Bug 1220663

Summary: no selinux policies for rrdtool, httpd accessing gmetad port 8652
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 7.1
CC: dyocum, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1219900
Environment:
Last Closed: 2017-10-12 12:19:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Milos Malik 2015-05-12 07:19:18 UTC
Description of problem:
 * SELinux denials appear when accessing the ganglia web interface

NVRs:
ganglia-3.7.1-2.el7.x86_64
ganglia-gmetad-3.7.1-2.el7.x86_64
ganglia-gmond-3.7.1-2.el7.x86_64
ganglia-web-3.6.2-2.el7.x86_64
selinux-policy-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch

Reproducible:
 * always

Steps to Reproduce:
# yum -y install ganglia-gmond ganglia-gmetad ganglia-web
# service gmond start
# service gmetad start
# service httpd start
# links http://localhost/ganglia
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results (enforcing mode):
----
type=SOCKADDR msg=audit(05/12/2015 09:03:55.016:182) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 09:03:55.016:182) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x23 a1=0x7f24da9c9c10 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3529 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:03:55.016:182) : avc:  denied  { name_connect } for  pid=3529 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Actual results (permissive mode):
----
type=PATH msg=audit(05/12/2015 09:17:35.461:222) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=21826000 dev=fd:02 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(05/12/2015 09:17:35.461:222) :  cwd=/usr/share/ganglia 
type=SYSCALL msg=audit(05/12/2015 09:17:35.461:222) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f24daace6a0 a1=0777 a2=0x7f24d758baa0 a3=0x7f24d74b2fd0 items=1 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:17:35.461:222) : avc:  denied  { setattr } for  pid=3528 comm=httpd name=compiled dev="vda2" ino=21826000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 
----
type=SOCKADDR msg=audit(05/12/2015 09:17:34.638:221) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 09:17:34.638:221) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x23 a1=0x7f24da9cfb98 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:17:34.638:221) : avc:  denied  { name_connect } for  pid=3528 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Expected results:
 * ganglia web interface works
 * no AVCs

Comment 5 Lukas Vrabec 2017-10-12 12:19:30 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in an unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 6 Lukas Vrabec 2017-10-12 12:21:23 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in an unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
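The closing comments point at a local policy module as the fix. The script below is an added example, not part of the bug report or of selinux-policy itself: it writes a type-enforcement module that covers exactly the two denials recorded in the description (httpd_t name_connect to the unlabeled gmetad port, which falls under unreserved_port_t, and httpd_t setattr on the var_lib_t dwoo cache directory), then compiles and installs it with the standard checkmodule / semodule_package / semodule chain. The module name ganglia_local, the two allow rules and the helper function names are our own choices; the toolchain commands are the usual ones from checkpolicy and policycoreutils and need root to install.

```shell
#!/bin/bash
# Added example (not from the bug report): a minimal local SELinux policy
# module for the two AVCs shown in bug 1220663, plus the install steps.
# Assumptions: checkpolicy, policycoreutils and selinux-policy-devel are
# installed; the module name and rule set below are ours, not Red Hat's.
set -eu

MODULE_NAME=ganglia_local

# Emit the type-enforcement (.te) source on stdout.
gen_te() {
    cat <<'EOF'
policy_module(ganglia_local, 1.0)

require {
    type httpd_t;
    type var_lib_t;
    type unreserved_port_t;
}

# AVC 1 (enforcing and permissive): httpd connects to gmetad's port 8652.
# No port type is assigned to 8652, so it is treated as unreserved_port_t.
# Only name_connect on tcp_socket is granted; this still covers every
# unreserved port, which is narrower than httpd_can_network_connect but
# wider than the single port the web interface actually uses.
allow httpd_t unreserved_port_t:tcp_socket name_connect;

# AVC 2 (permissive only): ganglia-web chmods /var/lib/ganglia/dwoo/compiled,
# which is labelled var_lib_t. The permissive run showed setattr was the only
# extra permission needed on that directory type.
allow httpd_t var_lib_t:dir setattr;
EOF
}

# Regression guard: the module must stay as narrow as the recorded denials,
# i.e. exactly two allow rules.
count_allow_rules() {
    gen_te | grep -c '^allow '
}

# True if the generated module grants the given permission string.
grants() {
    gen_te | grep -q "$1"
}

# Compile and install the module (root required).
install_module() {
    local workdir
    workdir=$(mktemp -d)
    gen_te > "$workdir/$MODULE_NAME.te"
    checkmodule -M -m -o "$workdir/$MODULE_NAME.mod" "$workdir/$MODULE_NAME.te"
    semodule_package -o "$workdir/$MODULE_NAME.pp" -m "$workdir/$MODULE_NAME.mod"
    semodule -i "$workdir/$MODULE_NAME.pp"
    rm -rf "$workdir"
}

# Alternative path from the Red Hat guide linked in the closing comment:
# derive the module from the audit log instead of writing it by hand.
# Review the generated .te before loading it; audit2allow grants whatever
# was denied, including permissions you may not want.
install_from_audit_log() {
    ausearch -m avc -m user_avc -m selinux_err -ts recent | audit2allow -M "$MODULE_NAME"
    semodule -i "$MODULE_NAME.pp"
}

# Re-run the reporter's query; after the fix no httpd_t denials should appear.
recent_httpd_denials() {
    ausearch -m avc -m user_avc -m selinux_err -i -ts recent 2>/dev/null \
        | grep -c 'scontext=system_u:system_r:httpd_t' || true
}

if [ "${1:-}" = "install" ]; then
    install_module
    echo "remaining httpd_t denials: $(recent_httpd_denials)"
fi
```

Run it as `./ganglia_local.sh install` on the affected host, then reload the web interface and repeat the `ausearch` query from the reproducer. A narrower option for the second denial, rather than granting setattr on every var_lib_t directory, is to relabel the cache directory to a type httpd_t is already allowed to manage (for example `semanage fcontext -a -t httpd_var_lib_t "/var/lib/ganglia/dwoo(/.*)?"` followed by `restorecon -Rv /var/lib/ganglia/dwoo`); whether that type fits this application is an assumption to confirm against the installed policy with `sesearch`, not something the bug establishes.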