm also seeing this bug. Seems to be the same as described in:

https://bugzilla.redhat.com/show_bug.cgi?id=1323518
https://bugzilla.redhat.com/show_bug.cgi?id=1349998

Comment 4 Lukas Vrabec 2017-02-01 13:54:21 UTC

*** Bug 1415323 has been marked as a duplicate of this bug. ***

Comment 7 Thomas Mueller 2017-05-26 07:09:53 UTC

why is this sill in VERIFIED state? 

Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED i would expect that the update should have been released?

Comment 8 Milos Malik 2017-05-26 07:37:19 UTC

This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.

Comment 9 errata-xmlrpc 2017-08-01 15:17:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Comment 10 Blair Aitken 2017-08-08 16:38:40 UTC

Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_override } for  pid=27275 comm="zabbix_agentd" capability=1  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc:  denied  { dac_read_search } for  pid=27275 comm="zabbix_agentd" capability=2  scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"


Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!

Comment 11 Simon Sekidde 2017-08-10 13:37:31 UTC

(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
> 
> Thanks!

Blair, 

Open a new BZ and attach the raw audit logs.

Note You need to log in before you can comment on or make changes to this bug.

alwin.laureijs
baitken
desintegr
ewu
fabian.arrotin
gfdsa
iav
jkhradil
khamil8686
lvrabec
mdavis
mgrepl
mmalik
mueller
pasik
pgacek
plautrba
pvrabec
redhat
robin.bjorklin
ssekidde