Bug 1270344

Summary: selinux denies pmdaapache access to port 80 for apache diagnostics
Product: Red Hat Enterprise Linux 7
Reporter: Lukas Berk <lberk>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Jan Zarsky <jzarsky>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: fche, lberk, lvrabec, mbenitez, mgrepl, mmalik, nathans, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 02:23:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
  requested selinux output (flags: none)

Description Lukas Berk 2015-10-09 17:39:06 UTC
Description of problem:
selinux denies pmdaapache to gather apache statistics (the equivalent of running `curl http://localhost/server-status` ).

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-57

How reproducible:
Always

Steps to Reproduce:
1. enable extended apache statistics 
2. systemctl restart pmcd httpd
3. cd /var/lib/pcp/pmdas/apache
4. sudo ./Install

Actual results:
pmda is installed with warnings (and no stats values).  AVC denial is presented (output attached)


Expected results:
pmda should produce statistics from parsing http://localhost/server-status


Additional info:
SELinux is preventing /var/lib/pcp/pmdas/apache/pmdaapache from 'name_connect' accesses on the tcp_socket port 80.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that pmdaapache should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmdaapache /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        pmdaapache
Source Path                   /var/lib/pcp/pmdas/apache/pmdaapache
Port                          80
Host                          (removed)
Source RPM Packages           pcp-pmda-apache-3.10.6-2.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-57.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-322.el7.x86_64 #1 SMP Mon
                              Oct 5 21:41:10 EDT 2015 x86_64 x86_64
Alert Count                   22
First Seen                    2015-10-08 19:51:46 EDT
Last Seen                     2015-10-08 20:30:19 EDT
Local ID                      bce5d92d-9ca3-4bd4-853f-5323723734c6

Raw Audit Messages
type=AVC msg=audit(1444350619.254:697): avc:  denied  { name_connect } for  pid=23389 comm="pmdaapache" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1444350619.254:697): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=5 a1=7ffd45f1a8a0 a2=1c a3=7ffd45f1a8dc items=0 ppid=20568 pid=23389 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=pmdaapache exe=/var/lib/pcp/pmdas/apache/pmdaapache subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

Hash: pmdaapache,pcp_pmcd_t,http_port_t,tcp_socket,name_connect
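
The raw AVC record quoted above is the input that `audit2allow` turns into a local policy module. The following Python is an added illustration, not part of this bug report and not PCP or selinux-policy code: it parses raw AVC messages, skips the accompanying SYSCALL records, collapses repeated denials (the report shows an Alert Count of 22 for one underlying rule), and renders the equivalent type-enforcement `allow` rule so the scope of a proposed `semodule -i` can be reviewed before it is loaded. The sample log is constructed from the records in this report; the second AVC line with a different audit serial is a constructed duplicate.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC and SYSCALL records quoted in this bug,
# plus one constructed repeat of the AVC (audit serial 702 is made up) so
# the grouping logic has something to collapse.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1444350619.254:697): avc:  denied  { name_connect } for  pid=23389 comm="pmdaapache" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1444350619.254:697): arch=x86_64 syscall=connect success=no exit=EINPROGRESS pid=23389 comm=pmdaapache exe=/var/lib/pcp/pmdas/apache/pmdaapache subj=system_u:system_r:pcp_pmcd_t:s0
type=AVC msg=audit(1444350625.101:702): avc:  denied  { name_connect } for  pid=23389 comm="pmdaapache" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Field layout of a kernel AVC record: verdict, permission set in braces,
# then comm=, scontext=, tcontext= and tclass= key/value pairs.
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record. Returns a dict for AVC lines, None for others."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec


def summarize(log_text):
    """Group denied AVCs by (source type, target type, object class).

    Each entry accumulates the union of requested permissions, the number of
    records seen, and the set of comm= values that triggered them.
    """
    summary = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "comms": set()})
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["comms"].add(rec["comm"])
    return summary


def te_rules(summary):
    """Render each group as a type-enforcement allow rule (audit2allow style)."""
    rules = []
    for (stype, ttype, tclass), entry in summary.items():
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for key, entry in groups.items():
        print(f"{key}: {entry['count']} denial(s) from {sorted(entry['comms'])}")
    for rule in te_rules(groups):
        print(rule)
```

Reviewing the rendered rule before loading a module is the point: `allow pcp_pmcd_t http_port_t:tcp_socket name_connect;` grants every process in the PCP collector domain the ability to connect to any port labelled `http_port_t`, which is broader than "pmdaapache may fetch server-status from localhost". That is why the setroubleshoot text asks for a bug report rather than a permanent local module, and why the eventual fix lands in the distribution policy. Note also that the report's Enforcing Mode is Permissive, so the denials were logged but not blocked, which is what the request to re-run under `setenforce 1` in Comment 2 addresses.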

Comment 2 Milos Malik 2015-10-11 20:41:13 UTC
Could you re-run your scenario in enforcing mode and collect SELinux denials?

# setenforce 1
# <your-scenario>
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 3 Lukas Berk 2015-10-13 14:32:19 UTC
Created attachment 1082469 [details]
requested selinux output

Comment 4 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 8 errata-xmlrpc 2016-11-04 02:23:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html