Bug 1371496
| Summary: | Network utilization doesn't work with SELinux in enforcing mode | |||
|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Storage Console | Reporter: | Daniel Horák <dahorak> | |
| Component: | core | Assignee: | Nishanth Thomas <nthomas> | |
| core sub component: | monitoring | QA Contact: | Daniel Horák <dahorak> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | high | |||
| Priority: | unspecified | CC: | anbabu, dahorak, lvrabec, mbukatov, mkudlej, mmalik, tjeyasin, vsarmila | |
| Version: | 2 | |||
| Target Milestone: | --- | |||
| Target Release: | 2 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | rhscon-core-0.0.42.1.el7scon | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1377259 | Environment: | ||
| Last Closed: | 2016-10-19 15:21:56 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1377259 | |||
| Bug Blocks: | 1357777 | |||
|
Description
Daniel Horák
2016-08-30 10:38:47 UTC
It is probably related to the following AVC log:
----
time->Tue Aug 30 04:29:50 2016
type=SYSCALL msg=audit(1472545790.563:39511): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffc6a7f3e90 a2=1c a3=7ffc6a7f36e0 items=0 ppid=140626 pid=140627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="socat" exe="/usr/bin/socat" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1472545790.563:39511): avc: denied { connectto } for pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket
----
Looks like the file '/run/collectd-unixsock' is mislabeled. Can you try "restorecon -R -v /run/collectd-unixsock", which fixes this issue?

This command doesn't change anything:
~~~~~~~~~~~~~~~~~~~~~~~
# ll -Z /run/collectd-unixsock
srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
# restorecon -R -v /run/collectd-unixsock
# ll -Z /run/collectd-unixsock
srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~
# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-96.el7.noarch
selinux-policy-sandbox-3.13.1-96.el7.noarch
selinux-policy-3.13.1-96.el7.noarch
selinux-policy-targeted-3.13.1-96.el7.noarch
selinux-policy-devel-3.13.1-96.el7.noarch
selinux-policy-doc-3.13.1-96.el7.noarch
selinux-policy-minimum-3.13.1-96.el7.noarch
# sesearch -s collectd_t -t collectd_t -c unix_stream_socket -A -C -p connectto
Found 1 semantic av rules:
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]
~~~~~~~~~~~~~~~~~~~~~~~

# I don't recommend enabling the daemons_enable_cluster_mode boolean, because it has too broad an effect. It would be better to add an allow rule just for collectd_t. Could you re-test the scenario after applying this workaround?
~~~~~~~~~~~~~~~~~~~~~~~
# cat bz1371496.te
policy_module(bz1371496, 1.0)

require {
	type collectd_t;
	class unix_stream_socket { connectto };
}

allow collectd_t collectd_t : unix_stream_socket { connectto };
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1371496 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1371496.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1371496.mod
Creating targeted bz1371496.pp policy package
rm tmp/bz1371496.mod tmp/bz1371496.mod.fc
# semodule -i bz1371496.pp
~~~~~~~~~~~~~~~~~~~~~~~
# If you remove the policy module then it should be broken again:
~~~~~~~~~~~~~~~~~~~~~~~
# semodule -r bz1371496
~~~~~~~~~~~~~~~~~~~~~~~
But the workaround won't be needed once the fix gets into the selinux-policy.
BTW the /usr/share/selinux/devel/Makefile comes from the selinux-policy-devel RPM.

I agree with Milos with his fix here. Could somebody report this BZ on the selinux-policy component? Thanks.

I've checked the workaround/fix from comment 7, and it works as expected. Created Bug 1377259 for RHEL selinux-policy.

Sent patch for review:
https://review.gerrithub.io/#/c/295008/
https://review.gerrithub.io/#/c/295091/

Tested and verified on:
Red Hat Enterprise Linux Server release 7.3 (Maipo)
USM Server:
ceph-ansible-1.0.5-34.el7scon.noarch
ceph-installer-1.0.15-2.el7scon.noarch
graphite-web-0.9.12-8.1.el7.noarch
graphite2-1.3.6-1.el7_2.x86_64
libcollection-0.6.2-27.el7.x86_64
rhscon-ceph-0.0.43-1.el7scon.x86_64
rhscon-core-0.0.45-1.el7scon.x86_64
rhscon-core-selinux-0.0.45-1.el7scon.noarch
rhscon-ui-0.0.59-1.el7scon.noarch
salt-selinux-0.0.43-1.el7scon.noarch
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
Ceph OSD/MON node:
calamari-server-1.4.8-1.el7cp.x86_64
ceph-base-10.2.2-41.el7cp.x86_64
ceph-common-10.2.2-41.el7cp.x86_64
ceph-mon-10.2.2-41.el7cp.x86_64
ceph-osd-10.2.2-41.el7cp.x86_64
ceph-selinux-10.2.2-41.el7cp.x86_64
collectd-ping-5.5.1-1.1.el7.x86_64
collectd-5.5.1-1.1.el7.x86_64
graphite2-1.3.6-1.el7_2.x86_64
libcollection-0.6.2-27.el7.x86_64
python-cephfs-10.2.2-41.el7cp.x86_64
rhscon-agent-0.0.19-1.el7scon.noarch
rhscon-core-selinux-0.0.45-1.el7scon.noarch
salt-selinux-0.0.45-1.el7scon.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch
SELinux in enforcing mode.
Network Utilization charts show real data.
>> VERIFIED
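Added example, not code from this bug report, from Red Hat or from the collectd/rhscon projects: a POSIX shell script that parses an audit.log AVC denial line of the shape quoted in the description and prints the minimal .te module that would allow exactly the denied access, i.e. the same form as the bz1371496.te workaround in the comments, scoped to the one type pair rather than the daemons_enable_cluster_mode boolean. It also handles the general case where source and target types differ (a second, constructed denial is embedded for that). The function names avc_field, avc_perms, ctx_type and avc_to_te and the variables SAMPLE_AVC and SAMPLE_AVC2 are the example's own.

```shell
#!/bin/sh
# Added example (not code from the bug report): parse an audit.log AVC denial
# line and print the minimal SELinux policy module (.te) that would allow
# exactly that access, the same shape as the bz1371496.te workaround.
# Meant for reviewing a proposed local rule before building it with
# checkmodule/semodule; it loads nothing.

# Constructed sample 1: the AVC line quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1472545790.563:39511): avc: denied { connectto } for pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket'

# Constructed sample 2 (hypothetical, not from the report): a denial whose
# source and target types differ, so the require block must list both types.
SAMPLE_AVC2='type=AVC msg=audit(1472545800.001:39600): avc: denied { write } for pid=140627 comm="socat" name="collectd-unixsock" dev="tmpfs" ino=12345 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:collectd_var_run_t:s0 tclass=sock_file'

# avc_field LINE KEY: print the value of KEY=VALUE from the line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="*\([^" ]*\)"*.*/\1/p'
}

# avc_perms LINE: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field (third component) of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE MODULE: print a policy module allowing only the denied access.
# Returns 1 if the line lacks any field needed to build the rule.
avc_to_te() {
    line=$1
    module=$2
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    if [ -z "$stype" ] || [ -z "$ttype" ] || [ -z "$tclass" ] || [ -z "$perms" ]; then
        return 1
    fi
    printf 'policy_module(%s, 1.0)\n\nrequire {\n' "$module"
    printf '\ttype %s;\n' "$stype"
    # Only declare the target type separately when it is not the source type.
    if [ "$ttype" != "$stype" ]; then
        printf '\ttype %s;\n' "$ttype"
    fi
    printf '\tclass %s { %s };\n}\n\n' "$tclass" "$perms"
    printf 'allow %s %s : %s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Stand-alone run: show the rule derived from the report's denial.
avc_to_te "$SAMPLE_AVC" bz1371496
```

The printed module for the report's line is exactly the bz1371496.te from the comments; it still has to be built with `make -f /usr/share/selinux/devel/Makefile` and loaded with `semodule -i`, as described there. Keeping the rule to the denied source/target/class/permission tuple is what makes it a narrower change than flipping the daemons_enable_cluster_mode boolean, which would also widen access for every other domain in the daemon attribute.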
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2016:2082