Bug 1517862

Summary: SELinux errors for pcp-pmda-postfix
Product: Red Hat Enterprise Linux 7
Reporter: Ugo Bellavance <ubellavance>
Component: pcp
Assignee: Lukas Berk <lberk>
Status: CLOSED ERRATA
QA Contact: Michal Kolar <mkolar>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: bgollahe, brolley, fche, lberk, mcermak, mgoodwin, mkolar, nathans
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcp-3.12.2-5.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 17:08:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ugo Bellavance 2017-11-27 15:45:58 UTC
Description of problem:
The postfix PMDA doesn't work in install because of SELinux denials


Version-Release number of selected component (if applicable):
3.11.8-7

How reproducible:
Always

Steps to Reproduce:
1. Install pcp and pcp-pmda-postfix
2. Install the PMDA by running the Install script
3. Run pminfo -f postfix or use pmchart to try to display postfix values

Actual results:

For pminfo: postfix: pmLookupName: IPC protocol failure
For pmchart: Cannot get children of the node "postfix". No PMCD agent for domain of request.

Expected results:
Show metrics

Additional info:

SELinux-related actions to make it work:

setsebool -P pcp_read_generic_logs 1

Also, even if the boolean is set, there are other SELinux errors:

=================================
SELinux is preventing /usr/bin/perl from read access on the directory /var/spool/postfix/maildrop.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed read access on the maildrop directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'qshape' --raw | audit2allow -M my-qshape
# semodule -i my-qshape.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:postfix_spool_t:s0
Target Objects                /var/spool/postfix/maildrop [ dir ]
Source                        qshape
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          atqvcs1.atqlan.agri-tracabilite.qc.ca
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     atqvcs1.atqlan.agri-tracabilite.qc.ca
Platform                      Linux atqvcs1.atqlan.agri-tracabilite.qc.ca
                              3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13
                              10:46:25 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-27 10:35:25 EST
Last Seen                     2017-11-27 10:35:25 EST
Local ID                      ac5d9c42-8e4b-4f54-a3d4-90e7c02d369c

Raw Audit Messages
type=AVC msg=audit(1511796925.305:201871): avc:  denied  { read } for  pid=13416 comm="qshape" name="maildrop" dev="dm-4" ino=8388759 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir


type=SYSCALL msg=audit(1511796925.305:201871): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=1181210 a2=90800 a3=0 items=0 ppid=13385 pid=13416 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qshape exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

Hash: qshape,pcp_pmcd_t,postfix_spool_t,dir,read
==================================================

=========================
SELinux is preventing /usr/bin/bash from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed signal access on processes labeled pcp_pmcd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmsignal' --raw | audit2allow -M my-pmsignal
# semodule -i my-pmsignal.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmie_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ process ]
Source                        pmsignal
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          atqvcs1.atqlan.agri-tracabilite.qc.ca
Source RPM Packages           bash-4.2.46-29.el7_4.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     atqvcs1.atqlan.agri-tracabilite.qc.ca
Platform                      Linux atqvcs1.atqlan.agri-tracabilite.qc.ca
                              3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13
                              10:46:25 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-27 10:41:55 EST
Last Seen                     2017-11-27 10:41:55 EST
Local ID                      cd93f89a-9575-4115-a862-79e5d74ef676

Raw Audit Messages
type=AVC msg=audit(1511797315.75:201934): avc:  denied  { signal } for  pid=13680 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process


type=SYSCALL msg=audit(1511797315.75:201934): arch=x86_64 syscall=kill success=no exit=EACCES a0=3441 a1=1 a2=0 a3=7ffcdd807c10 items=0 ppid=13679 pid=13680 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=pmsignal exe=/usr/bin/bash subj=system_u:system_r:pcp_pmie_t:s0 key=(null)

Hash: pmsignal,pcp_pmie_t,pcp_pmcd_t,process,signal
===================================================
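Added example (written here, not part of the bug report or of the pcp project): offline triage of the two AVC records quoted above. It derives the minimal TE rules the denials imply, which is what the sealert-suggested audit2allow step does, and merges permissions per (source type, target type, class) so a second denial on the same object does not produce a second rule. The sample records are constructed from the report's AVCs plus an invented "search" denial on the same directory; the ausearch/sesearch helpers assume the audit and setools packages and only make sense on a live SELinux host.

```shell
#!/bin/sh
# Added example, not part of the bug report or of pcp.

# Constructed sample: the two AVC records from the report plus one extra
# "search" denial on the same directory, to show permission merging.
AVC_SAMPLE='type=AVC msg=audit(1511796925.305:201871): avc:  denied  { read } for  pid=13416 comm="qshape" name="maildrop" dev="dm-4" ino=8388759 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1511796925.305:201871): arch=x86_64 syscall=openat success=no exit=EACCES comm=qshape exe=/usr/bin/perl
type=AVC msg=audit(1511796925.306:201872): avc:  denied  { search } for  pid=13416 comm="qshape" name="maildrop" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1511797315.75:201934): avc:  denied  { signal } for  pid=13680 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process'

# avc_to_allow: read raw audit records on stdin, print one allow rule per
# (source type, target type, object class), merging the denied permissions.
avc_to_allow() {
    awk '
    /^type=AVC / && /denied/ {
        # the denied permissions sit between the braces: "{ read }"
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p)
        for (j = 1; j <= n; j++)
            if (index(" " have[key] " ", " " p[j] " ") == 0)
                have[key] = (have[key] == "" ? p[j] : have[key] " " p[j])
    }
    END { for (k in have) print "allow " k " { " have[k] " };" }
    ' | sort
}

# On an SELinux host only (assumes the audit package): collect recent denials
# for both pcp domains seen in the report, not just one comm as the sealert
# recipe does, and turn them into rules for comparison with the shipped policy.
pcp_denials_to_rules() {
    ausearch -m AVC -ts recent --raw 2>/dev/null \
        | grep -E 'scontext=[^ ]*:pcp_pm(cd|ie)_t:' \
        | avc_to_allow
}

# On an SELinux host only (assumes setools' sesearch): returns 0 when the
# installed policy already has an allow rule for source/target/class/perm,
# e.g. policy_allows pcp_pmcd_t postfix_spool_t dir read
policy_allows() {
    sesearch --allow -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null | grep -q 'allow '
}

# Demo on the constructed sample: prints the two merged rules.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

Two caveats for anyone applying the sealert suggestion as a workaround: ausearch -c 'qshape' captures only that one comm, so the pmsignal denial from pcp_pmie_t ends up in a separate module or is missed; and a locally loaded my-qshape.pp stays in effect after the fixed pcp package is installed, masking any later regression, so after updating to pcp-3.12.2-5.el7 check the rule with sesearch (policy_allows above) and remove the local module with semodule -r. The pcp_read_generic_logs boolean is separate from these rules and remains the supported way to let pmcd read the log files.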

Comment 2 Lukas Berk 2017-11-27 17:42:31 UTC
Fixed in upstream tree, will be added to upstream

commit 03aa6b7e2c17e6d4a713f542c8e04c410f257c40
Author: Lukas Berk <lberk>
Date:   Mon Nov 27 12:35:32 2017 -0500

    selinux: RHBZ1517862 postfix context access addition
    
    add context access for postfix_spool_t dir reads
    update testcase

the pcp_pmie_t/pcp_pmcd_t rule was already added in: 

commit 531330542ee083cdb220d08ab798356a30f1dd39
Author: Lukas Berk <lberk>
Date:   Wed Apr 19 17:02:26 2017 -0400

    selinux: RHBZ1443632 missing capability for qa purposes

Comment 4 Michal Kolar 2018-02-21 09:32:16 UTC
Verified against pcp-3.12.2-5.el7.

Comment 8 errata-xmlrpc 2018-04-10 17:08:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0926