Bug 1219900

Summary: no selinux policies for rrdtool, httpd accessing gmetad port, 8652
Product: Red Hat Enterprise Linux 6
Reporter: Dan Yocum <dyocum>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.6
CC: dwalsh, dyocum, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1220663 1260536
Environment:
Last Closed: 2015-11-09 14:44:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dan Yocum 2015-05-08 15:58:21 UTC
Description of problem:

Attempting to run ganglia-gmetad fails with selinux problems.

Issue #1:
	
type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

solved by:

chcon -t httpd_sys_script_exec_t /usr/bin/rrdtool
chcon -t httpd_sys_content_t /var/lib/ganglia/rrds -R

and installing this .te file as a work-around.

###
module rrdtool-setattr-fontconfig 1.0;

require {
        type httpd_t;
        type httpd_sys_script_t;
        type fonts_cache_t;
        class dir setattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t fonts_cache_t:dir setattr;

#============= httpd_t ==============
allow httpd_t fonts_cache_t:dir setattr;
###

Issue #2:

type=AVC msg=audit(1380480626.847:1764): avc:  denied  { name_connect } for  pid=2016 comm="httpd" dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


solved by installing this .te file:

###
module http-gangliagmetad-port 1.0;

require {
        type httpd_t;
        type port_t;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;
###

For more reference see this URL:

http://maciek.lasyk.info/sysop/2013/09/29/selinux-ganglia-multicast-apache-rrds/

Comment 2 Milos Malik 2015-05-12 06:27:21 UTC
# rpm -qa selinux-policy\*
selinux-policy-3.7.19-265.el6.noarch
selinux-policy-targeted-3.7.19-265.el6.noarch
selinux-policy-doc-3.7.19-265.el6.noarch
selinux-policy-mls-3.7.19-265.el6.noarch
selinux-policy-minimum-3.7.19-265.el6.noarch
#

The 8652 port is not labeled in default policy:

# seinfo --portcon=8652
#

Comment 3 Milos Malik 2015-05-12 06:30:19 UTC
The following AVC appeared in enforcing mode:
----
type=SOCKADDR msg=audit(05/12/2015 08:25:00.856:95) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:25:00.856:95) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x35 a1=0x7f48a4fb54e0 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12288 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:25:00.856:95) : avc:  denied  { name_connect } for  pid=12288 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

The following AVCs appeared in permissive mode:
----
type=PATH msg=audit(05/12/2015 08:27:35.360:122) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=77386 dev=fc:03 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(05/12/2015 08:27:35.360:122) :  cwd=/usr/share/ganglia 
type=SYSCALL msg=audit(05/12/2015 08:27:35.360:122) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f48cd83ac30 a1=0777 a2=0x21 a3=0x7f48a4f51d28 items=1 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 
----
type=SOCKADDR msg=audit(05/12/2015 08:27:35.274:121) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:27:35.274:121) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x35 a1=0x7f48a4fb4fe8 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.274:121) : avc:  denied  { name_connect } for  pid=12289 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

Comment 5 Milos Malik 2015-05-12 06:41:22 UTC
Here is a workaround for the { name_connect } AVC:

# semanage port -a -t http_port_t -p tcp 8652
# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8652
#

Comment 7 Dan Yocum 2015-05-19 13:20:13 UTC
Ganglia?  Yes, EPEL. 

rrdtool?  No, RHEL.

Comment 13 Dan Yocum 2015-11-09 15:00:56 UTC
What's the cloned BZ number?

Comment 14 Milos Malik 2015-12-03 08:43:35 UTC
Here is the reason for the { setattr } AVC:

# restorecon -Rv /var
restorecon reset /var/lib/ganglia/conf/events.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/conf/event_color.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/classpath.cache.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_extra.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_host_metric_graphs.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_view.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_overview.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/footer.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/header.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
#
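The three denials in this bug resolve in two different ways: the { name_connect } AVC in the description and comment 3 is a port that carries no label (comment 2), and labeling it as http_port_t (comment 5) is narrower than the reporter's module, because "allow httpd_t port_t:tcp_socket name_connect" lets httpd connect to every unlabeled port; the { setattr } AVC on var_lib_t is a lost httpd_var_lib_t label that restorecon repairs (comment 14), so it needs no allow rule at all. The POSIX sh script below is an added example, not part of this bug report or of selinux-policy; it parses an AVC record and prints the narrowest remediation for the two patterns above, and for anything else (such as the rrdtool fonts_cache_t denial, for which this bug records only an allow rule) it falls back to a review note. The classification rules and the function names are assumptions of this example; semanage, restorecon and audit2allow are the real policycoreutils tools the comments use.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage an SELinux AVC denial of
# the kinds quoted in this bug and suggest the narrowest fix, preferring a
# labeling change (semanage port / restorecon) over a custom allow rule.
# The classification rules below are assumptions drawn from this report,
# not from selinux-policy itself.

# avc_field LINE KEY: value of KEY=VALUE in an AVC record; the value may be
# bare (comm=httpd) or double-quoted (comm="rrdtool").
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission inside the braces, e.g. name_connect
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_fix_hint LINE: print one remediation command or a review note
avc_fix_hint() {
    perm=$(avc_perm "$1")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$tclass:$ttype:$perm" in
        tcp_socket:port_t:name_connect)
            # Target is the generic port_t, i.e. the port is unlabeled
            # (comment 2). Labeling it http_port_t (comment 5) lets httpd_t
            # reach only that port, unlike "allow httpd_t port_t:tcp_socket
            # name_connect", which opens every unlabeled port.
            echo "semanage port -a -t http_port_t -p tcp $(avc_field "$1" dest)"
            ;;
        dir:var_lib_t:*|file:var_lib_t:*)
            # httpd touching plain var_lib_t means the web app's data lost
            # its httpd_var_lib_t label (comment 14): relabel, do not allow.
            echo "restorecon -Rv /var"
            ;;
        *)
            echo "no labeling fix known for $stype -> $ttype:$tclass { $perm }; review with audit2allow before loading any allow rule"
            ;;
    esac
}

# Demo over the three denials quoted in this report (copied, not constructed).
for avc in \
  'type=AVC msg=audit(1380480626.847:1764): avc:  denied  { name_connect } for  pid=2016 comm="httpd" dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket' \
  'type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir' \
  'type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir'
do
    avc_fix_hint "$avc"
done
```

Run it as-is to see the three hints, or pipe individual lines from `ausearch -m avc` into `avc_fix_hint`. The script only prints commands; applying them is a deliberate step, and the `semanage port -l -C` check from comment 5 confirms the port label afterwards.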