Bug 1211520
| Summary: | pmcd daemon (from pcp suite) requires access to mariadb's socket | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Miloš Prchlík <mprchlik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Kremen <skremen> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | jaster, lvrabec, mgrepl, mmalik, plautrba, pvrabec, skremen, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-31.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1233241 (view as bug list) | Environment: | |
| Last Closed: | 2015-11-19 10:31:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1233241 | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:

When user wants to monitor MariaDB (or MySQL) state using PCP, pmdamysql agent is available for this task. It connects to running database server instance and queries several runtime statistics. Unfortunately pmcd daemon that actually runs pmdamysql is not allowed to access database server's socket:

```
type=AVC msg=audit(1428587242.784:1279): avc: denied { write } for pid=57064 comm="perl" name="mysql.sock" dev="dm-0" ino=101577429 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428587242.784:1279): avc: denied { connectto } for pid=57064 comm="perl" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1428587242.784:1279): arch=80000016 syscall=102 success=yes exit=0 a0=3 a1=3ffffee59a8 a2=0 a3=3fffcf3c7f8 items=0 ppid=55926 pid=57064 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
```

I used this policy as a workaround (created using audit2allow -m pmdamysql-mysql-socket):

```
# Local policy module generated by audit2allow from the AVCs above.
module pmdamysql-mysql-socket 1.0;

require {
	type mysqld_db_t;
	type mysqld_t;
	type mysqld_var_run_t;
	type pcp_pmcd_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t mysqld_db_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow pcp_pmcd_t mysqld_t:unix_stream_socket connectto;
allow pcp_pmcd_t mysqld_var_run_t:sock_file write;
```

Version-Release number of selected component (if applicable):
mariadb-server-5.5.41-2.el7_0
selinux-policy-3.13.1-23.el7
pcp-3.9.10-8.el7

How reproducible:

Steps to Reproduce:
1. systemctl start pmcd.service
2. systemctl start mariadb.service
3. cd /var/lib/pcp/pmdas/mysql
4. ./Install (press 'b' for "both collector and monitor")
5. pminfo -f mysql.status.com_select

Actual results:

pminfo command should yield this output:

```
mysql.status.com_select
    Error: Metric not supported by this version of monitored application
```

"Unsupported" is caused by pmdamysql not being able to connect to database server. Also, /var/log/pcp/pmcd/mysql.log will report failed connections to a MySQL server:

```
DBI connect('mysql','dbmonitor',...) failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) at /var/lib/pcp/pmdas/mysql/pmdamysql.pl line 61.
```

When run in SELinux permissive mode, above mentioned AVCs will pop out.

Expected results:

pminfo should present something like this (# of executed SELECT commands):

```
mysql.status.com_select
    value 2
```

Also no errors in /var/log/pcp/pmcd/mysql.log, no AVCs in permissive mode.

Additional info:
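The AVC-to-rule derivation the reporter did with `audit2allow -m`, as an added example that is not part of the bug report, of PCP, or of the selinux-policy package: a small Python parser that reads raw `type=AVC` records, extracts source type, target type, object class and denied permissions, merges them into `allow` rules and renders a `.te` module in the shape shown above. The sample audit text is constructed here: it repeats the two AVC records quoted in the report and adds one unrelated `httpd_t` record to show that filtering by source domain works. Unlike real `audit2allow`, this script does not know which denials an existing boolean (such as `daemons_enable_cluster_mode`, flagged in the reporter's module) would cover.

```python
"""Derive a minimal SELinux allow-rule set from raw AVC denial records.

Added example (not from the bug report or selinux-policy): mimics the rule
derivation of `audit2allow -m` for the AVCs quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample: the two AVCs from the report plus one unrelated httpd_t
# denial and one SYSCALL record, so filtering and record selection are visible.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1428587242.784:1279): avc:  denied  { write } for  pid=57064 comm="perl" name="mysql.sock" dev="dm-0" ino=101577429 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428587242.784:1279): avc:  denied  { connectto } for  pid=57064 comm="perl" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1428587242.784:1279): arch=80000016 syscall=102 success=yes exit=0 subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1428587300.001:1300): avc:  denied  { read } for  pid=1 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record per line: denied { perms } ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avcs(text, source_domain=None):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC record.

    If source_domain is given, records from other source domains are skipped.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other non-AVC records
        src = context_type(m.group('scontext'))
        if source_domain and src != source_domain:
            continue
        yield (src, context_type(m.group('tcontext')), m.group('tclass'),
               frozenset(m.group('perms').split()))


def allow_rules(text, source_domain=None):
    """Collapse denials into allow rules keyed by (src, tgt, class), merging perms."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text, source_domain):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def fmt_perms(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_module(name, rules):
    """Render a .te module with the require block and allow rules."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {cls} {fmt_perms(p)};' for cls, p in sorted(classes.items())]
    lines += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f'allow {src} {tgt}:{cls} {fmt_perms(perms)};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Only denials whose source domain is the PCP collector are of interest here.
    print(render_module('pmdamysql-mysql-socket',
                        allow_rules(SAMPLE_AUDIT, 'pcp_pmcd_t')))
```

Run it over `ausearch -m AVC -ts recent` output (or `/var/log/audit/audit.log`) with the daemon's domain as the filter. Two things worth noticing: the two AVCs quoted in the report justify exactly two rules, so the `mysqld_db_t:dir search` rule in the reporter's module must have come from a denial that is not quoted; and a local module like this grants `pcp_pmcd_t` a standing right to connect to `mysqld_t`, which is not revisited when the distribution policy changes, so the boolean that `audit2allow` points at, or the fixed `selinux-policy-3.13.1-31.el7` package, is the better long-term answer.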