Bug 1359061

Summary: Missing type enforcement rules for collectd plugin log_logstash
Product: [Fedora] Fedora Reporter: christoph.koenig
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 27CC: christoph.koenig, dan, dominick.grift, dwalsh, gregswift, herrold, jskarvad, kevin, lvrabec, mail, mgrepl, mhlavink, mmalik, plautrba, pmoore, pvrabec, rh, ruben, ssekidde, vmojzis
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-284.37.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-08 15:33:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1393066    
Attachments:
Description Flags
Outputs ot audit2allow -w -a and audit2allow -a none

Description christoph.koenig 2016-07-22 08:28:04 UTC 
Created attachment 1182746 [details]
Outputs ot audit2allow -w -a and audit2allow -a

Description of problem: There is a missing type enforcement rule for collectd in selinux which causes errors in /var/log/messages


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. install and run collectd with enabled log_logstash plugin on a selinux enabled machine

Actual results:
/var/log/messages: Jul 22 10:00:51 <hostname> collectd: log_logstash plugin: fopen (/var/log/collectd.json.log) failed: Permission denied


Expected results:
-no error/access allowed

Additional info:
In case additional information is required, I will provide it (at the moment, I am not sure what might be further required)
Comment 2 Lukas Vrabec 2016-07-27 15:55:25 UTC 
Could you attach raw avc msgs? (/var/log/audit/audit.log) 

Thank you.
Comment 4 christoph.koenig 2016-07-28 08:03:08 UTC 
I identified these messages (/var/log/audit/audit.log):

type=AVC msg=audit(1469692671.315:224730): avc:  denied  { execute } for  pid=26260 comm="collectd" name="mpstat" dev="dm-0" ino=9752245 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1469692671.315:224730): arch=c000003e syscall=59 success=no exit=-13 a0=7f63c4002b10 a1=7f63c4027ff0 a2=7f63e0506860 a3=7f63cbffdb70 items=0 ppid=1466 pid=26260 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1469692671.317:224731): avc:  denied  { write } for  pid=2224 comm="collectd" name="log" dev="dm-2" ino=1476395520 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1469692671.317:224731): arch=c000003e syscall=2 success=no exit=-13 a0=7f63e05149e0 a1=441 a2=1b6 a3=24 items=0 ppid=1 pid=2224 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
Comment 6 Lukas Vrabec 2017-03-21 15:54:43 UTC 
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to third-party software component which can be fixed by component maintainer. To take advantage of Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of  the affected component. As a starting point you can use policy provided by selinux-policy package. For more details  about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
Comment 7 Ruben Kerkhof 2017-03-21 16:05:08 UTC 
Lukas, wait a second. The collectd policy is in selinux-policy-targeted, but you're now expecting me to work around these AVCs in the collectd package itself?

I never confined collectd, and don't have the time, skills or the energy to maintain the SELinux policy for it. If I'm not mistaken you guys wrote the policy in the first place. So I'm sorry, but I'm giving you this issue back. If you can't keep up with the AVCs for collectd, please just remove the policy from selinux-policy-targeted.
Comment 8 Jan Kurik 2017-08-15 07:56:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 9 Vit Mojzis 2018-06-12 13:50:43 UTC 
https://github.com/fedora-selinux/selinux-policy-contrib/pull/60
Comment 10 Fedora Update System 2018-07-27 09:21:45 UTC 
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 11 Fedora Update System 2018-07-27 15:38:37 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 12 Fedora Update System 2018-08-08 15:33:19 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.