Bug 1252341

Summary: pmcd need access to temporary files in /var/lib/pcp/tmp/pmlogger
Product: Red Hat Enterprise Linux 7
Reporter: Miloš Prchlík <mprchlik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-41.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 10:43:28 UTC
Type: Bug

Description Miloš Prchlík 2015-08-11 08:25:29 UTC
Description of problem:

Recorded in enforcing mode:

----
time->Fri Aug  7 12:24:58 2015
type=SYSCALL msg=audit(1438943098.163:25298): arch=c000003e syscall=2 success=no exit=-13 a0=7fff372ce870 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=344 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="pmcd" exe="/usr/libexec/pcp/bin/pmcd" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1438943098.163:25298): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file
----
time->Fri Aug  7 12:24:58 2015
type=SYSCALL msg=audit(1438943098.163:25299): arch=c000003e syscall=2 success=no exit=-13 a0=7fff372ce870 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=344 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="pmcd" exe="/usr/libexec/pcp/bin/pmcd" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1438943098.163:25299): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file
----
time->Fri Aug  7 12:24:58 2015
type=SYSCALL msg=audit(1438943098.163:25300): arch=c000003e syscall=2 success=no exit=-13 a0=7fff372ce870 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=344 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="pmcd" exe="/usr/libexec/pcp/bin/pmcd" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1438943098.163:25300): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file
----
time->Fri Aug  7 12:24:58 2015
type=SYSCALL msg=audit(1438943098.164:25301): arch=c000003e syscall=2 success=no exit=-13 a0=7fff372ce870 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=344 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="pmcd" exe="/usr/libexec/pcp/bin/pmcd" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1438943098.164:25301): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file


Recorded in permissive mode:

type=AVC msg=audit(1439280985.718:28943): avc:  denied  { read } for  pid=3484 comm="pmcd" name="primary" dev="dm-0" ino=1201683 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file permissive=1



[root@apm-mustang-ev3-03 ~]# ls -alZ /var/lib/pcp/tmp/pmlogger/primary
lrwxrwxrwx. pcp pcp system_u:object_r:pcp_var_lib_t:s0 /var/lib/pcp/tmp/pmlogger/primary -> /var/lib/pcp/tmp/pmlogger/7530
[root@apm-mustang-ev3-03 ~]# ls -alZ /var/lib/pcp/tmp/pmlogger/7530
-rw-r--r--. pcp pcp system_u:object_r:pcp_var_lib_t:s0 /var/lib/pcp/tmp/pmlogger/7530


[root@apm-mustang-ev3-03 ~]# ls -alZ /var/lib/pcp/tmp
drwxrwxr-x. pcp  pcp  system_u:object_r:pcp_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:pcp_var_lib_t:s0 ..
drwxrwxrwt. root root system_u:object_r:pcp_var_lib_t:s0 mmv
drwx------. root root system_u:object_r:pcp_var_lib_t:s0 pmcd
drwxrwxr-x. pcp  pcp  system_u:object_r:pcp_var_lib_t:s0 pmie
drwxrwxr-x. pcp  pcp  system_u:object_r:pcp_var_lib_t:s0 pmlogger
[root@apm-mustang-ev3-03 ~]# 


[root@apm-mustang-ev3-03 postfix]# ps xa --context | grep pcp
 3484 system_u:system_r:pcp_pmcd_t:s0 /usr/libexec/pcp/bin/pmcd -T 3
 3487 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/root/pmdaroot -d 1
 3488 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/proc/pmdaproc -d 3
 3489 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/xfs/pmdaxfs -d 11
 3490 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/sample/pmdasample -d 29
 3491 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/linux/pmdalinux
 3492 system_u:system_r:pcp_pmcd_t:s0 /var/lib/pcp/pmdas/simple/pmdasimple -d 253
 7530 system_u:system_r:unconfined_service_t:s0 /usr/libexec/pcp/bin/pmlogger -P -r -T24h10m -c config.default -m pmlogger_check 20150811.04.16
 7715 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 grep --color=auto pcp
18653 system_u:unconfined_r:unconfined_t:s0 /usr/libexec/pcp/bin/pmproxy
[root@apm-mustang-ev3-03 postfix]# 


Version-Release number of selected component (if applicable):

pcp-3.10.6-1.el7
selinux-policy-3.13.1-37.el7


How reproducible:


Steps to Reproduce:
1. service pmcd start
2. service pmlogger start
3. wait for a while, opening /var/lib/pcp/tmp/pmlogger/primary is attempted periodically


Actual results:


Expected results:


Additional info:

Comment 1 Lukas Vrabec 2015-08-11 13:22:25 UTC
commit 999616d0b11a7590963c786b27876fbe375775b9
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 11 15:20:26 2015 +0200

    Allow pcp_domain to manage pcp_var_lib_t lnk_files.
    Resolves: #1252341
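
The denials recorded in the description, reduced to the distinct rule they request so it can be compared with what a policy update grants. This is an added example, not part of the bug report or of selinux-policy; the function names are made up here, and the sample lines are copied from the description.

```python
import re
from collections import defaultdict

# Sample input: one SYSCALL record and three AVC records copied from the description.
SAMPLE = """
type=SYSCALL msg=audit(1438943098.163:25298): arch=c000003e syscall=2 success=no exit=-13 a0=7fff372ce870 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=344 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="pmcd" exe="/usr/libexec/pcp/bin/pmcd" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1438943098.163:25298): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1438943098.163:25299): avc:  denied  { read } for  pid=344 comm="pmcd" name="primary" dev="dm-0" ino=68312743 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1439280985.718:28943): avc:  denied  { read } for  pid=3484 comm="pmcd" name="primary" dev="dm-0" ino=1201683 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=lnk_file permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, timestamps
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        group = groups[key]
        group["perms"].update(m["perms"].split())
        group["count"] += 1
        # The enforcing-mode records in this report carry no permissive= field,
        # so anything not marked permissive=1 is counted as an access that failed.
        if m["permissive"] != "1":
            group["blocked"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render the narrowest allow rule that covers each group of denials."""
    rules = []
    for (src, tgt, cls), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```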

Comment 6 errata-xmlrpc 2015-11-19 10:43:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html