Bug 1760883

Summary: SELinux prevents various nagios plugins from reading /sys/devices/system/cpu directory
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Richard Fiľo <rfilo>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 30CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-52.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-17 01:13:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2019-10-11 15:26:11 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-46.fc30.noarch
nagios-4.4.3-4.fc30.ppc64le
nagios-common-4.4.3-4.fc30.ppc64le
nagios-plugins-2.2.1-15.20180725git3429dad.fc30.ppc64le

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 30 machine (targeted policy is active)
2. run following automated TC:
 * /CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/26/2019 13:52:35.627:155) : proctitle=/usr/lib64/nagios/cgi-bin/histogram.cgi 
type=PATH msg=audit(09/26/2019 13:52:35.627:155) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:35.627:155) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:35.627:155) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9a31b348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=13980 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=histogram.cgi exe=/usr/lib64/nagios/cgi-bin/histogram.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:35.627:155) : avc:  denied  { read } for  pid=13980 comm=histogram.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/26/2019 13:52:35.957:156) : proctitle=/usr/lib64/nagios/cgi-bin/statusmap.cgi 
type=PATH msg=audit(09/26/2019 13:52:35.957:156) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:35.957:156) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:35.957:156) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff80abb348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=14148 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=statusmap.cgi exe=/usr/lib64/nagios/cgi-bin/statusmap.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:35.957:156) : avc:  denied  { read } for  pid=14148 comm=statusmap.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/26/2019 13:52:36.177:157) : proctitle=/usr/lib64/nagios/cgi-bin/trends.cgi 
type=PATH msg=audit(09/26/2019 13:52:36.177:157) : item=0 name=/sys/devices/system/cpu inode=600 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 13:52:36.177:157) : cwd=/usr/lib64/nagios/cgi-bin 
type=SYSCALL msg=audit(09/26/2019 13:52:36.177:157) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff9100b348 a2=O_RDONLY|O_NONBLOCK|O_DIRECT|O_CLOEXEC a3=0x0 items=1 ppid=11048 pid=14253 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=trends.cgi exe=/usr/lib64/nagios/cgi-bin/trends.cgi subj=system_u:system_r:nagios_script_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 13:52:36.177:157) : avc:  denied  { read } for  pid=14253 comm=trends.cgi name=cpu dev="sysfs" ino=600 scontext=system_u:system_r:nagios_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
----

Expected results:
 * no SELinux denials

Additional info:
Comment 2 Richard Fiľo 2019-10-17 15:36:29 UTC 
It will be fixed in SELinux policy package.

PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/153
Comment 3 Lukas Vrabec 2019-10-22 10:38:45 UTC 
commit 5e0b083d9f52817b6e5d940bb27315c1b816b620 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Thu Oct 17 16:05:41 2019 +0200

    Allow nagios_script_t domain list files labled sysfs_t.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1760883
Comment 4 Fedora Update System 2019-10-23 07:00:23 UTC 
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
Comment 5 Fedora Update System 2019-10-25 19:33:59 UTC 
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
Comment 6 Fedora Update System 2019-10-26 17:02:47 UTC 
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
Comment 7 Fedora Update System 2019-10-27 03:54:44 UTC 
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
Comment 8 Fedora Update System 2019-11-03 14:10:46 UTC 
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
Comment 9 Fedora Update System 2019-11-04 02:10:11 UTC 
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
Comment 10 Fedora Update System 2019-11-17 01:13:04 UTC 
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.