Bug 1558465
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [OSP13] Collectd 5.8 SELinux denials | | |
| Product | Red Hat OpenStack | Reporter | Matthias Runge <mrunge> |
| Component | openstack-selinux | Assignee | Lon Hohberger <lhh> |
| Status | CLOSED ERRATA | QA Contact | Udi Shkalim <ushkalim> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 13.0 (Queens) | CC | jschluet, mburns, mgrepl, pkilambi, srevivo |
| Target Milestone | beta | Keywords | Triaged |
| Target Release | 13.0 (Queens) | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | openstack-selinux-0.8.14-1.el7ost | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1559557 1559558 1559559 | Environment | |
| Last Closed | 2018-06-27 13:47:45 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1409844, 1559557, 1559558, 1559559 | | |
Description
Matthias Runge
2018-03-20 09:38:13 UTC
The file needs a default label - is it just /run/lock/libpqos ?

```
type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc: denied { write open } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 a0=7f42361aa28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:84): proctitle="/usr/sbin/collectd"
type=SERVICE_START msg=audit(1521626242.059:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xinetd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1521629666.167:1293): avc: denied { read } for pid=20204 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521629666.167:1293): avc: denied { write } for pid=20204 comm="collectd" name="libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.167:1293): arch=c000003e syscall=2 success=yes exit=3 a0=7efccfded28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.167:1293): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.168:1294): avc: denied { lock } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.168:1294): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffdf47bf200 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.168:1294): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capab ...
```

and this is all from the 5.8.0 rebase.

The raw audit2allow output on F27 is:

```
allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };
```

... meaning Fedora is out of date. I'll see where selinux-policy on github is.

Fedora just disables the intel_rdt plugin: https://src.fedoraproject.org/rpms/collectd/blob/master/f/collectd.spec#_699

0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1558465; and all regression tests based on AVCs passed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086
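The thread above goes from raw AVC records to audit2allow output without showing the step in between. The script below is an added example, not part of the bug report or of openstack-selinux: it re-implements the aggregation audit2allow performs (union of denied permissions per source type, target type and object class) over the AVC lines quoted in the report, and then flags the rules a policy reviewer should not wave through as a mere label fix. The sample records are copied from the report with the extraction whitespace repaired and the duplicate 1293/1294 records dropped; the last record is truncated in the report (`tclass=capab ...`), so completing it as `tclass=capability` is an assumption. The rule set produced here differs slightly from the output the commenter posted, which was generated on an F27 box rather than from these exact lines.

```python
"""Minimal AVC-to-allow-rule aggregator, modelled on what audit2allow does.

Added example for bug 1558465; not code from the report or from
openstack-selinux.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in the bug, one per line.  The
# final record is truncated in the report; tclass=capability is assumed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc: denied { write open } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

# Matches the permission set and the three fields a TE allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other record types are skipped
        stype = _type_of(m["scontext"])
        ttype = _type_of(m["tcontext"])
        if ttype == stype:
            ttype = "self"  # capability denials target the domain itself
        yield stype, ttype, m["tclass"], set(m["perms"].split())


def aggregate(text):
    """Union permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render sorted TE allow rules, one string per rule."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out


def review(rules):
    """Return the rules that widen the domain beyond a label fix.

    A capability grant (here sys_rawio, CAP_SYS_RAWIO, capability=17 in the
    record) and any access to cpu_device_t (the MSR device nodes) are policy
    decisions, not something to accept because audit2allow printed them.
    """
    flagged = []
    for key, perms in sorted(rules.items()):
        stype, ttype, tclass = key
        if tclass == "capability" or ttype == "cpu_device_t":
            flagged.append(format_rules({key: perms})[0])
    return flagged


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVCS)
    print("\n".join(format_rules(rules)))
    for rule in review(rules):
        print("REVIEW:", rule)
```

The var_lock_t denials all concern one path, /run/lock/libpqos, which is why the first comment asks about a default label: a file context for that path is narrower than letting collectd_t write anywhere under var_lock_t. The two flagged rules are the ones that matter for the MSR access the intel_rdt plugin needs, and they are the reason Fedora chose to disable the plugin instead.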