If you're using CentOS, you have probably noticed that we have a CR (Continuous Release) repository containing all the packages already built for the next minor release, so that people can "opt in" and use those packages before they are released with the full installable tree and ISO images.

Using those packages on a subset of your nodes can be interesting, as it lets you catch errors, issues and conflicts before the official release (and so before the symlinks on the mirrors are switched to the new major.minor version).

For example, I tested some of my roles myself and found an issue with zabbix-agent refusing to start on a node fully updated and rebooted with CR packages (so what will become the 7.3.1611 release). The issue was due to SELinux denying something that was allowed in the previous policy.

Here is what SELinux had to say about it (from the audit log):

type=AVC msg=audit(1480001303.440:2626): avc:  denied  { setrlimit } for  pid=22682 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process

There was indeed an update of the SELinux policy: from selinux-policy-3.13.1-60.el7_2.9.noarch to selinux-policy-3.13.1-102.el7.noarch.

What's interesting is that I found the same issue already reported on the Zabbix side, but for zabbix-server (here it's the agent that is affected, the server is running fine): ZBX-10542

Clearly something that was working before is now denied, so I created a bug report and hopefully a fix will come in an updated selinux-policy package. But I doubt that it will be available soon.

So in the meantime, what you have to do is:

  • either put zabbix_agent_t into permissive mode with semanage permissive -a zabbix_agent_t (the rest of the system stays enforcing, but every action of that domain is then only logged, not blocked)
  • or build and distribute a custom SELinux policy module in your infra (the preferred method for me, as it only allows the one denied permission)

For those interested, the following .te (type enforcement) source will allow you to build a custom .pp SELinux policy module (that you can load with semodule -i):

module local-zabbix 1.0;

require {
    type zabbix_agent_t;
    class process setrlimit;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t self:process setrlimit;
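On a CentOS node you would normally let audit2allow write that .te for you (audit2allow -M local-zabbix < denials), then compile it with checkmodule -M -m -o local-zabbix.mod local-zabbix.te, package it with semodule_package -o local-zabbix.pp -m local-zabbix.mod and load it with semodule -i local-zabbix.pp. To show what audit2allow actually does with an AVC line like the one above, here is a small generator I added for this post (it is not code from the original post nor from the SELinux tools): it parses the denial, extracts the source and target types, the object class and the permissions, and emits a .te module with a require block and one allow rule per (source, target, class), using self when source and target type are identical. The audit sample below is constructed: the first line is the real denial from the post, the second is a hypothetical extra denial for the same domain, added only to show how several denials are grouped.

```python
"""Minimal audit2allow-style generator: turn AVC denials into a .te module.

Added example for this post; not the SELinux project's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the post, line 2 is
# a hypothetical second denial (proc_t/file/getattr) added only to demonstrate
# grouping of several denials in one module.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480001303.440:2626): avc:  denied  { setrlimit } for  pid=22682 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process
type=AVC msg=audit(1480001303.441:2627): avc:  denied  { getattr } for  pid=22682 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Pull out the permission set, both contexts and the object class of an AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:mls]."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL records); skip it
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def build_te(module_name, audit_text, version="1.0"):
    """Build a type-enforcement (.te) module allowing every parsed denial."""
    rules = defaultdict(set)        # (stype, ttype, tclass) -> permissions
    types, classes = set(), defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(audit_text):
        rules[(stype, ttype, tclass)] |= perms
        types.update((stype, ttype))
        classes[tclass] |= perms

    def fmt(perms):
        # SELinux syntax: a single permission is bare, several go in braces.
        plist = " ".join(sorted(perms))
        return f"{{ {plist} }}" if len(perms) > 1 else plist

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # A rule on the domain's own processes is written against "self".
        target = "self" if stype == ttype else ttype
        lines.append(f"allow {stype} {target}:{tclass} {fmt(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te("local-zabbix", SAMPLE_AUDIT), end="")
```

Feeding only the first sample line reproduces the local-zabbix module shown above. Remember that this only mirrors what has been denied so far: a second run after loading the module may reveal a further denial that was hidden behind the first one, which is why testing in permissive mode for the domain first gives you the complete list.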

You can now use your configuration management platform to distribute that built .pp module (you don't need to build it on every node, only on one host with the same policy version; the resulting .pp is then loaded everywhere with semodule -i). I won't dive into the details here, but I wrote some slides around this (for Ansible and Puppet) for a talk I gave some time ago, so feel free to read those, especially the last slides (with examples).