Description of problem:
After update to RHEL 7.3, zabbix stopped working. The zabbix agent is not able to run the setrlimit syscall as it is denied by the selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7.noarch
zabbix-agent-3.2.1-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Update to RHEL 7.3
2. Start the zabbix-agent service

Actual results:
Service start failed.

$ ausearch -i -m avc -if var/log/audit/audit.log | head -n 4
----
type=SYSCALL msg=audit(11/07/16 00:30:26.452:96350) : arch=x86_64 syscall=setrlimit success=no exit=-13(Permission denied) a0=RLIMIT_CORE a1=0x7ffe3e023a10 a2=0x0 a3=0x7ffe3e023790 items=0 ppid=1 pid=21822 auid=unset uid=openvpn gid=chrony euid=openvpn suid=openvpn fsuid=openvpn egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc: denied { setrlimit } for pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
----

Expected results:
<no avc found>

Additional info:
Worked in RHEL up to 7.2. See also some difference in policy:

rhel 7.2:
# sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
Found 1 semantic av rules:
allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession setpgid getcap getattr setrlimit } ;

rhel 7.3:
# sesearch -s zabbix_agent_t -t zabbix_agent_t -c process -A
Found 1 semantic av rules:
allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
*** Bug 1398721 has been marked as a duplicate of this bug. ***
I'm also seeing this bug. Seems to be the same as described in: https://bugzilla.redhat.com/show_bug.cgi?id=1323518 https://bugzilla.redhat.com/show_bug.cgi?id=1349998
*** Bug 1415323 has been marked as a duplicate of this bug. ***
Why is this still in VERIFIED state? Reading https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow#VERIFIED I would expect that the update should have been released?
This is a RHEL bug, RHEL workflow is different from Fedora. selinux-policy packages which contain the fix will be available as soon as RHEL-7.4 goes out.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861
Customer is hitting a problem with this:

"..it seems there is one additional rule that is still missing in latest selinux-policy with RHEL74:

Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_override } for pid=27275 comm="zabbix_agentd" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_read_search } for pid=27275 comm="zabbix_agentd" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 ld-dbn-cddkr001 zabbix_agentd[27275]: zabbix_agentd [27275]: cannot open config file "/etc/zabbix/zabbix_agentd.conf": [13] Permission denied

We would need redhat to add the following rule into future selinux-policy:

allow zabbix_agent_t zabbix_agent_t : capability { dac_override dac_read_search } ;"

Do you want me to open a new bug for this? Or should this be appended to this one?

Thanks!
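Both the setrlimit denial in the original report and the dac_override/dac_read_search denials quoted above are the same kind of record: an AVC line naming the source domain, target type, object class and the missing permission. The script below is an added example (not part of the bug thread, and not Red Hat's or Zabbix's code) that parses such lines in both the ausearch -i form and the raw kernel-log form, merges them into the allow rules a local policy module would need, renders a .te file in the layout audit2allow produces, and flags permissions that are usually better addressed by fixing file ownership than by granting a capability. The sample log lines are constructed from the ones in this thread; the module name zabbix_local is an arbitrary placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in this bug, one in
# ausearch -i format (context=) and two in raw kernel-log format (scontext=).
SAMPLE_AVCS = """\
type=AVC msg=audit(11/07/16 00:30:26.452:96350) : avc: denied { setrlimit } for pid=21822 comm=zabbix_agentd context=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
Aug 08 10:22:00 host kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_override } for pid=27275 comm="zabbix_agentd" capability=1 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
Aug 08 10:22:00 host kernel: type=1400 audit(1502205720.446:25105): avc: denied { dac_read_search } for pid=27275 comm="zabbix_agentd" capability=2 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability
"""

# One regex for both formats: \b keeps "context=" from matching inside "scontext=".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\b(?:scontext|context)=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Capability permissions that bypass DAC ownership/mode checks entirely. A denial
# here usually means the file the daemon wants is owned by the wrong user or has
# the wrong mode; fixing that is preferable to granting the capability in policy.
BROAD_PERMS = {
    ("capability", "dac_override"),
    ("capability", "dac_read_search"),
    ("capability", "sys_admin"),
}


def domain_type(context):
    """Return the type field (third component) of an SELinux security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Extract (perms, source type, target type, class) from every AVC line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL line or daemon output)
        records.append({
            "perms": m.group("perms").split(),
            "stype": domain_type(m.group("scontext")),
            "ttype": domain_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def suggest_allow_rules(records):
    """Merge denials per (source, target, class) into sesearch-style allow rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        f"allow {s} {t} : {cls} {{ {' '.join(sorted(perms))} }} ;"
        for (s, t, cls), perms in sorted(merged.items())
    ]


def flag_broad_grants(records):
    """Permissions from BROAD_PERMS that the rules would grant; review these first."""
    return sorted({p for r in records for p in r["perms"]
                   if (r["tclass"], p) in BROAD_PERMS})


def render_te_module(records, name="zabbix_local"):
    """Render a policy module source (.te) with the require block audit2allow emits."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes = defaultdict(set)
    for r in records:
        classes[r["tclass"]].update(r["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += suggest_allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    print(render_te_module(recs))
    broad = flag_broad_grants(recs)
    if broad:
        print("# review before granting: " + ", ".join(broad))
```

The rendered .te text can be compiled and loaded the same way an audit2allow module is (checkmodule -M -m -o zabbix_local.mod zabbix_local.te, semodule_package -o zabbix_local.pp -m zabbix_local.mod, semodule -i zabbix_local.pp). The flag_broad_grants output is the check worth running first: in the quoted case the daemon could not open /etc/zabbix/zabbix_agentd.conf, and a dac_override denial next to a "Permission denied" on a config file is the pattern you get when the file's owner or mode does not match the user the service runs as, which is fixed with chown/chmod rather than with a policy grant.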
(In reply to Blair Aitken from comment #10)
>
> Do you want me to open a new bug for this? Or should this be appended to
> this one?
>
> Thanks!

Blair,

Open a new BZ and attach the raw audit logs.