Bug 1213709
| Summary: | pcp: root pmda needs access to /var/lib/pcp/tmp/pmcd/root.socket | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Miloš Prchlík <mprchlik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-31.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1232193 (view as bug list) | Environment: | |
| Last Closed: | 2015-11-19 10:32:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1232193 | | |
[root@rhel70 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-27.el7.noarch
[root@rhel70 ~]# audit2allow
type=AVC msg=audit(1429597620.493:1231): avc: denied { create } for pid=13788 comm="pmdaroot" name="root.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1429597620.493:1232): avc: denied { write } for pid=13784 comm="pmcd" name="root.socket" dev="dm-1" ino=70380827 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1429597620.493:1232): avc: denied { connectto } for pid=13784 comm="pmcd" path="/var/lib/pcp/tmp/pmcd/root.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1429597640.133:1234): avc: denied { unlink } for pid=13788 comm="pmdaroot" name="root.socket" dev="dm-1" ino=70380827 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file
#============= pcp_pmcd_t ==============
#!!!! This avc is allowed in the current policy
allow pcp_pmcd_t pcp_var_lib_t:sock_file { write create unlink };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow pcp_pmcd_t self:unix_stream_socket connectto;
[root@rhel70 ~]#
The unix_stream_socket connectto is allowed via a boolean; is this intentional?
Please avoid the daemons_enable_cluster_mode boolean. It's meant for cluster purposes only. The scenario described in comment#0 should work even if the boolean is disabled, which means that the last rule suggested by audit2allow is still missing in selinux-policy-3.13.1-27.el7.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:
pmdaroot tries to create and use a unix socket, and these actions raise AVC denials:

type=AVC msg=audit(1429597620.493:1231): avc: denied { create } for pid=13788 comm="pmdaroot" name="root.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1429597620.493:1232): avc: denied { write } for pid=13784 comm="pmcd" name="root.socket" dev="dm-1" ino=70380827 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1429597620.493:1232): avc: denied { connectto } for pid=13784 comm="pmcd" path="/var/lib/pcp/tmp/pmcd/root.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1429597640.133:1234): avc: denied { unlink } for pid=13788 comm="pmdaroot" name="root.socket" dev="dm-1" ino=70380827 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=sock_file

[root@ibm-p730-02-lp3 root]# ls -alZ /var/lib/pcp/tmp/pmcd
drwx------. root root system_u:object_r:pcp_var_lib_t:s0 .
drwxrwxr-x. pcp pcp system_u:object_r:pcp_var_lib_t:s0 ..
srwxr-xr-x. root root unconfined_u:object_r:pcp_var_lib_t:s0 root.socket

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7
pcp-3.10.4-1 (quite recent upstream build, this time taken from Fedora)

How reproducible:

Steps to Reproduce:
1. cd /var/lib/pcp/pmdas/root
2. ./Install
3.

Actual results:

Expected results:

Additional info: