Bug 1262902

Summary: SELinux is preventing PCP's nginx PMDA to collect statistics.
Product: [Fedora] Fedora
Reporter: Tadej Janež <tadej.j>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 22
CC: bperkins, dominick.grift, dwalsh, lvrabec, mgrepl, nathans, plautrba
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2016-07-19 20:37:33 UTC
Type: Bug

Description Tadej Janež 2015-09-14 15:06:25 UTC
Description of problem:
Current SELinux policy is preventing the Performance Metrics Domain Agent (PMDA) for nginx (part of the Performance Co-Pilot (PCP) suite) access to nginx's statistics available at http://localhost/nginx_status.


Version-Release number of selected components:
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
pcp-pmda-nginx-3.10.6-1.fc22.x86_64
nginx-1.8.0-10.fc22.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. sudo dnf install nginx
2. create a file in /etc/nginx/default.d/nginx_status.conf with the following contents:
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
3. sudo systemctl restart nginx.service
4. sudo dnf install "perl(LWP::UserAgent)" pcp-collector
5. sudo touch /var/lib/pcp/pmdas/nginx/.NeedInstall
6. sudo systemctl restart pmcd.service
7. pmval nginx.requests_count

Actual results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

The relevant line from /var/log/audit/audit.log:
type=AVC msg=audit(1442242235.474:225): avc:  denied  { name_connect } for  pid=532 comm="perl" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0


Expected results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all
               0.9982
               0.9982
               0.9981
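
Added example, not part of the original report: a small Python parser that reads the AVC record quoted above and renders the access it describes as a type-enforcement rule, the same denial-to-rule mapping that audit2allow performs. The function names are illustrative, and treating a record without a permissive= field as enforcing is an assumption.

```python
import re

# AVC record copied verbatim from the report above.
SAMPLE = (
    'type=AVC msg=audit(1442242235.474:225): avc:  denied  { name_connect } '
    'for  pid=532 comm="perl" dest=80 '
    'scontext=system_u:system_r:pcp_pmcd_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line; return a dict, or None if it is not a usable AVC."""
    m = AVC_RE.search(line) if 'type=AVC' in line else None
    if m is None:
        return None
    avc = {key: value.strip('"') for key, value in PAIR_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= avc.keys():
        return None
    avc['result'] = m.group(1)
    avc['perms'] = m.group(2).split()
    # A context is user:role:type:level; the level may contain further ':'
    # (MLS categories), so take the third field rather than the second-to-last.
    avc['source_type'] = avc['scontext'].split(':')[2]
    avc['target_type'] = avc['tcontext'].split(':')[2]
    return avc


def was_blocked(avc):
    """A denial only blocks the access when the domain is enforcing (permissive=0).
    Assumption: a record without the field is treated as enforcing."""
    return avc['result'] == 'denied' and avc.get('permissive', '0') == '0'


def te_rule(avc):
    """Render the access vector as a type-enforcement allow rule."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {source_type} {target_type}:{tclass} {perms};'.format(
        source_type=avc['source_type'], target_type=avc['target_type'],
        tclass=avc['tclass'], perms=perm_text)


if __name__ == '__main__':
    record = parse_avc(SAMPLE)
    print(record['comm'], '-> port', record['dest'], 'blocked:', was_blocked(record))
    print(te_rule(record))
```

The rule text is what a local policy module's .te file would carry for this access; the parsed comm and dest fields show which process and port the denial concerned.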

Comment 1 Fedora End Of Life 2016-07-19 20:37:33 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.