Bug 1661046

Summary: SELinux policy issues with smokeping-2.7.2-1.fc28
Product: [Fedora] Fedora Reporter: Bradi <brad.inch>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: medium    
Version: 30CC: cra, dave, dwalsh, fedora, jperrin, lvrabec, plautrba, pzeppegno, sheltren, terje.rosten, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-06 15:45:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bradi 2018-12-19 23:16:19 UTC
Description of problem:
Multiple AVC generated by default smokeping package.

Version-Release number of selected component (if applicable):
smokeping-2.7.2-1.fc28

How reproducible:
Consistently

Steps to Reproduce:
1. Install smokeping package
2. Configure / start smokeping
3. View AVC denials

Actual results:
1.
type=AVC msg=audit(1545260850.2:5920): avc:  denied  { setpgid } for  pid=3553 comm="/usr/sbin/smoke" scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=process permissive=1

2.
type=AVC msg=audit(1545260803.116:5919): avc:  denied  { map } for  pid=20691 comm="smokeping.fcgi" path="/var/lib/smokeping/rrd/WAN_Ping/Google_DNS.rrd" dev="dm-1" ino=123776414 scontext=system_u:system_r:smokeping_cgi_script_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file permissive=1

3.
type=AVC msg=audit(1545260756.378:5918): avc:  denied  { map } for  pid=20544 comm="/usr/sbin/smoke" path="/var/lib/smokeping/rrd/WAN_Ping/TradeMe.rrd" dev="dm-1" ino=123776411 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file permissive=1

Expected results:
No audit entries created during normal use

Additional info:

Comment 1 pzeppegno 2019-03-01 22:44:15 UTC
My logs are flooded by this error. Can someone do something about it?

Comment 2 pzeppegno 2019-03-01 22:45:23 UTC
(In reply to pzeppegno from comment #1)
> My logs are flooded by this error. Can someone do something about it?

I'm actually on Fedora 29 using smokeping-2.7.2-2.fc29.noarch

Comment 3 Lukas Vrabec 2019-03-04 13:04:05 UTC
commit 84e1abb30fd956e239215f7027f35457fb3f0fb9 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 4 14:01:59 2019 +0100

    Allow smokeping process to mmap own var lib files and allow set process
    group.
    Resolves: rhbz#1661046

Comment 4 Ben Cotton 2019-05-02 19:23:37 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Zdenek Pytela 2019-05-06 10:00:19 UTC
The permissions were added to Fedora 29 and 30:

# sesearch -A -s smokeping_t -t smokeping_t -c process -p setpgid,signal_perms
allow smokeping_t smokeping_t:process { fork getcap getsched setpgid sigchld sigkill signal signull sigstop };

# sesearch -A -s smokeping_t -t smokeping_var_lib_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow smokeping_t smokeping_var_lib_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };

# sesearch -A -s smokeping_cgi_script_t -t smokeping_var_lib_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow smokeping_cgi_script_t smokeping_var_lib_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };

Are you still experiencing any issue as the reported ones?

Comment 6 Bradi 2019-10-25 21:19:55 UTC
Hey, sorry for the delay in getting back to you regarding this, I moved on to other monitoring tools.  Have just tested this on my Fedora 30 workstation and found the following.

SELinux is preventing smokeping from using the dac_override capability.
Source Context                system_u:system_r:smokeping_t:s0
Target Context                system_u:system_r:smokeping_t:s0
Target Objects                Unknown [ capability ]
Source                        smokeping
Source Path                   smokeping
Policy RPM                    selinux-policy-3.14.3-46.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Raw Audit Messages
type=AVC msg=audit(1572037008.407:1029): avc:  denied  { dac_override } for  pid=6707 comm="smokeping" capability=1  scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0

Hash: smokeping,smokeping_t,smokeping_t,capability,dac_override

Resolved by creating a module to allow

module smokeping_1 1.0;

require {
	type smokeping_t;
	type smokeping_var_lib_t;
	type smokeping_cgi_script_t;
	class file map;
	class capability dac_override;
}

#============= smokeping_cgi_script_t ==============

#!!!! This avc is allowed in the current policy
allow smokeping_cgi_script_t smokeping_var_lib_t:file map;

#============= smokeping_t ==============
allow smokeping_t self:capability dac_override;

#!!!! This avc is allowed in the current policy
allow smokeping_t smokeping_var_lib_t:file map;