Bug 1558465
| Summary: | [OSP13] Collectd 5.8 SELinux denials | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Matthias Runge <mrunge> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | Udi Shkalim <ushkalim> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 13.0 (Queens) | CC: | jschluet, mburns, mgrepl, pkilambi, srevivo |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 13.0 (Queens) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.8.14-1.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1559557 1559558 1559559 | Environment: | |
| Last Closed: | 2018-06-27 13:47:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1409844, 1559557, 1559558, 1559559 | | |
The file needs a default label - is it just /run/lock/libpqos ?

type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc: denied { write open } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 a0=7f42361aa28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:84): proctitle="/usr/sbin/collectd"
type=SERVICE_START msg=audit(1521626242.059:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xinetd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1521629666.167:1293): avc: denied { read } for pid=20204 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521629666.167:1293): avc: denied { write } for pid=20204 comm="collectd" name="libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.167:1293): arch=c000003e syscall=2 success=yes exit=3 a0=7efccfded28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.167:1293): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.168:1294): avc: denied { lock } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.168:1294): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffdf47bf200 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.168:1294): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capab
... and this is all from the 5.8.0 rebase.
The raw audit2allow output on F27 is:
allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };
... meaning Fedora is out of date. I'll see where selinux-policy on github is.
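The step the comment above relies on (turning the AVC records pasted earlier into `allow` rules) is small enough to reimplement, and doing so lets you diff what a rule set covers against what the audit log shows. The following is an added example, not code from this bug, from openstack-selinux or from audit2allow: it parses AVC records, folds them into `allow source target:class { perms };` lines the way audit2allow prints them, and then checks a rule set against the denials, which is the shape of an AVC-based regression test. The sample records are constructed from the denials pasted in this thread (the record cut off at `tclass=capab` is written out as `tclass=capability` in the sample); `THREAD_RULES` is the four-line audit2allow output quoted above. Only the standard library is used.

```python
import re
from collections import defaultdict

# One AVC record per line; audit.log prints the fields in this order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
# 'allow s t:c perm;' or 'allow s t:c { p q };' as audit2allow prints them.
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<stype>\S+)\s+(?P<ttype>\S+):(?P<tclass>\S+)"
    r"\s+(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>\w+))\s*;\s*$"
)

# Constructed sample: the collectd denials from this bug, plus one SYSCALL
# record to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1521626242.055:83): avc:  denied  { read } for  pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write } for  pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { add_name } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { create } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write open } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1521626242.055:84): avc:  denied  { lock } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { read write } for  pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { open } for  pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { sys_rawio } for  pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

# The audit2allow output quoted in the thread (F27), verbatim.
THREAD_RULES = """\
allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };
"""


def context_type(ctx):
    """user:role:type[:range] -> type (works for MLS ranges containing ':')."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) per AVC record.
    A target whose type equals the source type becomes 'self', as in
    audit2allow output. SYSCALL/PROCTITLE records are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        if ttype == stype:
            ttype = "self"
        out.append((stype, ttype, m["tclass"], frozenset(m["perms"].split())))
    return out


def to_allow_rules(denials):
    """Fold denials into sorted allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def parse_rules(rule_text):
    """Parse allow rules back into {(source, target, class): set(perms)}."""
    allowed = defaultdict(set)
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = m["many"].split() if m["many"] is not None else [m["one"]]
            allowed[(m["stype"], m["ttype"], m["tclass"])] |= set(perms)
    return allowed


def uncovered(denials, rule_text):
    """Regression check: (source, target, class, perm) tuples that the
    given rule set does not permit. Empty list means every denial is covered."""
    allowed = parse_rules(rule_text)
    missing = set()
    for stype, ttype, tclass, perms in denials:
        for perm in perms - allowed[(stype, ttype, tclass)]:
            missing.add((stype, ttype, tclass, perm))
    return sorted(missing)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    for rule in to_allow_rules(denials):
        print(rule)
    for miss in uncovered(denials, THREAD_RULES):
        print("not covered by THREAD_RULES:", miss)
```

Run against the pasted records, `to_allow_rules` reproduces the `chr_file`, `capability` and `var_lock_t:file` lines quoted above exactly; it additionally emits `var_lock_t:dir write` and `var_lock_t:lnk_file read`, which are present in the pasted AVCs but absent from the four quoted rules, and `uncovered` reports exactly those two. The same check can be pointed at the rules of a policy module to see which logged denials it still leaves open.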
Fedora just disables the intel_rdt plugin: https://src.fedoraproject.org/rpms/collectd/blob/master/f/collectd.spec#_699

0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1558465; and all regression tests based on AVCs passed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
Description of problem:

type=AVC msg=audit(1521538176.491:1898): avc: denied { add_name } for pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc: denied { create } for pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc: denied { write open } for pid=28227 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=423477 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Version-Release number of selected component (if applicable):
collectd-5.8.0-5 with collectd-rdt plugin, see https://bugzilla.redhat.com/show_bug.cgi?id=1409844#c24

How reproducible:
100%

Putting SELinux into permissive, it works.

This happens in OSP 10 - OSP 13 and is required in all versions, since collectd 5.8 is being backported to OSP 10 - OSP 13.

Additional info: