Bug 1558465

Summary: [OSP13] Collectd 5.8 SELinux denials
Product: Red Hat OpenStack
Reporter: Matthias Runge <mrunge>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: high
Priority: high
Docs Contact:
Version: 13.0 (Queens)
CC: jschluet, mburns, mgrepl, pkilambi, srevivo
Target Milestone: beta
Keywords: Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1559557 1559558 1559559
Environment:
Last Closed: 2018-06-27 13:47:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1409844, 1559557, 1559558, 1559559

Description Matthias Runge 2018-03-20 09:38:13 UTC
Description of problem:

type=AVC msg=audit(1521538176.491:1898): avc:  denied  { add_name } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { create } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { write open } for  pid=28227 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=423477 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Version-Release number of selected component (if applicable):
collectd-5.8.0-5 with collectd-rdt plugin, see https://bugzilla.redhat.com/show_bug.cgi?id=1409844#c24

How reproducible:
100%

Putting SELinux into permissive, it works.


This happens in OSP 10 - OSP 13 and is required in all versions, since collectd 5.8 is being backported to OSP 10 - OSP 13.

Additional info:

Comment 3 Lon Hohberger 2018-03-21 15:05:21 UTC
The file needs a default label - is it just /run/lock/libpqos ?

Comment 4 Matthias Runge 2018-03-21 15:27:45 UTC
type=AVC msg=audit(1521626242.055:83): avc:  denied  { read } for  pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write } for  pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { add_name } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { create } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write open } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 a0=7f42361aa28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc:  denied  { lock } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:84): proctitle="/usr/sbin/collectd"
type=SERVICE_START msg=audit(1521626242.059:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xinetd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { read } for  pid=20204 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { write } for  pid=20204 comm="collectd" name="libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { open } for  pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.167:1293): arch=c000003e syscall=2 success=yes exit=3 a0=7efccfded28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.167:1293): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.168:1294): avc:  denied  { lock } for  pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.168:1294): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffdf47bf200 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.168:1294): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { read write } for  pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { open } for  pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { sys_rawio } for  pid=20204 comm="collectd" capability=17  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capab

Comment 5 Lon Hohberger 2018-03-21 19:10:04 UTC
... and this is all from the 5.8.0 rebase.

The raw audit2allow output on F27 is:

allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };

... meaning Fedora is out of date. I'll see where selinux-policy on github is.
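As an added example (not code from this bug or from the openstack-selinux project), a small Python script that parses AVC records like the ones quoted above and merges them into allow rules the way audit2allow does, reproducing the four rules listed in this comment. The sample records are constructed from the denials in the bug, and `broad_rules` is an assumed helper that flags the capability and device-node rules a policy reviewer should check by hand rather than merge as-is.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records modelled on those quoted in this bug (fields
# abridged; the truncated "tclass=capab" record is written with its full class name).
SAMPLE_AVCS = """\
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { add_name } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { create } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { write open } for  pid=28227 comm="collectd" path="/run/lock/libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521538176.491:1898): arch=c000003e syscall=2 success=yes exit=3 comm="collectd" exe="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc:  denied  { lock } for  pid=1443 comm="collectd" path="/run/lock/libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { read write } for  pid=20204 comm="collectd" name="msr" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { open } for  pid=20204 comm="collectd" path="/dev/cpu/0/msr" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { sys_rawio } for  pid=20204 comm="collectd" capability=17  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
                    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<cls>\w+)")

def parse_avc(line):
    """Return (source_type, target_type, class, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL/PROCTITLE records and non-AVC lines are skipped
    stype = m["sctx"].split(":")[2]
    ttype = m["tctx"].split(":")[2]
    if ttype == stype:  # a domain denied on itself (e.g. capabilities) is "self"
        ttype = "self"
    return stype, ttype, m["cls"], set(m["perms"].split())

def audit2allow(text):
    """Merge denials into one sorted 'allow' rule per (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, cls, perms = parsed
            rules[(stype, ttype, cls)] |= perms
    out = []
    for (stype, ttype, cls), perms in sorted(rules.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {stype} {ttype}:{cls} {body};")
    return out

def broad_rules(rules):
    """Rules a policy reviewer should not merge blindly: capabilities and device nodes."""
    return [r for r in rules if ":capability " in r or "_device_t:" in r]
```

The flagged rules (sys_rawio and raw access to /dev/cpu/*/msr) are the ones worth confirming are really needed by the plugin before they go into a policy module.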

Comment 6 Matthias Runge 2018-03-21 20:52:00 UTC
Fedora just disables the intel_rdt plugin: https://src.fedoraproject.org/rpms/collectd/blob/master/f/collectd.spec#_699

Comment 14 Lon Hohberger 2018-05-10 18:15:25 UTC
0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1558465; and all regression tests based on AVCs passed.

Comment 16 errata-xmlrpc 2018-06-27 13:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086