Bug 1000166

Summary: collectd-python: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
Product: [Fedora] Fedora
Reporter: Piotr Popieluch <piotr1212>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-73.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-24 22:28:52 UTC
Type: Bug

Attachments:
selinux module .te file

Description Piotr Popieluch 2013-08-22 20:41:03 UTC
Created attachment 789361
selinux module .te file

Description of problem:
When using any Python collectd plugin, SELinux blocks collectd from reading and opening /etc/passwd.
It seems that Python tries to do a getpwuid(), which fails:

Aug 22 21:31:20 fedora19 systemd[1]: Starting Collectd...
Aug 22 21:31:20 fedora19 systemd[1]: Started Collectd.
Aug 22 21:31:20 fedora19 collectd[1470]: Traceback (most recent call last):
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 552, in <module>
Aug 22 21:31:20 fedora19 collectd[1470]: main()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 534, in main
Aug 22 21:31:20 fedora19 collectd[1470]: known_paths = addusersitepackages(known_paths)
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 266, in addusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_site = getusersitepackages()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 241, in getusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_base = getuserbase() # this will also set USER_BASE
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 231, in getuserbase
Aug 22 21:31:20 fedora19 collectd[1470]: USER_BASE = get_config_var('userbase')
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 516, in get_config_var
Aug 22 21:31:21 fedora19 collectd[1470]: return get_config_vars().get(name)
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 473, in get_config_vars
Aug 22 21:31:21 fedora19 collectd[1470]: _CONFIG_VARS['userbase'] = _getuserbase()
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 187, in _getuserbase
Aug 22 21:31:21 fedora19 collectd[1470]: return env_base if env_base else joinuser("~", ".local")
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 173, in joinuser
Aug 22 21:31:21 fedora19 collectd[1470]: return os.path.expanduser(os.path.join(*args))
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/posixpath.py", line 269, in expanduser
Aug 22 21:31:21 fedora19 collectd[1470]: userhome = pwd.getpwuid(os.getuid()).pw_dir
Aug 22 21:31:21 fedora19 collectd[1470]: KeyError: 'getpwuid(): uid not found: 0'
Aug 22 21:31:21 fedora19 systemd[1]: collectd.service: main process exited, code=exited, status=1/FAILURE
Aug 22 21:31:21 fedora19 systemd[1]: Unit collectd.service entered failed state.
Aug 22 21:31:21 fedora19 setroubleshoot: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l adc00699-ae23-4b45-b9f7-93c1761ae1a8


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-71.fc19
collectd-5.2.1-1.fc19.i686


How reproducible:
Run collectd with any python plugin.

Steps to Reproduce:
1. Install any Python plugin in collectd. (I'm using this one https://collectd.org/wiki/index.php/Gearman but the problem exists with any Python collectd module)
2. Start collectd

Actual results:
collectd crashes, /var/log/messages shows:
SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
SELinux is preventing /usr/sbin/collectd from open access on the file /etc/passwd.



Expected results:
collectd to run properly.

Additional info:
audit2allow generates the following module which fixes the problem:

grep collectd /var/log/audit/audit.log | audit2allow -M collectd_python
cat collectd_python.te 

module collectd_python 1.0;

require {
	type collectd_t;
	type passwd_file_t;
	class file { read open };
}

#============= collectd_t ==============
allow collectd_t passwd_file_t:file { read open };
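
Added example, not part of the original report and not audit2allow's own code: a small parser that reads AVC denial records and shows which allow rules a text-level `grep collectd` would produce compared with filtering on the source type collectd_t. The audit records are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the bug report). The collectd_t and
# passwd_file_t types and the read/open permissions follow the module quoted above;
# the logrotate record is invented to show what a plain `grep collectd` also matches.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1377199880.101:301): avc:  denied  { read } for  pid=1470 comm="collectd" name="passwd" dev="dm-1" ino=1001 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1377199880.101:301): arch=40000003 syscall=5 success=no exit=-13 comm="collectd" exe="/usr/sbin/collectd"
type=AVC msg=audit(1377199940.202:317): avc:  denied  { read open } for  pid=1502 comm="collectd" path="/etc/passwd" dev="dm-1" ino=1001 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1377199950.303:320): avc:  denied  { getattr } for  pid=1610 comm="logrotate" path="/var/log/collectd.log" dev="dm-1" ino=2002 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no denial
        stype = selinux_type(m.group("scon"))
        if source_type is not None and stype != source_type:
            continue  # denial belongs to a different domain
        key = (stype, selinux_type(m.group("tcon")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)

def render_rules(denials):
    """Render allow rules in .te syntax, one per (source, target, class)."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    print("Every AVC denial on a line containing 'collectd':")
    print("\n".join(render_rules(collect_denials(SAMPLE_AUDIT_LOG))))
    print("Restricted to source type collectd_t:")
    print("\n".join(render_rules(collect_denials(SAMPLE_AUDIT_LOG, "collectd_t"))))
```

Reading the rule list before loading a generated module shows whether it grants only the collectd_t access to passwd_file_t or also picks up denials from unrelated domains.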

Comment 1 Lukas Vrabec 2013-08-23 08:10:19 UTC
Hi Piotr, 

Could you paste here your AVC logs relating to collectd?

Comment 3 Fedora Update System 2013-08-23 15:12:53 UTC
selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19

Comment 4 Fedora Update System 2013-08-23 23:59:31 UTC
Package selinux-policy-3.12.1-73.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-08-24 22:28:52 UTC
selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.