Bug 1661046
| Field | Value |
|---|---|
| Summary | SELinux policy issues with smokeping-2.7.2-1.fc28 |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 30 |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | medium |
| Hardware | x86_64 |
| OS | Linux |
| Type | Bug |
| Reporter | Bradi <brad.inch> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | cra, dave, dwalsh, fedora, jperrin, lvrabec, plautrba, pzeppegno, sheltren, terje.rosten, zpytela |
| Last Closed | 2019-05-06 15:45:50 UTC |

Description
Bradi
2018-12-19 23:16:19 UTC
My logs are flooded by this error. Can someone do something about it?

(In reply to pzeppegno from comment #1)
> My logs are flooded by this error. Can someone do something about it?

I'm actually on Fedora 29 using smokeping-2.7.2-2.fc29.noarch

```
commit 84e1abb30fd956e239215f7027f35457fb3f0fb9 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 4 14:01:59 2019 +0100

    Allow smokeping process to mmap own var lib files and allow set process group.
    Resolves: rhbz#1661046
```

This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The permissions were added to Fedora 29 and 30:

```
# sesearch -A -s smokeping_t -t smokeping_t -c process -p setpgid,signal_perms
allow smokeping_t smokeping_t:process { fork getcap getsched setpgid sigchld sigkill signal signull sigstop };
# sesearch -A -s smokeping_t -t smokeping_var_lib_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow smokeping_t smokeping_var_lib_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };
# sesearch -A -s smokeping_cgi_script_t -t smokeping_var_lib_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow smokeping_cgi_script_t smokeping_var_lib_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };
```

Are you still experiencing any issue as the reported ones?

Hey, sorry for the delay in getting back to you regarding this, I moved on to other monitoring tools. Have just tested this on my Fedora 30 workstation and found the following.

```
SELinux is preventing smokeping from using the dac_override capability.

Source Context                system_u:system_r:smokeping_t:s0
Target Context                system_u:system_r:smokeping_t:s0
Target Objects                Unknown [ capability ]
Source                        smokeping
Source Path                   smokeping
Policy RPM                    selinux-policy-3.14.3-46.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Raw Audit Messages
type=AVC msg=audit(1572037008.407:1029): avc: denied { dac_override } for pid=6707 comm="smokeping" capability=1 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0

Hash: smokeping,smokeping_t,smokeping_t,capability,dac_override
```

Resolved by creating a module to allow

```
module smokeping_1 1.0;

require {
    type smokeping_t;
    type smokeping_var_lib_t;
    type smokeping_cgi_script_t;
    class file map;
    class capability dac_override;
}

#============= smokeping_cgi_script_t ==============

#!!!! This avc is allowed in the current policy
allow smokeping_cgi_script_t smokeping_var_lib_t:file map;

#============= smokeping_t ==============
allow smokeping_t self:capability dac_override;

#!!!! This avc is allowed in the current policy
allow smokeping_t smokeping_var_lib_t:file map;
```
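For triaging a log flooded with the same denial, the following added example (not part of this bug report or of selinux-policy) parses raw AVC records, counts them under the same comm,source type,target type,class,permission key shown on the Hash: line above, and prints the rule each key corresponds to so it can be reviewed before any module is loaded. The function names are illustrative, and the second sample line is constructed.

```python
import re
from collections import Counter

# First line: the record quoted in this bug. Second line: a constructed repeat
# (different timestamp and pid) to exercise de-duplication.
SAMPLE = """\
type=AVC msg=audit(1572037008.407:1029): avc: denied { dac_override } for pid=6707 comm="smokeping" capability=1 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1572037068.412:1033): avc: denied { dac_override } for pid=6731 comm="smokeping" capability=1 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    sctx, tctx = fields['scontext'].split(':'), fields['tcontext'].split(':')
    if len(sctx) < 3 or len(tctx) < 3:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    fields.update(perms=m.group('perms').split(), stype=sctx[2], ttype=tctx[2])
    return fields

def summarize(log_text):
    """Count denials per (comm, stype, ttype, class, perm) key."""
    counts = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        for perm in (avc['perms'] if avc else ()):
            counts[(avc.get('comm', '?'), avc['stype'], avc['ttype'], avc['tclass'], perm)] += 1
    return counts

def candidate_rule(key):
    """Render the allow rule a denial key maps to, for review only."""
    _, stype, ttype, tclass, perm = key
    target = 'self' if stype == ttype else ttype
    return f'allow {stype} {target}:{tclass} {perm};'

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(f'{n:4d}x {",".join(key)} -> {candidate_rule(key)}')
```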