Bug 1415323 - Zabbix-agent 3.0.7-1.el7 selinux policy missing TE (Type Enforcement) rule
Status: CLOSED DUPLICATE of bug 1393332
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
Reported: 2017-01-20 21:04 UTC by Kyle Hamilton
Modified: 2017-02-01 13:54 UTC (History)
Last Closed: 2017-02-01 13:54:21 UTC
Attachments
audit2allow -w -a output (785.25 KB, text/plain)
2017-01-20 21:04 UTC, Kyle Hamilton

Description Kyle Hamilton 2017-01-20 21:04:59 UTC
Created attachment 1243002
audit2allow -w -a output

Description of problem:
  Cannot start zabbix-agent with selinux enforcing after updating to 3.0.7-1.el7

Version-Release number of selected component (if applicable):
  3.0.7-1.el7

How reproducible:
  Happened on 3 of my servers right after update

Steps to Reproduce:
1. Update to zabbix-agent 3.0.7-1.el7
2. Run systemctl start zabbix-agent

Actual results:
  Service fails to start

Expected results:
  Service starts

Additional info:
  Reporting because this page told me to: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html


##### sudo audit2allow -a #####

#============= logrotate_t ==============
allow logrotate_t init_t:service reload;

#============= named_t ==============

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:dir write;

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t user_home_t:file read;

#============= unconfined_t ==============
allow unconfined_t init_t:service enable;
allow unconfined_t zabbix_agent_t:file relabelto;

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;


#####  #####

Comment 2 Milos Malik 2017-01-23 05:51:20 UTC
#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;

Is already reported in BZ#1393332.

Comment 3 Lukas Vrabec 2017-02-01 13:54:21 UTC

*** This bug has been marked as a duplicate of bug 1393332 ***
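
The `audit2allow -a` output in the description mixes rules for five unrelated domains, while only the `zabbix_agent_t` rule concerns this bug. The following is an added example, not part of the original report or of the selinux-policy project: it extracts the rules for one source domain from such output and emits a minimal local policy module for review. The function name `scoped_module` and the module name `zabbix_agent_setrlimit` are hypothetical.

```python
import re

# Sample input: the `audit2allow -a` output quoted in the description above.
SAMPLE = """\
#============= logrotate_t ==============
allow logrotate_t init_t:service reload;

#============= named_t ==============

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:dir write;

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t user_home_t:file read;

#============= unconfined_t ==============
allow unconfined_t init_t:service enable;
allow unconfined_t zabbix_agent_t:file relabelto;

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;
"""

# allow <source> <target>:<class> <perm | { perm perm ... }>;
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$")

def scoped_module(audit2allow_text, domain, name):
    """Return .te source holding only the allow rules whose source type is `domain`."""
    types, classes, rules = {domain}, {}, []
    for line in audit2allow_text.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != domain:
            continue  # comments, blank lines, and rules for other domains
        _, target, cls, perms = m.groups()
        if target != "self":
            types.add(target)  # every referenced type must be in the require block
        classes.setdefault(cls, set()).update(perms.strip("{} ").split())
        rules.append(line.strip())
    if not rules:
        raise ValueError(f"no allow rules with source type {domain}")
    req = [f"    type {t};" for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        plist = " ".join(sorted(perms))
        req.append(f"    class {cls} {{ {plist} }};" if len(perms) > 1 else f"    class {cls} {plist};")
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "", *rules, ""])

if __name__ == "__main__":
    print(scoped_module(SAMPLE, "zabbix_agent_t", "zabbix_agent_setrlimit"))
```

The printed module can be saved as a `.te` file, compiled with `checkmodule -M -m` and `semodule_package`, and loaded with `semodule -i`; the rules for the other domains are left out and can be assessed on their own.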

