Bug 1206525
| Summary: | pmie and pmlogger do not run in dedicated domains | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Zarsky <jzarsky> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.3 | CC: | lmiksik, lvrabec, mgrepl, mmalik, mprchlik, pdwyer, plautrba, pvrabec, ssekidde, tlavigne |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-98.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:18:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Milos Malik
2015-03-27 11:01:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

As automated TC (/CoreOS/selinux-policy/Regression/pcp-daemons-and-similar) found out, pmlogger and pmie still run as unconfined_service_t when started by systemd.

Version-Release number of selected component (if applicable):
pcp-3.11.3-4.el7.ppc64
selinux-policy-3.13.1-96.el7.noarch

Actual results:
```
# grep "ExecStart" /usr/lib/systemd/system/pmie.service
ExecStart=/usr/share/pcp/lib/pmie start
# matchpathcon /usr/share/pcp/lib/pmie
/usr/share/pcp/lib/pmie system_u:object_r:lib_t:s0
# grep "ExecStart" /usr/lib/systemd/system/pmlogger.service
ExecStart=/usr/share/pcp/lib/pmlogger start
# matchpathcon /usr/share/pcp/lib/pmlogger
/usr/share/pcp/lib/pmlogger system_u:object_r:lib_t:s0
```

Expected results:
```
# matchpathcon /usr/share/pcp/lib/pmlogger
/usr/share/pcp/lib/pmlogger system_u:object_r:pcp_pmlogger_exec_t:s0
# matchpathcon /usr/share/pcp/lib/pmie
/usr/share/pcp/lib/pmie system_u:object_r:pcp_pmie_exec_t:s0
```

Could not start pmlogger service, getting AVCs. Service pmie starts fine.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-97.el7.noarch
pcp-3.11.3-4.el7.x86_64
Actual results:
```
# systemctl start pmcd
# systemctl start pmlogger
Job for pmlogger.service failed because the control process exited with error code. See "systemctl status pmlogger.service" and "journalctl -xe" for details.
```
Running in enforcing mode:
```
# systemctl status pmlogger
● pmlogger.service - Performance Metrics Archive Logger
   Loaded: loaded (/usr/lib/systemd/system/pmlogger.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-09-07 04:15:19 EDT; 8s ago
     Docs: man:pmlogger(1)
  Process: 25967 ExecStop=/usr/share/pcp/lib/pmlogger stop (code=exited, status=1/FAILURE)
  Process: 25975 ExecStart=/usr/share/pcp/lib/pmlogger start (code=exited, status=1/FAILURE)
 Main PID: 25975 (code=exited, status=1/FAILURE)

Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: Unit pmlogger.service entered failed state.
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: pmlogger.service failed.
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: Starting Performance Metrics Archive Logger...
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com pmlogger[25975]: /etc/pcp.env: line 46: /usr/bin/sed: Permission denied
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com pmlogger[25975]: /etc/pcp.env: line 46: /usr/bin/awk: Permission denied
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com pmlogger[25975]: /usr/share/pcp/lib/pmlogger: line 37: /lib/rc-proc.sh: No such file or directory
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: pmlogger.service: main process exited, code=exited, status=1/FAILURE
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: Failed to start Performance Metrics Archive Logger.
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: Unit pmlogger.service entered failed state.
Sep 07 04:15:19 qeos-124.lab.eng.rdu2.redhat.com systemd[1]: pmlogger.service failed.
```
```
# ausearch -m avc
----
time->Wed Sep 7 04:01:38 2016
type=SYSCALL msg=audit(1473235298.845:356): arch=c000003e syscall=2 success=no exit=-13 a0=7fdbba82aa5d a1=80000 a2=1b6 a3=24 items=0 ppid=1 pid=8924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pmlogger" exe="/usr/bin/bash" subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
type=AVC msg=audit(1473235298.845:356): avc: denied { read } for pid=8924 comm="pmlogger" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Wed Sep 7 04:01:38 2016
type=SYSCALL msg=audit(1473235298.847:357): arch=c000003e syscall=21 success=no exit=-13 a0=11e74c0 a1=1 a2=7ffc7f36b670 a3=7ffc7f36b4c0 items=0 ppid=8925 pid=8926 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pmlogger" exe="/usr/bin/bash" subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
type=AVC msg=audit(1473235298.847:357): avc: denied { execute } for pid=8926 comm="pmlogger" name="sed" dev="dm-1" ino=3681 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
... (lots of similar 'denied { execute }' for tcontext bin_t)
```
```
# ausearch -m avc | audit2allow
#============= pcp_pmlogger_t ==============
#!!!! WARNING: 'bin_t' is a base type.
allow pcp_pmlogger_t bin_t:file execute;
allow pcp_pmlogger_t proc_t:file read;
```
Running in permissive mode:
```
# ausearch -m avc
(too long - see attachment)
```
```
# ausearch -m avc | audit2allow
#============= pcp_pmlogger_t ==============
#!!!! WARNING: 'bin_t' is a base type.
allow pcp_pmlogger_t bin_t:file { execute execute_no_trans };
allow pcp_pmlogger_t hostname_exec_t:file { execute execute_no_trans getattr open read };
#!!!! The file '/run/systemd/private' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/systemd/private
allow pcp_pmlogger_t init_t:unix_stream_socket connectto;
allow pcp_pmlogger_t initrc_var_run_t:file { lock open read };
allow pcp_pmlogger_t proc_t:dir read;
allow pcp_pmlogger_t proc_t:file { getattr open read };
allow pcp_pmlogger_t self:capability { chown net_admin };
#!!!! WARNING: 'shell_exec_t' is a base type.
allow pcp_pmlogger_t shell_exec_t:file { execute execute_no_trans };
allow pcp_pmlogger_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
allow pcp_pmlogger_t systemd_unit_file_t:file getattr;
```
Created attachment 1198579 [details]
AVCs when starting pmlogger in permissive mode
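The audit2allow listings in the comment above are a grouping of the raw AVC records by source type, target type and object class, with a warning whenever the target is a broad base type such as bin_t. The script below is an added example (not PCP, selinux-policy or audit2allow code) that reproduces that grouping over constructed ausearch-style lines in the format shown above; the BASE_TYPES set is an assumed short list for the example, not the policy's definition.

```python
import re
from collections import defaultdict

# Base types in the reference policy: an allow rule on them is far broader than one
# target (hence audit2allow's WARNING). Assumed short list for this example only.
BASE_TYPES = {"bin_t", "shell_exec_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]

def summarize(lines):
    """Group AVC denials by (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, '----' separators and time-> lines are skipped
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return summary

def render(summary):
    """Emit audit2allow-style allow rules, one per group, warning on base types."""
    out = []
    for stype, ttype, tclass in sorted(summary):
        perms = sorted(summary[(stype, ttype, tclass)])
        if ttype in BASE_TYPES:
            out.append(f"#!!!! WARNING: '{ttype}' is a base type.")
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

# Constructed ausearch-style records in the format shown in this report (not the attachment).
SAMPLE = """\
----
time->Wed Sep 7 04:01:38 2016
type=SYSCALL msg=audit(1473235298.845:356): arch=c000003e syscall=2 success=no exit=-13 comm="pmlogger" subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
type=AVC msg=audit(1473235298.845:356): avc: denied { read } for pid=8924 comm="pmlogger" name="meminfo" dev="proc" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1473235298.847:357): avc: denied { execute } for pid=8926 comm="pmlogger" name="sed" dev="dm-1" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1473235298.850:358): avc: denied { execute_no_trans } for pid=8926 comm="pmlogger" name="sed" dev="dm-1" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE.splitlines()))))
```

A base-type warning in this output is the cue to fix labelling (here, the missing pcp_pmlogger_exec_t transition) rather than to load the generated rule as-is.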
*** Bug 1377804 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html