Bug 1622253
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | pcp-pmda-named does not work due to selinux blocking perl access to /var/named/data/named_stats.txt | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Chris Cheney <ccheney> |
| Component: | pcp | Assignee: | pcp-maint <pcp-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-tools-bugs |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.5 | CC: | cww, fche, lberk, mgoodwin, nathans, tbowling |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-03-04 00:22:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1647308 | | |
| Bug Blocks: | 1594286 | | |
Fixed upstream in commit:

```text
commit 7e7203c27c03c20a2cadcb75b8d351da0a11ec1a
Author: Lukas Berk <lberk>
Date:   Thu Sep 6 18:27:36 2018 -0400

    selinux: RHBZ1622253 pmdanamed avc denials
```

Fixed by rebase in 7.7

*** This bug has been marked as a duplicate of bug 1647308 ***
From customer case description:

Installed pcp pcp-pmda-named to troubleshoot some DNS questions. The selinux logs complained on perl access to the /var/named/data/named_stats.txt and rndc binary alerts in /var/log/audit/audit.log

```text
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/perl from search access on the directory /var/named/data/named_stats.txt.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/named/data/named_stats.txt default label should be named_cache_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/named/data/named_stats.txt

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that perl should be allowed search access on the named_stats.txt directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/data/named_stats.txt [ dir ]
Source                        perl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (redacted)
Platform                      Linux (redacted) 3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27 04:30:39 EDT 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-07-25 11:31:45 MDT
Last Seen                     2018-07-25 11:36:14 MDT
Local ID                      5ac8394c-b8fd-4b8b-b114-a451e9e6fad7

Raw Audit Messages
type=AVC msg=audit(1532540174.341:22480): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

type=SYSCALL msg=audit(1532540174.341:22480): arch=x86_64 syscall=stat success=no exit=EACCES a0=1204660 a1=11ce138 a2=11ce138 a3=6d616e2f7261762f items=1 ppid=19869 pid=25668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

type=CWD msg=audit(1532540174.341:22480): cwd=/var/log/pcp/pmcd

type=PATH msg=audit(1532540174.341:22480): item=0 name=/var/named/data/named_stats.txt objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: perl,pcp_pmcd_t,named_zone_t,dir,search

SELinux is preventing /usr/bin/perl from 'read, open' accesses on the file /usr/sbin/rndc.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed read open access on the rndc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:ndc_exec_t:s0
Target Objects                /usr/sbin/rndc [ file ]
Source                        perl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages           bind-9.9.4-61.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (redacted)
Platform                      Linux (redacted) 3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27 04:30:39 EDT 2018 x86_64 x86_64
Alert Count                   9
First Seen                    2018-07-25 11:49:49 MDT
Last Seen                     2018-07-25 11:51:02 MDT
Local ID                      408ab5d1-d8a0-4a96-8394-59dc9bbf0eab

Raw Audit Messages
type=AVC msg=audit(1532541062.782:32023): avc: denied { read open } for pid=30511 comm="perl" path="/usr/sbin/rndc" dev="dm-0" ino=9699441 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1532541062.782:32023): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff46e8b2dd a1=23358e0 a2=231a1f0 a3=7fff46e8ade0 items=1 ppid=29837 pid=30511 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

type=CWD msg=audit(1532541062.782:32023): cwd=/var/log/pcp/pmcd

type=PATH msg=audit(1532541062.782:32023): item=0 name=/usr/sbin/rndc inode=9699441 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ndc_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: perl,pcp_pmcd_t,ndc_exec_t,file,read,open
```

---

Additionally TSE has reproduced the same problem in house:

I tested reproducing the customer's steps in the case description. I can reproduce the denial, and confirm that the setroubleshoot recommendation of a blanket perl module (probably not a good idea anyways) still yields these denials, even after being loaded:

```text
Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012
Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012
```

Version-Release number of selected component (if applicable): 3.12.2-5
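The two `Hash:` lines in the sealert output above (`perl,pcp_pmcd_t,named_zone_t,dir,search` and `perl,pcp_pmcd_t,ndc_exec_t,file,read,open`) are just the AVC record's comm, source type, target type, class and permissions joined by commas, and the TSE note shows why a blanket `audit2allow` module built from one batch of denials keeps producing new ones: a later denial with a different target type or class is not covered by the rules already loaded. The script below is an added example written for this page, not code from the bug report or from PCP: it parses raw `type=AVC` records into that same hash, approximates the `(source type, target type, class, perms)` rules a module built from a first batch would carry, and reports which later denials fall outside them. The first two sample records are the ones quoted in this bug; the third is constructed to stand in for the "search access on the directory data" denial from the reproduction, and its `named_cache_t` target type is an assumption (the page only gives that type as the expected label of the stats file, not of the directory).

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input. The two AVC records are the ones quoted in this bug
# (SYSCALL/CWD lines included to show they are skipped by the parser).
CASE_DENIALS = """\
type=AVC msg=audit(1532540174.341:22480): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1532540174.341:22480): arch=x86_64 syscall=stat success=no exit=EACCES comm=perl exe=/usr/bin/perl
type=CWD msg=audit(1532540174.341:22480): cwd=/var/log/pcp/pmcd
type=AVC msg=audit(1532541062.782:32023): avc: denied { read open } for pid=30511 comm="perl" path="/usr/sbin/rndc" dev="dm-0" ino=9699441 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file
"""

# Constructed stand-in for the later "search access on the directory data"
# denial seen after the blanket module was loaded. The timestamp, pid, inode and
# the named_cache_t target type are assumptions, not values from the bug.
LATER_DENIAL = """\
type=AVC msg=audit(1534278241.000:40001): avc: denied { search } for pid=4242 comm="perl" name="data" dev="dm-3" ino=2128176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# One allow rule, in the shape audit2allow would emit: (source type, target type, class, perms)
Rule = Tuple[str, str, str, frozenset]


def context_type(context: str) -> str:
    """Return the type component of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one raw audit line; returns None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m["comm"],
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }


def denial_hash(rec: dict) -> str:
    """The comma-joined key setroubleshoot prints after 'Hash:'."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])


def summarize(log_text: str) -> Dict[str, int]:
    """Count denials per setroubleshoot hash, so repeated alerts collapse to one line."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[denial_hash(rec)] += 1
    return dict(counts)


def rules_from_denials(log_text: str) -> Set[Rule]:
    """Approximate the allow rules a module generated from these denials would contain:
    one rule per (source type, target type, class) with the union of denied perms."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), set()).update(rec["perms"])
    return {(s, t, c, frozenset(p)) for (s, t, c), p in merged.items()}


def uncovered(rules: Set[Rule], log_text: str) -> List[str]:
    """Hashes of denials in log_text that none of the given rules would allow."""
    missing = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        allowed = any(
            s == rec["stype"] and t == rec["ttype"] and c == rec["tclass"] and set(rec["perms"]) <= p
            for s, t, c, p in rules
        )
        if not allowed:
            missing.append(denial_hash(rec))
    return missing


if __name__ == "__main__":
    for key, n in summarize(CASE_DENIALS).items():
        print(f"{n}x {key}")
    module_rules = rules_from_denials(CASE_DENIALS)
    print("still denied after loading a module built from the first batch:",
          uncovered(module_rules, LATER_DENIAL))
```

Run against a real host the input would come from `ausearch -m AVC --raw`; comparing `uncovered()` output against the rules already loaded is a quicker way to see that a new alert involves a type or class the local module never granted than re-reading each sealert report.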